git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
dm-integrity: check mac_size against HASH_MAX_DIGESTSIZE in sb_mac()
author Eric Biggers <ebiggers@google.com>
Tue, 10 Sep 2024 17:52:59 +0000 (10:52 -0700)
committer Mikulas Patocka <mpatocka@redhat.com>
Wed, 11 Sep 2024 12:04:41 +0000 (14:04 +0200)
sb_mac() verifies that the superblock + MAC don't exceed 512 bytes.
Because the superblock is currently 64 bytes, this really verifies
mac_size <= 448.  This confuses smatch into thinking that mac_size may
be as large as 448, which is inconsistent with the later code that
assumes the MAC fits in a buffer of size HASH_MAX_DIGESTSIZE (64).

In fact mac_size <= HASH_MAX_DIGESTSIZE is guaranteed by the crypto API,
as that is the whole point of HASH_MAX_DIGESTSIZE.  But, let's be
defensive and explicitly check for this.  This suppresses the false
positive smatch warning.  It does not fix an actual bug.

Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/202409061401.44rtN1bh-lkp@intel.com/
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
drivers/md/dm-integrity.c

index c40df05e05211dba50e2e42d599b1ee399aa0bd0..42c9dc2ee0c068541e11c4f654c9990a776de3d7 100644 (file)
@@ -494,7 +494,8 @@ static int sb_mac(struct dm_integrity_c *ic, bool wr)
        __u8 *sb = (__u8 *)ic->sb;
        __u8 *mac = sb + (1 << SECTOR_SHIFT) - mac_size;
 
-       if (sizeof(struct superblock) + mac_size > 1 << SECTOR_SHIFT) {
+       if (sizeof(struct superblock) + mac_size > 1 << SECTOR_SHIFT ||
+           mac_size > HASH_MAX_DIGESTSIZE) {
                dm_integrity_io_error(ic, "digest is too long", -EINVAL);
                return -EINVAL;
        }
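
Review bot: the added `mac_size > HASH_MAX_DIGESTSIZE` clause has no comment saying it is a defensive bound that the crypto API already guarantees, so a later reader could take it for a reachable error path or drop it as redundant with the sector-size test next to it. A one-line comment above the `if`, noting that the code further down assumes the MAC fits in a HASH_MAX_DIGESTSIZE buffer, would record why both conditions are kept. Both conditions also report the same "digest is too long" message, so the log cannot tell which limit was exceeded; if that distinction matters, name the limit in the message or split the test.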