From 0c43c5e86aa3127b9c6d2331565c52c39f1417a1 Mon Sep 17 00:00:00 2001
From: chandan <chandan@linux.vnet.ibm.com>
Date: Tue, 11 Jul 2017 19:17:09 +0530
Subject: [PATCH] get_fs_type: Validate fs type string argument

References: bsc#1082943
Patch-mainline: submitted, https://patchwork.kernel.org/patch/9834735/

On ppc64, When a non-nul terminated string is passed as an argument to
the mount(2) syscall, copy_mount_string() ends up allocating 64k (the
PAGE_SIZE on ppc64) worth of space for holding the string in kernel's
address space.

Later, in set_precision() (invoked indirectly by get_fs_type()), we end
up assigning 65535 as the value to 'struct printf_spec'->precision
member. This field has a width of 16 bits and hence a truncated version
of the original value ends up being assigned. This causes the
"WARN_ONCE(spec->precision != prec, "precision %d too large", prec)"
statement inside set_precision() to be executed.

This commit fixes the bug by validating the length of the "filesystem
type" argument passed to get_fs_type() function.

Signed-off-by: Chandan Rajendra <chandan@linux.vnet.ibm.com>
Reported-by: Abdul Haleem <abdhalee@linux.vnet.ibm.com>
Suggested-by: Joe Perches <joe@perches.com>
Acked-by: Michal Suchanek <msuchanek@suse.de>
---
 fs/filesystems.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/filesystems.c b/fs/filesystems.c
index cac75547d35c..dd756b0b9261 100644
--- a/fs/filesystems.c
+++ b/fs/filesystems.c
@@ -274,6 +274,9 @@ struct file_system_type *get_fs_type(const char *name)
 	const char *dot = strchr(name, '.');
 	int len = dot ? dot - name : strlen(name);
 
+       if (len >= PATH_MAX)
+               return NULL;
+
 	fs = __get_fs_type(name, len);
 	if (!fs && (request_module("fs-%.*s", len, name) == 0))
 		fs = __get_fs_type(name, len);
-- 
2.13.6