erofs_ioctl_get_volume_label() passes strlen(sbi->volume_name) as
the length to copy_to_user(), which copies the label string without
the trailing NUL byte.  Since FS_IOC_GETFSLABEL callers expect a
NUL-terminated string in the FSLABEL_MAX-sized buffer and may not
pre-zero the buffer, this can cause userspace to read past the label
into uninitialised stack memory.

Fix this by using strlen() + 1 to include the NUL terminator,
consistent with how ext4 and xfs implement FS_IOC_GETFSLABEL.

Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
---
 fs/erofs/inode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/erofs/inode.c b/fs/erofs/inode.c
index 4b3d21402e10..a188c570087a 100644
--- a/fs/erofs/inode.c
+++ b/fs/erofs/inode.c
@@ -351,7 +351,7 @@ static int erofs_ioctl_get_volume_label(struct inode *inode, void __user *arg)
 		ret = clear_user(arg, 1);
 	else
 		ret = copy_to_user(arg, sbi->volume_name,
-				   strlen(sbi->volume_name));
+				   strlen(sbi->volume_name) + 1);
 	return ret ? -EFAULT : 0;
 }
 
-- 
2.43.0

On 2026/4/1 14:13, Zhan Xusheng wrote:
> erofs_ioctl_get_volume_label() passes strlen(sbi->volume_name) as
> the length to copy_to_user(), which copies the label string without
> the trailing NUL byte.  Since FS_IOC_GETFSLABEL callers expect a
> NUL-terminated string in the FSLABEL_MAX-sized buffer and may not
> pre-zero the buffer, this can cause userspace to read past the label
> into uninitialised stack memory.
> 
> Fix this by using strlen() + 1 to include the NUL terminator,
> consistent with how ext4 and xfs implement FS_IOC_GETFSLABEL.
> 
> Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>

Thanks,

Fixes: 1cf12c717741 ("erofs: Add support for FS_IOC_GETFSLABEL")
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>

Thanks,
Gao Xiang