1. Patchew
  2. QEMU
  3. [PATCH 00/11] crypto: improve robustness of LUKS metadata validation
  4. View patch

[PATCH 03/11] crypto: enforce that key material doesn't overlap with LUKS header

Daniel P. Berrangé posted 11 patches 3 years, 5 months ago
Maintainers: "Daniel P. Berrangé" <berrange@redhat.com>
[PATCH 03/11] crypto: enforce that key material doesn't overlap with LUKS header
Posted by Daniel P. Berrangé 3 years, 5 months ago 
We already check that key material doesn't overlap between key slots,
and that it doesn't overlap with the payload. We didn't check for
overlap with the LUKS header.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 crypto/block-luks.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/crypto/block-luks.c b/crypto/block-luks.c
index 81744e2a8e..6ef9a89ffa 100644
--- a/crypto/block-luks.c
+++ b/crypto/block-luks.c
@@ -595,6 +595,14 @@ qcrypto_block_luks_check_header(const QCryptoBlockLUKS *luks, Error **errp)
             return -1;
         }
 
+        if (start1 < DIV_ROUND_UP(sizeof(QCryptoBlockLUKSHeader),
+                                  QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) {
+            error_setg(errp,
+                       "Keyslot %zu is overlapping with the LUKS header",
+                       i);
+            return -1;
+        }
+
         if (start1 + len1 > luks->header.payload_offset_sector) {
             error_setg(errp,
                        "Keyslot %zu is overlapping with the encrypted payload",
-- 
2.37.2

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.