]> git.ipfire.org Git - thirdparty/kernel/linux.git/commit
dm-verity: fix buffer overflow in FEC calculation
authorMikulas Patocka <mpatocka@redhat.com>
Wed, 1 Jul 2026 16:13:50 +0000 (18:13 +0200)
committerMikulas Patocka <mpatocka@redhat.com>
Wed, 8 Jul 2026 20:33:34 +0000 (22:33 +0200)
commit31d6e6c0ba8d5a7bd59660035a089307100c5e8e
tree341c8bbd73462f8fcf8c093b8299e23b52df0dc8
parenta868196f03c2b19418ae3d2b69e195d668a271e5
dm-verity: fix buffer overflow in FEC calculation

There's a buffer overflow in dm-verity-fec:

if (neras && *neras <= v->fec->roots)
fio->erasures[(*neras)++] = i;

This allows *neras to reach roots + 1 (the post-increment pushes it past
roots). This value is then passed as no_eras to decode_rs8(). Inside the
RS decoder (lib/reed_solomon/decode_rs.c:113-121), the erasure locator
polynomial loop writes lambda[j] where j can reach nroots + 1 — one
element past the end of lambda[] (which is sized nroots + 1, valid
indices 0..nroots). The out-of-bounds write lands on syn[0], corrupting
the syndrome buffer.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Assisted-by: Claude:claude-opus-4-6
Cc: stable@vger.kernel.org
Fixes: a739ff3f543a ("dm verity: add support for forward error correction")
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
drivers/md/dm-verity-fec.c
drivers/md/dm-verity-fec.h