Re: [PATCH] fat: reject BPB volumes whose data area starts beyond total sectors

Next message: Lizhi Hou: "Re: [PATCH V1] accel/amdxdna: Clear sva pointer after unbind"
Previous message: Vishwaroop A: "[PATCH v4 1/3] spi: tegra210-quad: Convert to hard IRQ with high-priority workqueue"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: OGAWA Hirofumi

Date: Wed Jun 10 2026 - 02:28:07 EST

Samuel Moelius <sam.moelius@xxxxxxxxxxxxxxx> writes:

> fat_fill_super() subtracts sbi->data_start from the BPB total sector
> count before computing the number of clusters. A malformed image can
> declare a total sector count smaller than data_start, causing the
> subtraction to underflow and the mount code to derive a plausible
> cluster count from the FAT length instead.
>
> Reject such images before the subtraction. In QEMU, a crafted FAT image
> with total_sectors=2 and data_start=3 mounted successfully before the
> fix and reading a file returned bytes stored past the BPB-declared end
> of the volume. With this change, the same image is rejected during
> mount.
>
> Assisted-by: Codex:gpt-5.5-cyber-preview
> Signed-off-by: Samuel Moelius <sam.moelius@xxxxxxxxxxxxxxx>

Acked-by: OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx>

> ---
> fs/fat/inode.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/fs/fat/inode.c b/fs/fat/inode.c
> index 28f78df086ef..168a278cc60c 100644
> --- a/fs/fat/inode.c
> +++ b/fs/fat/inode.c
> @@ -1738,6 +1738,14 @@ int fat_fill_super(struct super_block *sb, struct fs_context *fc,
> if (total_sectors == 0)
> total_sectors = bpb.fat_total_sect;
>
> + if (total_sectors < sbi->data_start) {
> + if (!silent)
> + fat_msg(sb, KERN_ERR,
> + "data area starts beyond volume (%lu > %u)",
> + sbi->data_start, total_sectors);
> + goto out_invalid;
> + }
> +
> total_clusters = (total_sectors - sbi->data_start) / sbi->sec_per_clus;
>
> if (!is_fat32(sbi))

--
OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx>