aboutsummaryrefslogtreecommitdiff
path: root/crypto
diff options
context:
space:
mode:
authorDaniel P. Berrangé <berrange@redhat.com>2022-09-05 13:50:03 +0100
committerDaniel P. Berrangé <berrange@redhat.com>2022-10-27 12:55:27 +0100
commitd233fbc327d3f1f03bc30e0486b9ade3aa23f9ec (patch)
tree9c53221037e0f325e26bfce8abeeaa11d4feb420 /crypto
parent93569c373027c5c46e518e01c0c3e2d07fbb6890 (diff)
downloadqemu-d233fbc327d3f1f03bc30e0486b9ade3aa23f9ec.zip
qemu-d233fbc327d3f1f03bc30e0486b9ade3aa23f9ec.tar.gz
qemu-d233fbc327d3f1f03bc30e0486b9ade3aa23f9ec.tar.bz2
crypto: validate that LUKS payload doesn't overlap with header
We already validate that LUKS keyslots don't overlap with the header, or with each other. This closes the remaining hole in validation of LUKS file regions. Reviewed-by: Richard W.M. Jones <rjones@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Diffstat (limited to 'crypto')
-rw-r--r--crypto/block-luks.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/crypto/block-luks.c b/crypto/block-luks.c
index 6ef9a89..f22bc63 100644
--- a/crypto/block-luks.c
+++ b/crypto/block-luks.c
@@ -572,6 +572,13 @@ qcrypto_block_luks_check_header(const QCryptoBlockLUKS *luks, Error **errp)
return -1;
}
+ if (luks->header.payload_offset_sector <
+ DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET,
+ QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) {
+ error_setg(errp, "LUKS payload is overlapping with the header");
+ return -1;
+ }
+
/* Check all keyslots for corruption */
for (i = 0 ; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; i++) {