[PATCH] fs: fat: Perform sanity checks on getsize in get_fatent()
Tom Rini
trini at konsulko.com
Tue Dec 9 22:23:01 CET 2025
We do not perform a check on the value of getsize in get_fatent to
ensure that it will fit within the allocated buffer. For safety sake,
add a check now and if the value exceeds FATBUFBLOCKS use that value
instead. While not currently actively exploitable, it was in the past so
adding this check is worthwhile.
This addresses CVE-2025-24857 and was originally reported by Harvey
Phillips of Amazon Element55
Signed-off-by: Tom Rini <trini at konsulko.com>
---
fs/fat/fat.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/fat/fat.c b/fs/fat/fat.c
index 89f2acbba1ef..9ce5df59f9ba 100644
--- a/fs/fat/fat.c
+++ b/fs/fat/fat.c
@@ -216,6 +216,11 @@ static __u32 get_fatent(fsdata *mydata, __u32 entry)
if (flush_dirty_fat_buffer(mydata) < 0)
return -1;
+ if (getsize > FATBUFBLOCKS) {
+ debug("getsize is too large for bufptr\n");
+ getsize = FATBUFBLOCKS;
+ }
+
if (disk_read(startblock, getsize, bufptr) < 0) {
debug("Error reading FAT blocks\n");
return ret;
--
2.43.0
More information about the U-Boot
mailing list