[PATCH 03/11] crypto: enforce that key material doesn't overlap with LUK

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 03/11] crypto: enforce that key material doesn't overlap with LUK

From:	Daniel P . Berrangé
Subject:	[PATCH 03/11] crypto: enforce that key material doesn't overlap with LUKS header
Date:	Tue, 6 Sep 2022 09:41:39 +0100

We already check that key material doesn't overlap between key slots,
and that it doesn't overlap with the payload. We didn't check for
overlap with the LUKS header.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 crypto/block-luks.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/crypto/block-luks.c b/crypto/block-luks.c
index 81744e2a8e..6ef9a89ffa 100644
--- a/crypto/block-luks.c
+++ b/crypto/block-luks.c
@@ -595,6 +595,14 @@ qcrypto_block_luks_check_header(const QCryptoBlockLUKS 
*luks, Error **errp)
             return -1;
         }
 
+        if (start1 < DIV_ROUND_UP(sizeof(QCryptoBlockLUKSHeader),
+                                  QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) {
+            error_setg(errp,
+                       "Keyslot %zu is overlapping with the LUKS header",
+                       i);
+            return -1;
+        }
+
         if (start1 + len1 > luks->header.payload_offset_sector) {
             error_setg(errp,
                        "Keyslot %zu is overlapping with the encrypted payload",
-- 
2.37.2

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH 00/11] crypto: improve robustness of LUKS metadata validation, Daniel P . Berrangé, 2022/09/06
- [PATCH 02/11] crypto: enforce that LUKS stripes is always a fixed value, Daniel P . Berrangé, 2022/09/06
  - Re: [PATCH 02/11] crypto: enforce that LUKS stripes is always a fixed value, Richard W.M. Jones, 2022/09/06
- [PATCH 11/11] crypto: add test cases for many malformed LUKS header scenarios, Daniel P . Berrangé, 2022/09/06
- [PATCH 04/11] crypto: validate that LUKS payload doesn't overlap with header, Daniel P . Berrangé, 2022/09/06
  - Re: [PATCH 04/11] crypto: validate that LUKS payload doesn't overlap with header, Richard W.M. Jones, 2022/09/06
- [PATCH 09/11] crypto: quote algorithm names in error messages, Daniel P . Berrangé, 2022/09/06
- [PATCH 05/11] crypto: strengthen the check for key slots overlapping with LUKS header, Daniel P . Berrangé, 2022/09/06
- [PATCH 06/11] crypto: check that LUKS PBKDF2 iterations count is non-zero, Daniel P . Berrangé, 2022/09/06
  - Re: [PATCH 06/11] crypto: check that LUKS PBKDF2 iterations count is non-zero, Richard W.M. Jones, 2022/09/06
- [PATCH 03/11] crypto: enforce that key material doesn't overlap with LUKS header, Daniel P . Berrangé <=
- [PATCH 10/11] crypto: ensure LUKS tests run with GNUTLS crypto provider, Daniel P . Berrangé, 2022/09/06
- [PATCH 01/11] crypto: sanity check that LUKS header strings are NUL-terminated, Daniel P . Berrangé, 2022/09/06
  - Re: [PATCH 01/11] crypto: sanity check that LUKS header strings are NUL-terminated, Richard W.M. Jones, 2022/09/06
- [PATCH 07/11] crypto: split LUKS header definitions off into file, Daniel P . Berrangé, 2022/09/06
- [PATCH 08/11] crypto: split off helpers for converting LUKS header endianess, Daniel P . Berrangé, 2022/09/06
- Re: [PATCH 00/11] crypto: improve robustness of LUKS metadata validation, Richard W.M. Jones, 2022/09/06

Prev by Date: [PATCH 06/11] crypto: check that LUKS PBKDF2 iterations count is non-zero
Next by Date: [PATCH 10/11] crypto: ensure LUKS tests run with GNUTLS crypto provider
Previous by thread: Re: [PATCH 06/11] crypto: check that LUKS PBKDF2 iterations count is non-zero
Next by thread: [PATCH 10/11] crypto: ensure LUKS tests run with GNUTLS crypto provider
Index(es):
- Date
- Thread