Check various number limits.

[platform/upstream/cryptsetup.git] / lib / verity / verity_hash.c

diff --git a/lib/verity/verity_hash.c b/lib/verity/verity_hash.c
index b449d43..bfc82e0 100644 (file)
--- a/lib/verity/verity_hash.c
+++ b/lib/verity/verity_hash.c
@@ -26,10 +26,12 @@
 #include "verity.h"
 #include "internal.h"
 
+#define VERITY_MAX_LEVELS      63
+
 static unsigned get_bits_up(size_t u)
 {
        unsigned i = 0;
-       while ((1 << i) < u)
+       while ((1U << i) < u)
                i++;
        return i;
 }
@@ -37,7 +39,7 @@ static unsigned get_bits_up(size_t u)
 static unsigned get_bits_down(size_t u)
 {
        unsigned i = 0;
-       while ((u >> i) > 1)
+       while ((u >> i) > 1U)
                i++;
        return i;
 }
@@ -47,8 +49,10 @@ static int verify_zero(struct crypt_device *cd, FILE *wr, size_t bytes)
        char block[bytes];
        size_t i;
 
-       if (fread(block, bytes, 1, wr) != 1)
+       if (fread(block, bytes, 1, wr) != 1) {
+               log_dbg("EIO while reading spare area.");
                return -EIO;
+       }
        for (i = 0; i < bytes; i++)
                if (block[i]) {
                        log_err(cd, _("Spare area is not zeroed at position %" PRIu64 ".\n"),
@@ -84,6 +88,14 @@ out:
        return r;
 }
 
+static int mult_overflow(off_t *u, off_t b, size_t size)
+{
+       *u = (uint64_t)b * size;
+       if ((off_t)(*u / size) != b || (off_t)*u < 0 || (off_t)*u != *u)
+               return 1;
+       return 0;
+}
+
 static int create_or_verify(struct crypt_device *cd, FILE *rd, FILE *wr,
                                   off_t data_block, size_t data_block_size,
                                   off_t hash_block, size_t hash_block_size,
@@ -98,14 +110,26 @@ static int create_or_verify(struct crypt_device *cd, FILE *rd, FILE *wr,
        size_t hash_per_block = 1 << get_bits_down(hash_block_size / digest_size);
        size_t digest_size_full = 1 << get_bits_up(digest_size);
        off_t blocks_to_write = (blocks + hash_per_block - 1) / hash_per_block;
+       off_t seek_rd, seek_wr;
        size_t left_bytes;
-       int i, r;
+       unsigned i;
+       int r;
 
-       if (fseeko(rd, data_block * data_block_size, SEEK_SET))
+       if (mult_overflow(&seek_rd, data_block, data_block_size) ||
+           mult_overflow(&seek_wr, hash_block, hash_block_size)) {
+               log_err(cd, _("Device offset overflow.\n"));
+               return -EINVAL;
+       }
+
+       if (fseeko(rd, seek_rd, SEEK_SET)) {
+               log_dbg("Cannot seek to requested position in data device.");
                return -EIO;
+       }
 
-       if (wr && fseeko(wr, hash_block * hash_block_size, SEEK_SET))
+       if (wr && fseeko(wr, seek_wr, SEEK_SET)) {
+               log_dbg("Cannot seek to requested position in hash device.");
                return -EIO;
+       }
 
        memset(left_block, 0, hash_block_size);
        while (blocks_to_write--) {
@@ -114,8 +138,10 @@ static int create_or_verify(struct crypt_device *cd, FILE *rd, FILE *wr,
                        if (!blocks)
                                break;
                        blocks--;
-                       if (fread(data_buffer, data_block_size, 1, rd) != 1)
+                       if (fread(data_buffer, data_block_size, 1, rd) != 1) {
+                               log_dbg("Cannot read data device block.");
                                return -EIO;
+                       }
 
                        if (verify_hash_block(hash_name, version,
                                        calculated_digest, digest_size,
@@ -126,16 +152,20 @@ static int create_or_verify(struct crypt_device *cd, FILE *rd, FILE *wr,
                        if (!wr)
                                break;
                        if (verify) {
-                               if (fread(read_digest, digest_size, 1, wr) != 1)
+                               if (fread(read_digest, digest_size, 1, wr) != 1) {
+                                       log_dbg("Cannot read digest form hash device.");
                                        return -EIO;
+                               }
                                if (memcmp(read_digest, calculated_digest, digest_size)) {
                                        log_err(cd, _("Verification failed at position %" PRIu64 ".\n"),
                                                ftello(rd) - data_block_size);
                                        return -EPERM;
                                }
                        } else {
-                               if (fwrite(calculated_digest, digest_size, 1, wr) != 1)
+                               if (fwrite(calculated_digest, digest_size, 1, wr) != 1) {
+                                       log_dbg("Cannot write digest to hash device.");
                                        return -EIO;
+                               }
                        }
                        if (version == 0) {
                                left_bytes -= digest_size;
@@ -145,8 +175,10 @@ static int create_or_verify(struct crypt_device *cd, FILE *rd, FILE *wr,
                                                r = verify_zero(cd, wr, digest_size_full - digest_size);
                                                if (r)
                                                        return r;
-                                       } else if (fwrite(left_block, digest_size_full - digest_size, 1, wr) != 1)
+                                       } else if (fwrite(left_block, digest_size_full - digest_size, 1, wr) != 1) {
+                                               log_dbg("Cannot write spare area to hash device.");
                                                return -EIO;
+                                       }
                                }
                                left_bytes -= digest_size_full;
                        }
@@ -156,8 +188,10 @@ static int create_or_verify(struct crypt_device *cd, FILE *rd, FILE *wr,
                                r = verify_zero(cd , wr, left_bytes);
                                if (r)
                                        return r;
-                       } else if (fwrite(left_block, left_bytes, 1, wr) != 1)
+                       } else if (fwrite(left_block, left_bytes, 1, wr) != 1) {
+                               log_dbg("Cannot write remaining spare area to hash device.");
                                return -EIO;
+                       }
                }
        }
 
@@ -186,23 +220,34 @@ static int VERITY_create_or_verify_hash(struct crypt_device *cd,
        off_t hash_level_size[VERITY_MAX_LEVELS];
        off_t data_file_blocks, s;
        size_t hash_per_block, hash_per_block_bits;
-       uint64_t data_device_size;
+       off_t data_device_size = 0, hash_device_size = 0;
+       uint64_t dev_size;
        int levels, i, r;
 
-       log_dbg("Userspace hash %s %s, data device %s, data blocks %" PRIu64
+       log_dbg("Hash %s %s, data device %s, data blocks %" PRIu64
                ", hash_device %s, offset %" PRIu64 ".",
                verify ? "verification" : "creation", hash_name,
                data_device, data_blocks, hash_device, hash_position);
 
+       if (data_blocks < 0 || hash_position < 0) {
+               log_err(cd, _("Invalid size parameters for verity device.\n"));
+               return -EINVAL;
+       }
+
        if (!data_blocks) {
-               r = device_size(data_device, &data_device_size);
+               r = device_size(data_device, &dev_size);
                if (r < 0)
                        return r;
 
-               data_file_blocks = data_device_size / data_block_size;
+               data_file_blocks = dev_size / data_block_size;
        } else
                data_file_blocks = data_blocks;
 
+       if (mult_overflow(&data_device_size, data_blocks, data_block_size)) {
+               log_err(cd, _("Device offset overflow.\n"));
+               return -EINVAL;
+       }
+
        hash_per_block_bits = get_bits_down(hash_block_size / digest_size);
        hash_per_block = 1 << hash_per_block_bits;
        if (!hash_per_block_bits)
@@ -214,6 +259,7 @@ static int VERITY_create_or_verify_hash(struct crypt_device *cd,
                       (data_file_blocks - 1) >> (hash_per_block_bits * levels))
                        levels++;
        }
+       log_dbg("Using %d hash levels.", levels);
 
        if (levels > VERITY_MAX_LEVELS) {
                log_err(cd, _("Too many tree levels for verity volume.\n"));
@@ -229,12 +275,19 @@ static int VERITY_create_or_verify_hash(struct crypt_device *cd,
                if (hash_position + s < hash_position ||
                    (hash_position + s) < 0 ||
                    (hash_position + s) != hash_position + s) {
-                       log_dbg("Hash device offset overflow.");
+                       log_err(cd, _("Device offset overflow.\n"));
                        return -EINVAL;
                }
                hash_position += s;
        }
 
+       if (mult_overflow(&hash_device_size, hash_position, hash_block_size)) {
+               log_err(cd, _("Device offset overflow.\n"));
+               return -EINVAL;
+       }
+
+       log_dbg("Data device size required: %" PRIu64 " bytes.",
+               data_device_size);
        data_file = fopen(data_device, "r");
        if (!data_file) {
                log_err(cd, _("Cannot open device %s.\n"), data_device);
@@ -242,6 +295,8 @@ static int VERITY_create_or_verify_hash(struct crypt_device *cd,
                goto out;
        }
 
+       log_dbg("Hash device size required: %" PRIu64 " bytes.",
+               hash_device_size);
        hash_file = fopen(hash_device, verify ? "r" : "r+");
        if (!hash_file) {
                log_err(cd, _("Cannot open device %s.\n"), hash_device);
@@ -263,6 +318,7 @@ static int VERITY_create_or_verify_hash(struct crypt_device *cd,
                } else {
                        hash_file_2 = fopen(hash_device, "r");
                        if (!hash_file_2) {
+                               log_err(cd, _("Cannot open device %s.\n"), hash_device);
                                r = -EIO;
                                goto out;
                        }
@@ -280,34 +336,38 @@ static int VERITY_create_or_verify_hash(struct crypt_device *cd,
        if (levels)
                r = create_or_verify(cd, hash_file, NULL,
                                            hash_level_block[levels - 1], hash_block_size,
-                                           0, 0,
+                                           0, hash_block_size,
                                            1, version, hash_name, verify,
                                            calculated_digest, digest_size, salt, salt_size);
        else
                r = create_or_verify(cd, data_file, NULL,
                                            0, data_block_size,
-                                           0, 0,
+                                           0, hash_block_size,
                                            data_file_blocks, version, hash_name, verify,
                                            calculated_digest, digest_size, salt, salt_size);
-
-       if (r == -EPERM) {
-               log_err(cd, _("Verification of data area failed.\n"));
-               goto out;
-       } else if (!r)
-               log_dbg("Verification of data area succeeded.");
-
-       /* root hash verification */
+out:
        if (verify) {
-               r = memcmp(root_hash, calculated_digest, digest_size) ? -EPERM : 0;
                if (r)
-                       log_err(cd, _("Verification of root hash failed.\n"));
-               else
-                       log_dbg("Verification of root hash succeeded.");
+                       log_err(cd, _("Verification of data area failed.\n"));
+               else {
+                       log_dbg("Verification of data area succeeded.");
+                       r = memcmp(root_hash, calculated_digest, digest_size) ? -EPERM : 0;
+                       if (r)
+                               log_err(cd, _("Verification of root hash failed.\n"));
+                       else
+                               log_dbg("Verification of root hash succeeded.");
+               }
        } else {
-               fsync(fileno(hash_file));
-               memcpy(root_hash, calculated_digest, digest_size);
+               if (r == -EIO)
+                       log_err(cd, _("Input/output error while creating hash area.\n"));
+               else if (r)
+                       log_err(cd, _("Creation of hash area failed.\n"));
+               else {
+                       fsync(fileno(hash_file));
+                       memcpy(root_hash, calculated_digest, digest_size);
+               }
        }
-out:
+
        if (data_file)
                fclose(data_file);
        if (hash_file)
@@ -324,7 +384,7 @@ int VERITY_verify(struct crypt_device *cd,
                  size_t root_hash_size)
 {
        return VERITY_create_or_verify_hash(cd, 1,
-               verity_hdr->version,
+               verity_hdr->hash_type,
                verity_hdr->hash_name,
                hash_device,
                data_device,
@@ -346,18 +406,17 @@ int VERITY_create(struct crypt_device *cd,
                  char *root_hash,
                  size_t root_hash_size)
 {
-       int pgsize = crypt_getpagesize();
+       unsigned pgsize = crypt_getpagesize();
 
-       if (verity_hdr->salt_size > VERITY_MAX_SALT_SIZE)
+       if (verity_hdr->salt_size > 256)
                return -EINVAL;
 
-       if (verity_hdr->hash_block_size > pgsize ||
-           verity_hdr->data_block_size > pgsize)
-               log_err(cd, _("WARNING: Kernel cannot activate device if block "
-                             "size exceeds page size (%u).\n"), pgsize);
+       if (verity_hdr->data_block_size > pgsize)
+               log_err(cd, _("WARNING: Kernel cannot activate device if data "
+                             "block size exceeds page size (%u).\n"), pgsize);
 
        return VERITY_create_or_verify_hash(cd, 0,
-               verity_hdr->version,
+               verity_hdr->hash_type,
                verity_hdr->hash_name,
                hash_device,
                data_device,