* [merged mm-nonmm-stable] fat-reject-bpb-volumes-whose-data-area-starts-beyond-total-sectors.patch removed from -mm tree
@ 2026-06-17 22:38 Andrew Morton
From: Andrew Morton @ 2026-06-17 22:38 UTC
  To: mm-commits, hirofumi, brauner, sam.moelius, akpm


The quilt patch titled
     Subject: fat: reject BPB volumes whose data area starts beyond total sectors
has been removed from the -mm tree.  Its filename was
     fat-reject-bpb-volumes-whose-data-area-starts-beyond-total-sectors.patch

This patch was dropped because it was merged into the mm-nonmm-stable branch
of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

------------------------------------------------------
From: Samuel Moelius <sam.moelius@trailofbits.com>
Subject: fat: reject BPB volumes whose data area starts beyond total sectors
Date: Fri, 5 Jun 2026 15:52:15 +0000

fat_fill_super() subtracts sbi->data_start from the BPB total sector count
before computing the number of clusters.  A malformed image can declare a
total sector count smaller than data_start, causing the subtraction to
underflow and the mount code to derive a plausible cluster count from the
FAT length instead.

Reject such images before the subtraction.  In QEMU, a crafted FAT image
with total_sectors=2 and data_start=3 mounted successfully before the fix
and reading a file returned bytes stored past the BPB-declared end of the
volume.  With this change, the same image is rejected during mount.

Assisted-by: Codex:gpt-5.5-cyber-preview
Link: https://lore.kernel.org/20260605155216.2126545-1-sam.moelius@trailofbits.com
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
Acked-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Cc: Christian Brauner <brauner@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 fs/fat/inode.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/fs/fat/inode.c~fat-reject-bpb-volumes-whose-data-area-starts-beyond-total-sectors
+++ a/fs/fat/inode.c
@@ -1738,6 +1738,14 @@ int fat_fill_super(struct super_block *s
 	if (total_sectors == 0)
 		total_sectors = bpb.fat_total_sect;
 
+	if (total_sectors < sbi->data_start) {
+		if (!silent)
+			fat_msg(sb, KERN_ERR,
+				"data area starts beyond volume (%lu > %u)",
+				sbi->data_start, total_sectors);
+		goto out_invalid;
+	}
+
 	total_clusters = (total_sectors - sbi->data_start) / sbi->sec_per_clus;
 
 	if (!is_fat32(sbi))
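Review bot: the added test "if (total_sectors < sbi->data_start)" is a strict comparison, so an image with total_sectors == sbi->data_start still reaches the division on the next context line and produces total_clusters == 0. Nothing visible in this hunk shows a zero-cluster data area being rejected afterwards, so either use "<=" here or say in the changelog which later check covers the empty case. A smaller point on the fat_msg() text: "(%lu > %u)" prints two bare numbers, and naming them (data_start and total sectors) would make the log line readable without the source open.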
_

Patches currently in -mm which might be from sam.moelius@trailofbits.com are

mm-page_frag-reject-invalid-cpus-in-page_frag_test.patch
mm-gup_test-reject-wrapped-user-ranges.patch
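
A userspace sketch of the ordering the patch enforces, added here as an example and not taken from the patch or the kernel. It derives data_start from the standard FAT BPB byte offsets (an assumption, since the page does not show that computation); the struct, function names and sample boot sector are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

struct geom { uint64_t data_start; uint32_t total_sectors, sec_per_clus; };
static uint32_t le16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t le32(const uint8_t *p) { return le16(p) | le16(p + 2) << 16; }

/* Derive the layout from the standard BPB offsets (assumed); -1 if unusable. */
int bpb_geometry(const uint8_t *bs, struct geom *g)
{
	uint32_t sec_size = le16(bs + 11), fat_len = le16(bs + 22);
	g->sec_per_clus = bs[13];
	if (sec_size == 0 || g->sec_per_clus == 0)
		return -1;
	if (fat_len == 0)
		fat_len = le32(bs + 36);	/* FAT32 length field */
	/* reserved sectors + all FATs + root directory (32-byte entries) */
	g->data_start = le16(bs + 14) + (uint64_t)bs[16] * fat_len
		      + le16(bs + 17) * 32 / sec_size;
	g->total_sectors = le16(bs + 19) ? le16(bs + 19) : le32(bs + 32);
	return 0;
}

/* Subtraction with no prior check: wraps when data_start > total_sectors. */
uint32_t clusters_unchecked(const struct geom *g)
{
	return (uint32_t)((g->total_sectors - g->data_start) / g->sec_per_clus);
}

/* Order used by the patch: compare first, subtract only when it cannot wrap. */
int clusters_checked(const struct geom *g, uint32_t *out)
{
	if (g->total_sectors < g->data_start)
		return -1;
	*out = clusters_unchecked(g);
	return 0;
}

/* Constructed boot sector: 512-byte sectors, data_start = 1 + 1*1 + 1 = 3, total = 2. */
static const uint8_t SAMPLE[512] = { [12] = 2, [13] = 1, [14] = 1, [16] = 1,
				     [17] = 16, [19] = 2, [22] = 1 };

int main(void)
{
	struct geom g; uint32_t n = 0;
	if (bpb_geometry(SAMPLE, &g) == 0)
		printf("unchecked=%u checked=%d\n", clusters_unchecked(&g), clusters_checked(&g, &n));
	return 0;
}
```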

