michael/u-boot
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fs: fat: Perform sanity checks on getsize in get_fatent()

Browse Source 
We do not perform a check on the value of getsize in get_fatent to
ensure that it will fit within the allocated buffer. For safety sake,
add a check now and if the value exceeds FATBUFBLOCKS use that value
instead. While not currently actively exploitable, it was in the past so
adding this check is worthwhile.

This addresses CVE-2025-24857 and was originally reported by Harvey
Phillips of Amazon Element55.

Signed-off-by: Tom Rini <trini@konsulko.com>
This commit is contained in:
Tom Rini
2025-12-09 15:23:01 -06:00
parent 1b3050dfc4
commit 87d85139a9
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
fs/fat/fat.c
View File

@@ -216,6 +216,11 @@ static __u32 get_fatent(fsdata *mydata, __u32 entry)
if (flush_dirty_fat_buffer(mydata) < 0)
return -1;
if (getsize > FATBUFBLOCKS) {
debug("getsize is too large for bufptr\n");
getsize = FATBUFBLOCKS;
}
if (disk_read(startblock, getsize, bufptr) < 0) {
debug("Error reading FAT blocks\n");
return ret;