From: Samuel Moelius
To: kees@kernel.org
Cc: brauner@kernel.org, iwasbaeyz@gmail.com, linux-kernel@vger.kernel.org, rmk+kernel@armlinux.org.uk, sam.moelius@trailofbits.com, viro@zeniv.linux.org.uk
Subject: [PATCH v2 1/2] adfs: reject disc records smaller than one filesystem block
Date: Sun, 28 Jun 2026 22:01:25 +0000
Message-ID: <20260628220126.94212-2-sam.moelius@trailofbits.com>
In-Reply-To: <20260628220126.94212-1-sam.moelius@trailofbits.com>
References: <202606101323.0DFB06B054@keescook> <20260628220126.94212-1-sam.moelius@trailofbits.com>

ADFS uses the on-disk disc size to report statfs block counts. The disc record validator checks the sector size, id length, high disc-size bits, map zone count, and reserved bytes, but it accepts a declared disc size smaller than one filesystem block.

A crafted one-zone image with log2secsize 9 and disc_size 1 can pass map checksum validation and mount. A subsequent statfs then reports zero f_blocks from adfs_map_statfs(), and adfs_statfs() divides by that zero while deriving f_ffree.

Reject disc records whose declared disc size is smaller than one filesystem block.

Assisted-by: Codex:gpt-5.5-cyber-preview
--- fs/adfs/super.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/adfs/super.c b/fs/adfs/super.c index a4cd0a5159dd..cb8f3919e3bb 100644
--- a/fs/adfs/super.c +++ b/fs/adfs/super.c @@ -73,6 +73,10 @@ static int adfs_checkdiscrecord(struct adfs_discrecord *dr) if (le32_to_cpu(dr->disc_size_high) >> dr->log2secsize) return 1; + /* disc size must contain at least one filesystem block */ + if (adfs_disc_size(dr) < (1ULL << dr->log2secsize)) + return 1; + /* * Maximum idlen is limited to 16 bits for new directories by * the three-byte storage of an indirect disc address. For -- 2.43.0
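Review bot: The new comment in adfs_checkdiscrecord() says "filesystem block", but the comparison is against the sector size, `1ULL << dr->log2secsize`, and nothing in this hunk ties the two together. The divisor the commit message is protecting is f_blocks, computed later in adfs_map_statfs(), so the fix holds only if that function shifts by the same log2secsize value. Please either reword the comment to say one sector and note that the filesystem block size is derived from log2secsize, or point at the statfs computation it protects. It is also worth considering a guard on the divisor in adfs_statfs() itself, so the division does not depend solely on a mount-time validator staying in sync with it, unless another patch in this series already covers that. Finally, `1ULL << dr->log2secsize` relies on log2secsize having been range-checked before this point, as does the existing `>> dr->log2secsize` just above; the commit message says the sector size is validated, but that check is outside the visible context, so a short note in the changelog confirming the ordering would help.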