diff options
| author | Samuel Moelius <sam.moelius@trailofbits.com> | 2026-06-05 18:52:15 +0300 |
|---|---|---|
| committer | Andrew Morton <akpm@linux-foundation.org> | 2026-06-18 01:37:46 +0300 |
| commit | 5108f4765637bd0ac5ea2897dc7d537486a09885 (patch) | |
| tree | 3e89137a491550641ed40cc68f6e972904093944 | |
| parent | c7fdbc2c2f26b9c397eb3aad2fdc54dbd85f68e1 (diff) | |
| download | linux-5108f4765637bd0ac5ea2897dc7d537486a09885.tar.xz | |
fat: reject BPB volumes whose data area starts beyond total sectors
fat_fill_super() subtracts sbi->data_start from the BPB total sector count
before computing the number of clusters. A malformed image can declare a
total sector count smaller than data_start, causing the subtraction to
underflow and the mount code to derive a plausible cluster count from the
FAT length instead.
Reject such images before the subtraction. In QEMU, a crafted FAT image
with total_sectors=2 and data_start=3 mounted successfully before the fix
and reading a file returned bytes stored past the BPB-declared end of the
volume. With this change, the same image is rejected during mount.
Assisted-by: Codex:gpt-5.5-cyber-preview
Link: https://lore.kernel.org/20260605155216.2126545-1-sam.moelius@trailofbits.com
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
Acked-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Cc: Christian Brauner <brauner@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
| -rw-r--r-- | fs/fat/inode.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/fs/fat/inode.c b/fs/fat/inode.c index b032bbc6855c..3aa52481ad5c 100644 --- a/fs/fat/inode.c +++ b/fs/fat/inode.c @@ -1738,6 +1738,14 @@ int fat_fill_super(struct super_block *sb, struct fs_context *fc, if (total_sectors == 0) total_sectors = bpb.fat_total_sect; + if (total_sectors < sbi->data_start) { + if (!silent) + fat_msg(sb, KERN_ERR, + "data area starts beyond volume (%lu > %u)", + sbi->data_start, total_sectors); + goto out_invalid; + } + total_clusters = (total_sectors - sbi->data_start) / sbi->sec_per_clus; if (!is_fat32(sbi)) |
