authorDaniel P. Berrangé2022-05-10 15:35:57 +0200
committerDaniel P. Berrangé2022-10-27 13:55:27 +0200
commit93569c373027c5c46e518e01c0c3e2d07fbb6890 (patch)
treee9b30a5a1ef84932442eedfc666e65bb31639e9f
parentcrypto: enforce that LUKS stripes is always a fixed value (diff)
crypto: enforce that key material doesn't overlap with LUKS header
We already check that key material doesn't overlap between key slots, and that it doesn't overlap with the payload. We didn't check for overlap with the LUKS header. Reviewed-by: Richard W.M. Jones <rjones@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-rw-r--r--crypto/block-luks.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/crypto/block-luks.c b/crypto/block-luks.c
index 81744e2a8e..6ef9a89ffa 100644
--- a/crypto/block-luks.c
+++ b/crypto/block-luks.c
@@ -595,6 +595,14 @@ qcrypto_block_luks_check_header(const QCryptoBlockLUKS *luks, Error **errp)
return -1;
}
+ if (start1 < DIV_ROUND_UP(sizeof(QCryptoBlockLUKSHeader),
+ QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) {
+ error_setg(errp,
+ "Keyslot %zu is overlapping with the LUKS header",
+ i);
+ return -1;
+ }
+
if (start1 + len1 > luks->header.payload_offset_sector) {
error_setg(errp,
"Keyslot %zu is overlapping with the encrypted payload",
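Review bot: The bound in the added `if (start1 < DIV_ROUND_UP(sizeof(QCryptoBlockLUKSHeader), QCRYPTO_BLOCK_LUKS_SECTOR_SIZE))` check is only right if `sizeof(QCryptoBlockLUKSHeader)` equals the on-disk header length, and nothing in this hunk shows that. A short comment above the check would record the dependency, for example `/* Header occupies the first sectors of the image; key material from an untrusted header must start after it. Relies on sizeof(QCryptoBlockLUKSHeader) matching the on-disk layout. */`. The diffstat lists only crypto/block-luks.c, so no regression test comes with the change; a unit test that gives qcrypto_block_luks_check_header() a keyslot offset inside the header sectors and expects the new error would pin the behaviour. The function body starts and continues outside this hunk, so the types of `start1` and `len1` in the following `start1 + len1` comparison cannot be confirmed from here.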