fat: reject BPB volumes whose data area starts beyond total sectors

[PATCH] fat: reject BPB volumes whose data area starts beyond total sectors

Posted by Samuel Moelius 2 days, 12 hours ago

fat_fill_super() subtracts sbi->data_start from the BPB total sector
count before computing the number of clusters.  A malformed image can
declare a total sector count smaller than data_start, causing the
subtraction to underflow and the mount code to derive a plausible
cluster count from the FAT length instead.

Reject such images before the subtraction.  In QEMU, a crafted FAT image
with total_sectors=2 and data_start=3 mounted successfully before the
fix and reading a file returned bytes stored past the BPB-declared end
of the volume.  With this change, the same image is rejected during
mount.

Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
---
 fs/fat/inode.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/fat/inode.c b/fs/fat/inode.c
index 28f78df086ef..168a278cc60c 100644
--- a/fs/fat/inode.c
+++ b/fs/fat/inode.c
@@ -1738,6 +1738,14 @@ int fat_fill_super(struct super_block *sb, struct fs_context *fc,
 	if (total_sectors == 0)
 		total_sectors = bpb.fat_total_sect;
 
+	if (total_sectors < sbi->data_start) {
+		if (!silent)
+			fat_msg(sb, KERN_ERR,
+				"data area starts beyond volume (%lu > %u)",
+				sbi->data_start, total_sectors);
+		goto out_invalid;
+	}
+
 	total_clusters = (total_sectors - sbi->data_start) / sbi->sec_per_clus;
 
 	if (!is_fat32(sbi))
-- 
2.43.0