CVE-2021-3995

An unprivileged local attacker can unmount FUSE filesystems belonging to another user whose UID, when expressed as a decimal string, is a prefix of the attacker's UID string. For example, if the victim's UID is `123` and the attacker's UID is `1234`, the old `strncmp(user_id, uidstr, sz)` comparison only checks the first `sz` characters (the length of the victim's UID string), so `"1234"` matches the prefix `"123"`. The attacker triggers the bug by calling `umount` on a FUSE mount point they do not own, causing a denial of service to applications relying on that filesystem [ref_id=1].

The vulnerability is in the `is_fuse_usermount()` function in libmount (file `libmount/src/umount.c`). The old code used `mnt_optstr_get_option()` to retrieve the `user_id` mount option as a raw string, then compared it with a `snprintf`-formatted string of the current user's UID using `strncmp`. A new helper `mnt_optstr_get_uid()` was added to `libmount/src/optstr.c` to perform a proper numeric UID comparison.

The patch replaces the string-based UID comparison with a proper numeric comparison. Instead of retrieving the `user_id` option as a raw string via `mnt_optstr_get_option()` and comparing with `strncmp`, the new code calls `mnt_optstr_get_uid()` which parses the option value to a `uid_t` integer and returns `uid == entry_uid`. This eliminates the prefix-matching logic error. The new helper function `mnt_optstr_get_uid()` also validates that the parsed value fits within `uid_t` bounds, returning an error on overflow [ref_id=1].