From c2974dc2bf052758b4eea1f16336cee36724e9f7 Mon Sep 17 00:00:00 2001
From: lihehe
Date: Wed, 27 Sep 2023 17:57:55 +0800
Subject: [PATCH] verify data verity range in xpm
Signed-off-by: lihehe
Change-Id: I182cd07466bdbd71778763accfb6bd05a3b6ada6
---
 xpm/core/xpm_hck.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/xpm/core/xpm_hck.c b/xpm/core/xpm_hck.c
index faf8803..315640a 100644
--- a/xpm/core/xpm_hck.c
+++ b/xpm/core/xpm_hck.c
@@ -11,6 +11,7 @@
 #include
 #include
 #include
+#include
 #include "avc.h"
 #include "objsec.h"
 #include "xpm_hck.h"
@@ -73,6 +74,15 @@ static int xpm_check_code_segment(bool is_exec, struct vm_area_struct *vma,
 vm_addr_start = vma->vm_pgoff << PAGE_SHIFT;
 vm_addr_end = vm_addr_start + (vma->vm_end - vma->vm_start);
+#ifdef CONFIG_SECURITY_CODE_SIGN
+ if (exec_file_signature_is_fs_verity(info)) {
+ const struct inode *inode = (const struct inode *)info->inode;
+ if (fsverity_get_verified_data_size(inode) < vm_addr_end) {
+ goto out;
+ }
+ }
+#endif
+
 for (i = 0; i < info->code_segment_count; i++) {
 seg_addr_start = ALIGN_DOWN(segments[i].file_offset, PAGE_SIZE);
 seg_addr_end = PAGE_ALIGN(segments[i].file_offset +
@@ -81,7 +91,7 @@ static int xpm_check_code_segment(bool is_exec, struct vm_area_struct *vma,
 (vm_addr_end <= seg_addr_end))
 return 0;
 }
-
+out:
 return xpm_avc_has_perm(SECCLASS_XPM, XPM__EXEC_NO_SIGN);
 }
--
Gitee
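Review bot: The `out:` label added in the last hunk is the target only of the `goto out` that sits inside the new `#ifdef CONFIG_SECURITY_CODE_SIGN` block, so a build with that option disabled compiles a label nothing jumps to, which `-Wall` reports as `-Wunused-label` (a hard error under `-Werror`/CONFIG_WERROR). Guard the label the same way, `#ifdef CONFIG_SECURITY_CODE_SIGN` / `out:` / `#endif`, or drop the jump and `return xpm_avc_has_perm(SECCLASS_XPM, XPM__EXEC_NO_SIGN);` directly from the range-check branch so the two pieces cannot drift apart. The range check compares `fsverity_get_verified_data_size(inode)` (presumably a byte count, judging by its name) against the page-aligned `vm_addr_end`, so a mapping whose last page straddles the end of the verified range falls through to the EXEC_NO_SIGN permission check; that reads as the intended fail-closed behaviour, but a comment such as `/* fail closed: every page of the mapping, including a partial tail page, must lie inside the fs-verity verified range */` would keep a later reader from "fixing" it with PAGE_ALIGN. xpm_check_code_segment begins before this hunk; its closing brace is in the last hunk.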