Compare commits
No commits in common. "c8" and "c8-beta" have entirely different histories.
@ -1,91 +0,0 @@
|
|||||||
From 27c2157f4718030b19e2913fc3684268ffc74d11 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sergio Correia <scorreia@redhat.com>
|
|
||||||
Date: Wed, 22 Oct 2025 15:58:01 +0100
|
|
||||||
Subject: [PATCH 2/2] Fix handling of large metadata
|
|
||||||
|
|
||||||
Prevent metadata from being written beyond the gap between the LUKS
|
|
||||||
header and encrypted data. The overflow check now correctly validates
|
|
||||||
that the end position of new metadata does not exceed the hard limit,
|
|
||||||
preventing corruption of encrypted data.
|
|
||||||
|
|
||||||
Also add upfront size validation to reject metadata larger than the
|
|
||||||
total available space.
|
|
||||||
|
|
||||||
Fix: CVE-2025-11568
|
|
||||||
|
|
||||||
Signed-off-by: Sergio Correia <scorreia@redhat.com>
|
|
||||||
---
|
|
||||||
libluksmeta.c | 13 +++++++++++--
|
|
||||||
test-luksmeta | 16 ++++++++++++++++
|
|
||||||
2 files changed, 27 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/libluksmeta.c b/libluksmeta.c
|
|
||||||
index b653223..d2f7e42 100644
|
|
||||||
--- a/libluksmeta.c
|
|
||||||
+++ b/libluksmeta.c
|
|
||||||
@@ -69,8 +69,12 @@ checksum(lm_t lm)
|
|
||||||
}
|
|
||||||
|
|
||||||
static inline bool
|
|
||||||
-overlap(const lm_t *lm, uint32_t start, size_t end)
|
|
||||||
+overlap(const lm_t *lm, uint32_t start, size_t end, uint32_t hard_limit)
|
|
||||||
{
|
|
||||||
+ /* Make sure the data fits the available area in the gap. */
|
|
||||||
+ if (end > hard_limit)
|
|
||||||
+ return true;
|
|
||||||
+
|
|
||||||
for (int i = 0; i < LUKS_NSLOTS; i++) {
|
|
||||||
const lm_slot_t *s = &lm->slots[i];
|
|
||||||
uint32_t e = s->offset + s->length;
|
|
||||||
@@ -90,8 +94,13 @@ find_gap(const lm_t *lm, uint32_t length, size_t size)
|
|
||||||
{
|
|
||||||
size = ALIGN(size, true);
|
|
||||||
|
|
||||||
+ /* Make sure the data is not larger than the total available
|
|
||||||
+ * area in the gap. */
|
|
||||||
+ if (length < size)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
for (uint32_t off = ALIGN(1, true); off < length; off += ALIGN(1, true)) {
|
|
||||||
- if (!overlap(lm, off, off + size))
|
|
||||||
+ if (!overlap(lm, off, off + size, lm->slots[0].offset + length))
|
|
||||||
return off;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/test-luksmeta b/test-luksmeta
|
|
||||||
index f1e8b2e..884a33a 100755
|
|
||||||
--- a/test-luksmeta
|
|
||||||
+++ b/test-luksmeta
|
|
||||||
@@ -3,9 +3,12 @@
|
|
||||||
trap 'exit' ERR
|
|
||||||
|
|
||||||
export tmp=`mktemp /tmp/luksmeta.XXXXXXXXXX`
|
|
||||||
+export tmpdata=`mktemp /tmp/luksmeta.XXXXXXXXXX`
|
|
||||||
+
|
|
||||||
|
|
||||||
function onexit() {
|
|
||||||
rm -f $tmp
|
|
||||||
+ rm -f "${tmpdata}"
|
|
||||||
}
|
|
||||||
|
|
||||||
trap 'onexit' EXIT
|
|
||||||
@@ -50,3 +53,16 @@ echo hi | ./luksmeta save -s 0 -u 23149359-1b61-4803-b818-774ab730fbec -d $tmp
|
|
||||||
test "`./luksmeta load -s 0 -d $tmp`" == "hi"
|
|
||||||
./luksmeta init -n -f -d $tmp
|
|
||||||
! ./luksmeta load -s 0 -d $tmp
|
|
||||||
+
|
|
||||||
+# CVE-2025-11568 - test attempt to store extremely large amount of data in a slot.
|
|
||||||
+./luksmeta init -f -d "${tmp}"
|
|
||||||
+dd bs=1024k count=1 </dev/zero >"${tmpdata}"
|
|
||||||
+! ./luksmeta save -s 1 -u 23149359-1b61-4803-b818-774ab730fbec -d "${tmp}" < "${tmpdata}"
|
|
||||||
+
|
|
||||||
+# Additional test for CVE-2025-11568 boundary conditions.
|
|
||||||
+# Verify overflow protection with multiple existing slots at various offsets.
|
|
||||||
+./luksmeta init -f -d "${tmp}"
|
|
||||||
+echo "a" | ./luksmeta save -s 0 -u 11111111-1111-1111-1111-111111111111 -d "${tmp}"
|
|
||||||
+echo "b" | ./luksmeta save -s 1 -u 22222222-2222-2222-2222-222222222222 -d "${tmp}"
|
|
||||||
+dd bs=1024 count=900 </dev/zero >"${tmpdata}"
|
|
||||||
+! ./luksmeta save -s 2 -u 33333333-3333-3333-3333-333333333333 -d "${tmp}" < "${tmpdata}"
|
|
||||||
--
|
|
||||||
2.43.7
|
|
||||||
|
|
||||||
@ -1,6 +1,6 @@
|
|||||||
Name: luksmeta
|
Name: luksmeta
|
||||||
Version: 9
|
Version: 9
|
||||||
Release: 4%{?dist}.1
|
Release: 4%{?dist}
|
||||||
Summary: Utility for storing small metadata in the LUKSv1 header
|
Summary: Utility for storing small metadata in the LUKSv1 header
|
||||||
|
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
@ -9,12 +9,10 @@ Source0: https://github.com/latchset/%{name}/releases/download/v%{version
|
|||||||
Patch0: luksmeta-9-tests.patch
|
Patch0: luksmeta-9-tests.patch
|
||||||
Patch1: Relax-content-tests-in-test-suite.patch
|
Patch1: Relax-content-tests-in-test-suite.patch
|
||||||
Patch2: 0001-Define-log-callback-function-to-use-with-libcryptset.patch
|
Patch2: 0001-Define-log-callback-function-to-use-with-libcryptset.patch
|
||||||
Patch3: 0002-Fix-handling-of-large-metadata.patch
|
|
||||||
|
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: asciidoc
|
BuildRequires: asciidoc
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
BuildRequires: cryptsetup
|
|
||||||
BuildRequires: cryptsetup-devel
|
BuildRequires: cryptsetup-devel
|
||||||
Requires: lib%{name}%{?_isa} = %{version}-%{release}
|
Requires: lib%{name}%{?_isa} = %{version}-%{release}
|
||||||
|
|
||||||
@ -69,10 +67,6 @@ make %{?_smp_mflags} check
|
|||||||
%{_libdir}/pkgconfig/luksmeta.pc
|
%{_libdir}/pkgconfig/luksmeta.pc
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Fri Nov 28 2025 Sergio Correia <scorreia@redhat.com> - 9-4.1
|
|
||||||
- Fix handling of large metadata
|
|
||||||
Resolves: RHEL-122138
|
|
||||||
|
|
||||||
* Sat Nov 30 2019 Sergio Correia <scorreia@redhat.com> - 9-4
|
* Sat Nov 30 2019 Sergio Correia <scorreia@redhat.com> - 9-4
|
||||||
- LUKSMeta now sets error level from libcryptsetup to CRYPT_LOG_ERROR, and
|
- LUKSMeta now sets error level from libcryptsetup to CRYPT_LOG_ERROR, and
|
||||||
this output is logged to stderr
|
this output is logged to stderr
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user