From: TristanInSec
Date: Mon, 18 May 2026 17:30:02 +0000 (-0400)
Subject: dissect: guard against ssize_t overflow in LUKS2 header parser
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=08c281304cd6fd7bf20f5eb7aaa81c7ee4283b0c;p=thirdparty%2Fsystemd.git

dissect: guard against ssize_t overflow in LUKS2 header parser

The json_len variable is ssize_t, but the subtraction be64toh(header.hdr_len) - LUKS2_FIXED_HDR_SIZE can yield a value exceeding SSIZE_MAX when hdr_len is a large crafted value. This causes signed integer overflow and a subsequent oversized malloc() that fails with -ENOMEM, producing a misleading out-of-memory error.

Add an explicit check against SSIZE_MAX before the cast to ssize_t.
---

diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index c5bb52b2afe..3aeb254fd4d 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -446,6 +446,9 @@ static int partition_is_luks2_integrity(int part_fd, uint64_t offset, uint64_t s
 if (be64toh(header.hdr_len) <= LUKS2_FIXED_HDR_SIZE || offset > UINT64_MAX - be64toh(header.hdr_len))
 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid LUKS header length: %" PRIu64 ".", be64toh(header.hdr_len));
 
+if (be64toh(header.hdr_len) - LUKS2_FIXED_HDR_SIZE > (uint64_t) SSIZE_MAX)
+return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "LUKS header JSON area too large: %" PRIu64 ".", be64toh(header.hdr_len));
+
 json_len = be64toh(header.hdr_len) - LUKS2_FIXED_HDR_SIZE;
 json = malloc(json_len + 1);
 if (!json)
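Review bot: The new bound still admits json_len == SSIZE_MAX, for which `malloc(json_len + 1)` three lines below overflows the signed ssize_t, so the comparison should exclude the maximum as well: `if (be64toh(header.hdr_len) - LUKS2_FIXED_HDR_SIZE >= (uint64_t) SSIZE_MAX)`. Even with that, an hdr_len just under the limit still reaches malloc() with an allocation of several exabytes and fails with the same misleading -ENOMEM the commit sets out to avoid; a much tighter ceiling reflecting what a LUKS2 header may actually contain (the format defines only a small fixed set of header sizes) would reject crafted values before any allocation, though I cannot see from the hunk whether such a constant already exists in this file. Since be64toh(header.hdr_len) is now evaluated five times in this stretch, hoisting it once into a local such as `uint64_t hdr_len = be64toh(header.hdr_len);` would also make the three range checks easier to read. partition_is_luks2_integrity() begins and ends outside the hunk.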