From: Eric Biggers Date: Tue, 10 Sep 2024 17:52:59 +0000 (-0700) Subject: dm-integrity: check mac_size against HASH_MAX_DIGESTSIZE in sb_mac() X-Git-Tag: v6.12-rc1~30^2~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9c2010bccc0ce012f52de18ebd0c3add241f75b8;p=thirdparty%2Fkernel%2Flinux.git dm-integrity: check mac_size against HASH_MAX_DIGESTSIZE in sb_mac() sb_mac() verifies that the superblock + MAC don't exceed 512 bytes. Because the superblock is currently 64 bytes, this really verifies mac_size <= 448. This confuses smatch into thinking that mac_size may be as large as 448, which is inconsistent with the later code that assumes the MAC fits in a buffer of size HASH_MAX_DIGESTSIZE (64). In fact mac_size <= HASH_MAX_DIGESTSIZE is guaranteed by the crypto API, as that is the whole point of HASH_MAX_DIGESTSIZE. But, let's be defensive and explicitly check for this. This suppresses the false positive smatch warning. It does not fix an actual bug. Reported-by: kernel test robot Reported-by: Dan Carpenter Closes: https://lore.kernel.org/r/202409061401.44rtN1bh-lkp@intel.com/ Signed-off-by: Eric Biggers Signed-off-by: Mikulas Patocka --- diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c index c40df05e05211..42c9dc2ee0c06 100644 --- a/drivers/md/dm-integrity.c +++ b/drivers/md/dm-integrity.c @@ -494,7 +494,8 @@ static int sb_mac(struct dm_integrity_c *ic, bool wr) __u8 *sb = (__u8 *)ic->sb; __u8 *mac = sb + (1 << SECTOR_SHIFT) - mac_size; - if (sizeof(struct superblock) + mac_size > 1 << SECTOR_SHIFT) { + if (sizeof(struct superblock) + mac_size > 1 << SECTOR_SHIFT || + mac_size > HASH_MAX_DIGESTSIZE) { dm_integrity_io_error(ic, "digest is too long", -EINVAL); return -EINVAL; }