From: Samuel Moelius Date: Fri, 5 Jun 2026 15:52:15 +0000 (+0000) Subject: fat: reject BPB volumes whose data area starts beyond total sectors X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=5108f4765637bd0ac5ea2897dc7d537486a09885;p=thirdparty%2Fkernel%2Flinux.git fat: reject BPB volumes whose data area starts beyond total sectors fat_fill_super() subtracts sbi->data_start from the BPB total sector count before computing the number of clusters. A malformed image can declare a total sector count smaller than data_start, causing the subtraction to underflow and the mount code to derive a plausible cluster count from the FAT length instead. Reject such images before the subtraction. In QEMU, a crafted FAT image with total_sectors=2 and data_start=3 mounted successfully before the fix and reading a file returned bytes stored past the BPB-declared end of the volume. With this change, the same image is rejected during mount. Assisted-by: Codex:gpt-5.5-cyber-preview Link: https://lore.kernel.org/20260605155216.2126545-1-sam.moelius@trailofbits.com Signed-off-by: Samuel Moelius Acked-by: OGAWA Hirofumi Cc: Christian Brauner Signed-off-by: Andrew Morton --- diff --git a/fs/fat/inode.c b/fs/fat/inode.c index b032bbc6855c..3aa52481ad5c 100644 --- a/fs/fat/inode.c +++ b/fs/fat/inode.c @@ -1738,6 +1738,14 @@ int fat_fill_super(struct super_block *sb, struct fs_context *fc, if (total_sectors == 0) total_sectors = bpb.fat_total_sect; + if (total_sectors < sbi->data_start) { + if (!silent) + fat_msg(sb, KERN_ERR, + "data area starts beyond volume (%lu > %u)", + sbi->data_start, total_sectors); + goto out_invalid; + } + total_clusters = (total_sectors - sbi->data_start) / sbi->sec_per_clus; if (!is_fat32(sbi))
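Review bot: the new check uses `<`, so an image with `total_sectors == sbi->data_start` still passes and the following line computes `total_clusters = 0`; if a zero-cluster data area is not meant to be mountable, consider `<=` here (with the message adjusted accordingly), or state in the commit message which later check rejects the zero-cluster case. Also, since the declarations of `sbi->data_start` and `total_sectors` are not in this hunk, please confirm that the `%lu` and `%u` specifiers in the `fat_msg()` call match their actual types so the error line is not truncated or mis-rendered.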