libblkid: fix integer overflow in linux_raid checksum size

The checksum size calculation uses on-disk max_dev (uint32_t) multiplied
by sizeof(dev_roles[0]).  On 32-bit systems, this overflows size_t,
resulting in a truncated buffer and checksum computed over wrong data,
potentially allowing crafted images to bypass validation.

Fix by computing in uint64_t.  Note that blkid_probe_get_buffer() has
a hardcoded 8 MiB limit, so unreasonably large (but non-overflowed)
values are still safely rejected.

Signed-off-by: Karel Zak <kzak@redhat.com>

diff --git a/libblkid/src/superblocks/linux_raid.c b/libblkid/src/superblocks/linux_raid.c
index 156b0bf488609f0bf96019ae99bfe519241df367..cc5539005da1a8b84e21119181be217d5c19b028 100644 (file)
--- a/libblkid/src/superblocks/linux_raid.c
+++ b/libblkid/src/superblocks/linux_raid.c
@@ -185,8 +185,8 @@ static int probe_raid0(blkid_probe pr, uint64_t off)
 static int raid1_verify_csum(blkid_probe pr, off_t off,
                const struct mdp1_super_block *mdp1)
 {
-       size_t csummed_size = sizeof(struct mdp1_super_block)
-               + le32_to_cpu(mdp1->max_dev) * sizeof(mdp1->dev_roles[0]);
+       uint64_t csummed_size = sizeof(struct mdp1_super_block)
+               + (uint64_t) le32_to_cpu(mdp1->max_dev) * sizeof(mdp1->dev_roles[0]);
        const unsigned char *csummed = blkid_probe_get_buffer(pr, off, csummed_size);
        if (!csummed)
                return 1;