From: Tom Rini <trini@konsulko.com>
Date: Tue, 9 Dec 2025 21:23:01 +0000 (-0600)
Subject: fs: fat: Perform sanity checks on getsize in get_fatent()
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=87d85139a96a39429120cca838e739408ef971a2;p=thirdparty%2Fu-boot.git

fs: fat: Perform sanity checks on getsize in get_fatent()

We do not perform a check on the value of getsize in get_fatent to
ensure that it will fit within the allocated buffer. For safety sake,
add a check now and if the value exceeds FATBUFBLOCKS use that value
instead. While not currently actively exploitable, it was in the past so
adding this check is worthwhile.

This addresses CVE-2025-24857 and was originally reported by Harvey
Phillips of Amazon Element55.

Signed-off-by: Tom Rini <trini@konsulko.com>
---

diff --git a/fs/fat/fat.c b/fs/fat/fat.c
index 89f2acbba1e..9ce5df59f9b 100644
--- a/fs/fat/fat.c
+++ b/fs/fat/fat.c
@@ -216,6 +216,11 @@ static __u32 get_fatent(fsdata *mydata, __u32 entry)
 		if (flush_dirty_fat_buffer(mydata) < 0)
 			return -1;
 
+		if (getsize > FATBUFBLOCKS) {
+			debug("getsize is too large for bufptr\n");
+			getsize = FATBUFBLOCKS;
+		}
+
 		if (disk_read(startblock, getsize, bufptr) < 0) {
 			debug("Error reading FAT blocks\n");
 			return ret;