From 87d85139a96a39429120cca838e739408ef971a2 Mon Sep 17 00:00:00 2001
From: Tom Rini <trini@konsulko.com>
Date: Tue, 9 Dec 2025 15:23:01 -0600
Subject: [PATCH] fs: fat: Perform sanity checks on getsize in get_fatent()

We do not perform a check on the value of getsize in get_fatent to
ensure that it will fit within the allocated buffer. For safety sake,
add a check now and if the value exceeds FATBUFBLOCKS use that value
instead. While not currently actively exploitable, it was in the past so
adding this check is worthwhile.

This addresses CVE-2025-24857 and was originally reported by Harvey
Phillips of Amazon Element55.

Signed-off-by: Tom Rini <trini@konsulko.com>
---
 fs/fat/fat.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/fat/fat.c b/fs/fat/fat.c
index 89f2acbba1e..9ce5df59f9b 100644
--- a/fs/fat/fat.c
+++ b/fs/fat/fat.c
@@ -216,6 +216,11 @@ static __u32 get_fatent(fsdata *mydata, __u32 entry)
 		if (flush_dirty_fat_buffer(mydata) < 0)
 			return -1;
 
+		if (getsize > FATBUFBLOCKS) {
+			debug("getsize is too large for bufptr\n");
+			getsize = FATBUFBLOCKS;
+		}
+
 		if (disk_read(startblock, getsize, bufptr) < 0) {
 			debug("Error reading FAT blocks\n");
 			return ret;
-- 
2.47.3