fat: reject BPB volumes whose data area starts beyond total sectors

fat_fill_super() subtracts sbi->data_start from the BPB total sector count
before computing the number of clusters.  A malformed image can declare a
total sector count smaller than data_start, causing the subtraction to
underflow and the mount code to derive a plausible cluster count from the
FAT length instead.

Reject such images before the subtraction.  In QEMU, a crafted FAT image
with total_sectors=2 and data_start=3 mounted successfully before the fix
and reading a file returned bytes stored past the BPB-declared end of the
volume.  With this change, the same image is rejected during mount.

Assisted-by: Codex:gpt-5.5-cyber-preview
Link: https://lore.kernel.org/20260605155216.2126545-1-sam.moelius@trailofbits.com
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
Acked-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Cc: Christian Brauner <brauner@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

diff --git a/fs/fat/inode.c b/fs/fat/inode.c
index b032bbc6855cb2bf23f1f2f3cc5d5e4a40f51fba..3aa52481ad5cf321198e215776dab60e283fd8dc 100644 (file)
--- a/fs/fat/inode.c
+++ b/fs/fat/inode.c
@@ -1738,6 +1738,14 @@ int fat_fill_super(struct super_block *sb, struct fs_context *fc,
        if (total_sectors == 0)
                total_sectors = bpb.fat_total_sect;
 
+       if (total_sectors < sbi->data_start) {
+               if (!silent)
+                       fat_msg(sb, KERN_ERR,
+                               "data area starts beyond volume (%lu > %u)",
+                               sbi->data_start, total_sectors);
+               goto out_invalid;
+       }
+
        total_clusters = (total_sectors - sbi->data_start) / sbi->sec_per_clus;
 
        if (!is_fat32(sbi))