d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

msdosfs: sanity check sector count from BPB

Browse Source 
We use sector count to size the FAT inuse bitset.  If sector count is
corrupted, kernel might be tricked into doing unbound allocation.
Ensure that the sector count does not exceed the actual volume size.

In collaboration with:	pho
Reviewed by:	markj, mckusick
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
Differential revision:	https://reviews.freebsd.org/D33721
This commit is contained in:
Konstantin Belousov 2021-12-30 21:45:40 +02:00
parent 65990b68a2
commit ba2c98389b
1 changed files with 12 additions and 0 deletions

12
sys/fs/msdosfs/msdosfs_vfsops.c

@ -558,6 +558,14 @@ mountmsdosfs(struct vnode *devvp, struct mount *mp)
}
pmp->pm_HugeSectors *= pmp->pm_BlkPerSec;
if ((off_t)pmp->pm_HugeSectors * pmp->pm_BytesPerSec <
pmp->pm_HugeSectors /* overflow */ ||
(off_t)pmp->pm_HugeSectors * pmp->pm_BytesPerSec >
cp->provider->mediasize /* past end of vol */) {
error = EINVAL;
goto error_exit;
}
pmp->pm_HiddenSects *= pmp->pm_BlkPerSec; /* XXX not used? */
pmp->pm_FATsecs *= pmp->pm_BlkPerSec;
SecPerClust *= pmp->pm_BlkPerSec;
@ -577,6 +585,10 @@ mountmsdosfs(struct vnode *devvp, struct mount *mp)
pmp->pm_firstcluster = pmp->pm_rootdirblk + pmp->pm_rootdirsize;
}
if (pmp->pm_HugeSectors <= pmp->pm_firstcluster) {
error = EINVAL;
goto error_exit;
}
pmp->pm_maxcluster = (pmp->pm_HugeSectors - pmp->pm_firstcluster) /
SecPerClust + 1;
pmp->pm_fatsize = pmp->pm_FATsecs * DEV_BSIZE; /* XXX not used? */