From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 9 Sep 2021 09:38:52 +0000 (+0200)
Subject: dissect-image: insist that if a verity partition designator is specified the partitio... 
X-Git-Tag: v250-rc1~701^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1903defc2d1d0163d73f467f08b105ebb0619b40;p=thirdparty%2Fsystemd.git

dissect-image: insist that if a verity partition designator is specified the partition exists

Let's tighten our checks further.
---

diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index 9547dad808f..a540f866896 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -1401,22 +1401,28 @@ int dissect_image(
                         return -EADDRNOTAVAIL;
         }
 
-        if (verity && verity->root_hash) {
-                if (verity->designator < 0 || verity->designator == PARTITION_ROOT) {
-                        if (!m->partitions[PARTITION_ROOT_VERITY].found || !m->partitions[PARTITION_ROOT].found)
-                                return -EADDRNOTAVAIL;
+        if (verity) {
+                /* If a verity designator is specified, then insist that the matching partition exists */
+                if (verity->designator >= 0 && !m->partitions[verity->designator].found)
+                        return -EADDRNOTAVAIL;
 
-                        /* If we found a verity setup, then the root partition is necessarily read-only. */
-                        m->partitions[PARTITION_ROOT].rw = false;
-                        m->verity_ready = true;
-                }
+                if (verity->root_hash) {
+                        if (verity->designator < 0 || verity->designator == PARTITION_ROOT) {
+                                if (!m->partitions[PARTITION_ROOT_VERITY].found || !m->partitions[PARTITION_ROOT].found)
+                                        return -EADDRNOTAVAIL;
 
-                if (verity->designator == PARTITION_USR) {
-                        if (!m->partitions[PARTITION_USR_VERITY].found || !m->partitions[PARTITION_USR].found)
-                                return -EADDRNOTAVAIL;
+                                /* If we found a verity setup, then the root partition is necessarily read-only. */
+                                m->partitions[PARTITION_ROOT].rw = false;
+                                m->verity_ready = true;
+                        }
+
+                        if (verity->designator == PARTITION_USR) {
+                                if (!m->partitions[PARTITION_USR_VERITY].found || !m->partitions[PARTITION_USR].found)
+                                        return -EADDRNOTAVAIL;
 
-                        m->partitions[PARTITION_USR].rw = false;
-                        m->verity_ready = true;
+                                m->partitions[PARTITION_USR].rw = false;
+                                m->verity_ready = true;
+                        }
                 }
         }