Message ID | 20220906084147.1423045-4-berrange@redhat.com |
---|---|
State | New |
Headers | show |
Series | crypto: improve robustness of LUKS metadata validation | expand |
diff --git a/crypto/block-luks.c b/crypto/block-luks.c index 81744e2a8e..6ef9a89ffa 100644 --- a/crypto/block-luks.c +++ b/crypto/block-luks.c @@ -595,6 +595,14 @@ qcrypto_block_luks_check_header(const QCryptoBlockLUKS *luks, Error **errp) return -1; } + if (start1 < DIV_ROUND_UP(sizeof(QCryptoBlockLUKSHeader), + QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) { + error_setg(errp, + "Keyslot %zu is overlapping with the LUKS header", + i); + return -1; + } + if (start1 + len1 > luks->header.payload_offset_sector) { error_setg(errp, "Keyslot %zu is overlapping with the encrypted payload",
We already check that key material doesn't overlap between key slots, and that it doesn't overlap with the payload. We didn't check for overlap with the LUKS header. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- crypto/block-luks.c | 8 ++++++++ 1 file changed, 8 insertions(+)