fs: fat: Perform sanity checks on getsize in get_fatent()

We do not perform a check on the value of getsize in get_fatent to
ensure that it will fit within the allocated buffer. For safety sake,
add a check now and if the value exceeds FATBUFBLOCKS use that value
instead. While not currently actively exploitable, it was in the past so
adding this check is worthwhile.

This addresses CVE-2025-24857 and was originally reported by Harvey
Phillips of Amazon Element55.

Signed-off-by: Tom Rini <trini@konsulko.com>

diff --git a/fs/fat/fat.c b/fs/fat/fat.c
index 89f2acbba1ef64d3e84df67f967e9bddaebb86b1..9ce5df59f9ba950a1b766158c8384598ae23ed65 100644 (file)
--- a/fs/fat/fat.c
+++ b/fs/fat/fat.c
@@ -216,6 +216,11 @@ static __u32 get_fatent(fsdata *mydata, __u32 entry)
                if (flush_dirty_fat_buffer(mydata) < 0)
                        return -1;
 
+               if (getsize > FATBUFBLOCKS) {
+                       debug("getsize is too large for bufptr\n");
+                       getsize = FATBUFBLOCKS;
+               }
+
                if (disk_read(startblock, getsize, bufptr) < 0) {
                        debug("Error reading FAT blocks\n");
                        return ret;