diff options
author | Eric Biggers <ebiggers@google.com> | 2023-03-27 21:15:05 -0700 |
---|---|---|
committer | Eric Biggers <ebiggers@google.com> | 2023-04-11 19:23:23 -0700 |
commit | 39049b69ec9fc125fa1f314165dcc86f72cb72ec (patch) | |
tree | f7551132981d66deaf709634edee1fd69c4c3147 /fs/verity | |
parent | 8eb8af4b3df5965dc65a24a32768043f39d82d59 (diff) | |
download | linux-39049b69ec9fc125fa1f314165dcc86f72cb72ec.tar.gz linux-39049b69ec9fc125fa1f314165dcc86f72cb72ec.tar.bz2 linux-39049b69ec9fc125fa1f314165dcc86f72cb72ec.zip |
fsverity: explicitly check for buffer overflow in build_merkle_tree()
The new Merkle tree construction algorithm is a bit fragile in that it
may overflow the 'root_hash' array if the tree actually generated does
not match the calculated tree parameters.
This should never happen unless there is a filesystem bug that allows
the file size to change despite deny_write_access(), or a bug in the
Merkle tree logic itself. Regardless, it's fairly easy to check for
buffer overflow here, so let's do so.
This is a robustness improvement only; this case is not currently known
to be reachable. I've added a Fixes tag anyway, since I recommend that
this be included in kernels that have the mentioned commit.
Fixes: 56124d6c87fd ("fsverity: support enabling with tree block size < PAGE_SIZE")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20230328041505.110162-1-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Diffstat (limited to 'fs/verity')
-rw-r--r-- | fs/verity/enable.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/fs/verity/enable.c b/fs/verity/enable.c index 541c2a277c5c..bbec6f93172c 100644 --- a/fs/verity/enable.c +++ b/fs/verity/enable.c @@ -13,6 +13,7 @@ struct block_buffer { u32 filled; + bool is_root_hash; u8 *data; }; @@ -24,6 +25,14 @@ static int hash_one_block(struct inode *inode, struct block_buffer *next = cur + 1; int err; + /* + * Safety check to prevent a buffer overflow in case of a filesystem bug + * that allows the file size to change despite deny_write_access(), or a + * bug in the Merkle tree logic itself + */ + if (WARN_ON_ONCE(next->is_root_hash && next->filled != 0)) + return -EINVAL; + /* Zero-pad the block if it's shorter than the block size. */ memset(&cur->data[cur->filled], 0, params->block_size - cur->filled); @@ -97,6 +106,7 @@ static int build_merkle_tree(struct file *filp, } } buffers[num_levels].data = root_hash; + buffers[num_levels].is_root_hash = true; BUILD_BUG_ON(sizeof(level_offset) != sizeof(params->level_start)); memcpy(level_offset, params->level_start, sizeof(level_offset)); |