diff mbox series

fs-verity: fix signed integer overflow with i_size near S64_MAX

Message ID 20210916203424.113376-1-ebiggers@kernel.org
State New
Headers show
Series fs-verity: fix signed integer overflow with i_size near S64_MAX | expand

Commit Message

Eric Biggers Sept. 16, 2021, 8:34 p.m. UTC 
From: Eric Biggers <ebiggers@google.com>

If the file size is almost S64_MAX, the calculated number of Merkle tree
levels exceeds FS_VERITY_MAX_LEVELS, causing FS_IOC_ENABLE_VERITY to
fail.  This is unintentional, since as the comment above the definition
of FS_VERITY_MAX_LEVELS states, it is enough for over U64_MAX bytes of
data using SHA-256 and 4K blocks.  (Specifically, 4096*128**8 >= 2**64.)

The bug is actually that when the number of blocks in the first level is
calculated from i_size, there is a signed integer overflow due to i_size
being signed.  Fix this by treating i_size is unsigned.

This was found by the new test "generic: test fs-verity EFBIG scenarios"
(https://lkml.kernel.org/r/b1d116cd4d0ea74b9cd86f349c672021e005a75c.1631558495.git.boris@bur.io).

This didn't affect ext4 or f2fs since those have a smaller maximum file
size, but it did affect btrfs which allows files up to S64_MAX bytes.

Reported-by: Boris Burkov <boris@bur.io>
Fixes: 3fda4c617e84 ("fs-verity: implement FS_IOC_ENABLE_VERITY ioctl")
Fixes: fd2d1acfcadf ("fs-verity: add the hook for file ->open()")
Cc: <stable@vger.kernel.org> # v5.4+
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 fs/verity/enable.c | 2 +-
 fs/verity/open.c   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Boris Burkov Sept. 22, 2021, 5:22 p.m. UTC | #1 
On Thu, Sep 16, 2021 at 01:34:24PM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>

> 

> If the file size is almost S64_MAX, the calculated number of Merkle tree

> levels exceeds FS_VERITY_MAX_LEVELS, causing FS_IOC_ENABLE_VERITY to

> fail.  This is unintentional, since as the comment above the definition

> of FS_VERITY_MAX_LEVELS states, it is enough for over U64_MAX bytes of

> data using SHA-256 and 4K blocks.  (Specifically, 4096*128**8 >= 2**64.)

> 

> The bug is actually that when the number of blocks in the first level is

> calculated from i_size, there is a signed integer overflow due to i_size

> being signed.  Fix this by treating i_size is unsigned.

> 

> This was found by the new test "generic: test fs-verity EFBIG scenarios"

> (https://lkml.kernel.org/r/b1d116cd4d0ea74b9cd86f349c672021e005a75c.1631558495.git.boris@bur.io).

> 

> This didn't affect ext4 or f2fs since those have a smaller maximum file

> size, but it did affect btrfs which allows files up to S64_MAX bytes.

> 

> Reported-by: Boris Burkov <boris@bur.io>

> Fixes: 3fda4c617e84 ("fs-verity: implement FS_IOC_ENABLE_VERITY ioctl")

> Fixes: fd2d1acfcadf ("fs-verity: add the hook for file ->open()")

> Cc: <stable@vger.kernel.org> # v5.4+

> Signed-off-by: Eric Biggers <ebiggers@google.com>


Ah good catch! I'll update the test to not work around it.

Reviewed-by: Boris Burkov <boris@bur.io>


> ---

>  fs/verity/enable.c | 2 +-

>  fs/verity/open.c   | 2 +-

>  2 files changed, 2 insertions(+), 2 deletions(-)

> 

> diff --git a/fs/verity/enable.c b/fs/verity/enable.c

> index 77e159a0346b1..60a4372aa4d75 100644

> --- a/fs/verity/enable.c

> +++ b/fs/verity/enable.c

> @@ -177,7 +177,7 @@ static int build_merkle_tree(struct file *filp,

>  	 * (level 0) and ascending to the root node (level 'num_levels - 1').

>  	 * Then at the end (level 'num_levels'), calculate the root hash.

>  	 */

> -	blocks = (inode->i_size + params->block_size - 1) >>

> +	blocks = ((u64)inode->i_size + params->block_size - 1) >>

>  		 params->log_blocksize;

>  	for (level = 0; level <= params->num_levels; level++) {

>  		err = build_merkle_tree_level(filp, level, blocks, params,

> diff --git a/fs/verity/open.c b/fs/verity/open.c

> index 60ff8af7219fe..92df87f5fa388 100644

> --- a/fs/verity/open.c

> +++ b/fs/verity/open.c

> @@ -89,7 +89,7 @@ int fsverity_init_merkle_tree_params(struct merkle_tree_params *params,

>  	 */

>  

>  	/* Compute number of levels and the number of blocks in each level */

> -	blocks = (inode->i_size + params->block_size - 1) >> log_blocksize;

> +	blocks = ((u64)inode->i_size + params->block_size - 1) >> log_blocksize;

>  	pr_debug("Data is %lld bytes (%llu blocks)\n", inode->i_size, blocks);

>  	while (blocks > 1) {

>  		if (params->num_levels >= FS_VERITY_MAX_LEVELS) {

> -- 

> 2.33.0

>
diff mbox series

Patch

diff --git a/fs/verity/enable.c b/fs/verity/enable.c
index 77e159a0346b1..60a4372aa4d75 100644
--- a/fs/verity/enable.c
+++ b/fs/verity/enable.c
@@ -177,7 +177,7 @@  static int build_merkle_tree(struct file *filp,
 	 * (level 0) and ascending to the root node (level 'num_levels - 1').
 	 * Then at the end (level 'num_levels'), calculate the root hash.
 	 */
-	blocks = (inode->i_size + params->block_size - 1) >>
+	blocks = ((u64)inode->i_size + params->block_size - 1) >>
 		 params->log_blocksize;
 	for (level = 0; level <= params->num_levels; level++) {
 		err = build_merkle_tree_level(filp, level, blocks, params,
diff --git a/fs/verity/open.c b/fs/verity/open.c
index 60ff8af7219fe..92df87f5fa388 100644
--- a/fs/verity/open.c
+++ b/fs/verity/open.c
@@ -89,7 +89,7 @@  int fsverity_init_merkle_tree_params(struct merkle_tree_params *params,
 	 */
 
 	/* Compute number of levels and the number of blocks in each level */
-	blocks = (inode->i_size + params->block_size - 1) >> log_blocksize;
+	blocks = ((u64)inode->i_size + params->block_size - 1) >> log_blocksize;
 	pr_debug("Data is %lld bytes (%llu blocks)\n", inode->i_size, blocks);
 	while (blocks > 1) {
 		if (params->num_levels >= FS_VERITY_MAX_LEVELS) {