From be36160eaef8aced45adaefa9254989c4da21443 Mon Sep 17 00:00:00 2001 From: yeyuning Date: Sat, 27 Jul 2024 12:48:50 +0800 Subject: [PATCH 1/2] =?UTF-8?q?=E4=B8=8D=E8=A7=A3=E5=8E=8B=20Signed-off-by?= =?UTF-8?q?:=20fundavid=20?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- fs/verity/enable.c | 13 ++++++++++--- include/linux/code_sign.h | 5 +++-- include/uapi/linux/fsverity.h | 5 ++++- 3 files changed, 17 insertions(+), 6 deletions(-) diff --git a/fs/verity/enable.c b/fs/verity/enable.c index ae6ddcea001c..078d2fde21e4 100644 --- a/fs/verity/enable.c +++ b/fs/verity/enable.c @@ -281,6 +281,11 @@ int fsverity_enable_with_descriptor(struct file *filp, struct fsverity_info *vi; int err; + if (vops == NULL) { + fsverity_err(inode, "current filesystem doesn't support fs-verity."); + return -ENOTTY; + } + /* Prepare the Merkle tree parameters */ err = fsverity_init_merkle_tree_params(¶ms, inode, desc->hash_algorithm, @@ -564,6 +569,8 @@ static int code_sign_init_descriptor(struct inode *inode, desc->data_size = cpu_to_le64(arg->data_size); desc->tree_offset = cpu_to_le64(arg->tree_offset); desc->cs_version = arg->cs_version; + desc->pgtypeinfo_size = cpu_to_le32(arg->pgtypeinfo_size); + desc->pgtypeinfo_off = cpu_to_le64(arg->pgtypeinfo_off); /* Get root hash if a Merkle tree carried in file */ if (!IS_INSIDE_TREE(desc)) @@ -605,9 +612,6 @@ int fsverity_ioctl_enable_code_sign(struct file *filp, const void __user *uarg) if (arg.version != 1) return -EINVAL; - if (arg.cs_version != 1) - return -EINVAL; - if (arg.__reserved1 || memchr_inv(arg.__reserved2, 0, sizeof(arg.__reserved2))) return -EINVAL; @@ -626,6 +630,9 @@ int fsverity_ioctl_enable_code_sign(struct file *filp, const void __user *uarg) if (arg.sig_size > FS_VERITY_MAX_SIGNATURE_SIZE) return -EMSGSIZE; + + if (arg.pgtypeinfo_off > arg.data_size - arg.pgtypeinfo_size) + return -EINVAL; return check_file_and_enable_verity(filp, (struct fsverity_enable_arg *)&arg); } diff --git a/include/linux/code_sign.h b/include/linux/code_sign.h index f1d9ab91aa81..0e4f55742288 100644 --- a/include/linux/code_sign.h +++ b/include/linux/code_sign.h @@ -23,9 +23,10 @@ struct code_sign_descriptor { __u8 root_hash[64]; /* Merkle tree root hash */ __u8 salt[32]; /* salt prepended to each hashed block */ __u32 flags; - __u32 __reserved1; /* must be 0 */ + __u32 pgtypeinfo_size; /* size of page type info (in number of btis) */ __u64 tree_offset; /* merkle tree offset in file */ - __u8 __reserved2[127]; /* must be 0's */ + __u64 pgtypeinfo_off; /* offset of page type info */ + __u8 __reserved2[119]; /* must be 0's */ __u8 cs_version; /* code sign version */ __u8 signature[]; /* optional PKCS#7 signature */ }; diff --git a/include/uapi/linux/fsverity.h b/include/uapi/linux/fsverity.h index ae44df1b1d17..b5a820ad13c0 100644 --- a/include/uapi/linux/fsverity.h +++ b/include/uapi/linux/fsverity.h @@ -46,7 +46,10 @@ struct code_sign_enable_arg { __u32 sig_size; __u32 __reserved1; __u64 sig_ptr; - __u64 __reserved2[7]; + __u64 __reserved2[5]; + __u32 __reserved3; + __u32 pgtypeinfo_size; + __u64 pgtypeinfo_off; __u64 tree_offset; __u64 root_hash_ptr; __u64 data_size; -- Gitee From e113e1dbe3bd22b4c4044124876cb81824994be7 Mon Sep 17 00:00:00 2001 From: yeyuning Date: Mon, 19 Aug 2024 16:26:05 +0800 Subject: [PATCH 2/2] check pgtpeinfo off Signed-off-by: fundavid --- fs/verity/enable.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fs/verity/enable.c b/fs/verity/enable.c index 078d2fde21e4..4412f3f1b296 100644 --- a/fs/verity/enable.c +++ b/fs/verity/enable.c @@ -630,8 +630,9 @@ int fsverity_ioctl_enable_code_sign(struct file *filp, const void __user *uarg) if (arg.sig_size > FS_VERITY_MAX_SIGNATURE_SIZE) return -EMSGSIZE; - - if (arg.pgtypeinfo_off > arg.data_size - arg.pgtypeinfo_size) + + // when calc pgtypeinfo_size trans bit size to byte size + if (arg.pgtypeinfo_off > arg.data_size - arg.pgtypeinfo_size / 8) return -EINVAL; return check_file_and_enable_verity(filp, (struct fsverity_enable_arg *)&arg); -- Gitee