fix buffer overflow in DiskAccess::read_exact_into

Freax13 · Freax13 · commit 18356dbbe5b7 · 2025-11-29T12:51:47.000+01:00
DiskAccess::read_exact_into did not work correctly if current_offset
wasn't aligned to 512 bytes.

For example, if self.current_offset is 3 and len is 1024:
- end_addr will be 3+1024=1027
- start_lba will be 3/512=0
- end_lba (1027-1)=2
read_exact_into would then read 3 (!) sectors with lbas 0, 1, and 2
even though the buffer can only hold 2 sectors (1024 bytes).

To fix this, only allow seeking to the start of a sector.
DiskAccess::read_exact_into works correctly if the offset is a multiple
of the sector size.

There were few uses of DiskAccess::seek that didn't seek to the start
of a sector. All those uses then use DiskAccess::read_exact to read
data at the offset. Unlike DiskAccess::read_exact_into,
DiskAccess::read_exact can already handle non-aligned offsets. To fix
the bad seek calls, we turn read_exact into a combined seek+offset
function that works for non-aligned offsets.
diff --git a/bios/stage-2/src/disk.rs b/bios/stage-2/src/disk.rs
@@ -8,8 +8,9 @@ pub struct DiskAccess {
 }
 
 impl Read for DiskAccess {
-    unsafe fn read_exact(&mut self, len: usize) -> &[u8] {
-        let current_sector_offset = usize::try_from(self.current_offset % 512).unwrap();
+    unsafe fn read_exact_at(&mut self, len: usize, offset: u64) -> &[u8] {
+        self.seek(SeekFrom::Start(offset - (offset % 512)));
+        let current_sector_offset = usize::try_from(offset % 512).unwrap();
 
         static mut TMP_BUF: AlignedArrayBuffer<1024> = AlignedArrayBuffer {
             buffer: [0; 512 * 2],
@@ -62,6 +63,7 @@ impl Seek for DiskAccess {
     fn seek(&mut self, pos: SeekFrom) -> u64 {
         match pos {
             SeekFrom::Start(offset) => {
+                assert_eq!(offset % 512, 0);
                 self.current_offset = offset;
                 self.current_offset
             }
@@ -70,7 +72,7 @@ impl Seek for DiskAccess {
 }
 
 pub trait Read {
-    unsafe fn read_exact(&mut self, len: usize) -> &[u8];
+    unsafe fn read_exact_at(&mut self, len: usize, offset: u64) -> &[u8];
     fn read_exact_into(&mut self, len: usize, buf: &mut dyn AlignedBuffer);
 }
 
diff --git a/bios/stage-2/src/fat.rs b/bios/stage-2/src/fat.rs
@@ -32,9 +32,8 @@ struct Bpb {
 }
 
 impl Bpb {
-    fn parse<D: Read + Seek>(disk: &mut D) -> Self {
-        disk.seek(SeekFrom::Start(0));
-        let raw = unsafe { disk.read_exact(512) };
+    fn parse<D: Read>(disk: &mut D) -> Self {
+        let raw = unsafe { disk.read_exact_at(512, 0) };
 
         let bytes_per_sector = u16::from_le_bytes(raw[11..13].try_into().unwrap());
         let sectors_per_cluster = raw[13];
@@ -256,7 +255,7 @@ struct Traverser<'a, D> {
 
 impl<D> Traverser<'_, D>
 where
-    D: Read + Seek,
+    D: Read,
 {
     fn next_cluster(&mut self) -> Result<Option<Cluster>, ()> {
         let entry = classify_fat_entry(
@@ -286,7 +285,7 @@ where
 
 impl<D> Iterator for Traverser<'_, D>
 where
-    D: Read + Seek,
+    D: Read,
 {
     type Item = Result<Cluster, ()>;
 
@@ -476,28 +475,25 @@ enum FileFatEntry {
 
 fn fat_entry_of_nth_cluster<D>(disk: &mut D, fat_type: FatType, fat_start: u64, n: u32) -> u32
 where
-    D: Seek + Read,
+    D: Read,
 {
     debug_assert!(n >= 2);
     match fat_type {
         FatType::Fat32 => {
             let base = n as u64 * 4;
-            disk.seek(SeekFrom::Start(fat_start + base));
-            let buf = unsafe { disk.read_exact(4) };
+            let buf = unsafe { disk.read_exact_at(4, fat_start + base) };
             let buf: [u8; 4] = buf.try_into().unwrap();
             u32::from_le_bytes(buf) & 0x0FFFFFFF
         }
         FatType::Fat16 => {
             let base = n as u64 * 2;
-            disk.seek(SeekFrom::Start(fat_start + base));
-            let buf = unsafe { disk.read_exact(2) };
+            let buf = unsafe { disk.read_exact_at(2, fat_start + base) };
             let buf: [u8; 2] = buf.try_into().unwrap();
             u16::from_le_bytes(buf) as u32
         }
         FatType::Fat12 => {
             let base = n as u64 + (n as u64 / 2);
-            disk.seek(SeekFrom::Start(fat_start + base));
-            let buf = unsafe { disk.read_exact(2) };
+            let buf = unsafe { disk.read_exact_at(2, fat_start + base) };
             let buf: [u8; 2] = buf.try_into().unwrap();
             let entry16 = u16::from_le_bytes(buf);
             if n & 1 == 0 {

Original file line number	Diff line number	Diff line change
`@@ -8,8 +8,9 @@ pub struct DiskAccess {`
`8`	`8`	`}`
`9`	`9`
`10`	`10`	`impl Read for DiskAccess {`
`11`		`- unsafe fn read_exact(&mut self, len: usize) -> &[u8] {`
`12`		`- let current_sector_offset = usize::try_from(self.current_offset % 512).unwrap();`
	`11`	`+ unsafe fn read_exact_at(&mut self, len: usize, offset: u64) -> &[u8] {`
	`12`	`+ self.seek(SeekFrom::Start(offset - (offset % 512)));`
	`13`	`+ let current_sector_offset = usize::try_from(offset % 512).unwrap();`
`13`	`14`
`14`	`15`	`static mut TMP_BUF: AlignedArrayBuffer<1024> = AlignedArrayBuffer {`
`15`	`16`	`buffer: [0; 512 * 2],`
`@@ -62,6 +63,7 @@ impl Seek for DiskAccess {`
`62`	`63`	`fn seek(&mut self, pos: SeekFrom) -> u64 {`
`63`	`64`	`match pos {`
`64`	`65`	`SeekFrom::Start(offset) => {`
	`66`	`+ assert_eq!(offset % 512, 0);`
`65`	`67`	`self.current_offset = offset;`
`66`	`68`	`self.current_offset`
`67`	`69`	`}`
`@@ -70,7 +72,7 @@ impl Seek for DiskAccess {`
`70`	`72`	`}`
`71`	`73`
`72`	`74`	`pub trait Read {`
`73`		`- unsafe fn read_exact(&mut self, len: usize) -> &[u8];`
	`75`	`+ unsafe fn read_exact_at(&mut self, len: usize, offset: u64) -> &[u8];`
`74`	`76`	`fn read_exact_into(&mut self, len: usize, buf: &mut dyn AlignedBuffer);`
`75`	`77`	`}`
`76`	`78`