|
|
@@ -0,0 +1,82 @@
|
|
|
+Subject: Fix handling of large metadata
|
|
|
+ID: CVE-2025-11568
|
|
|
+Origin: upstream, commit v9-9-g0179988 <https://github.com/latchset/luksmeta/commit/v9-9-g0179988>
|
|
|
+Author: Sergio Correia <scorreia@redhat.com>
|
|
|
+Date: Wed Oct 22 15:58:01 2025 +0100
|
|
|
+Bug-Debian: https://bugs.debian.org/111828
|
|
|
+
|
|
|
+ Prevent metadata from being written beyond the gap between the LUKS
|
|
|
+ header and encrypted data. The overflow check now correctly validates
|
|
|
+ that the end position of new metadata does not exceed the hard limit,
|
|
|
+ preventing corruption of encrypted data.
|
|
|
+
|
|
|
+ Also add upfront size validation to reject metadata larger than the
|
|
|
+ total available space.
|
|
|
+
|
|
|
+ Fix: CVE-2025-11568
|
|
|
+
|
|
|
+ Signed-off-by: Sergio Correia <scorreia@redhat.com>
|
|
|
+
|
|
|
+--- a/libluksmeta.c
|
|
|
++++ b/libluksmeta.c
|
|
|
+@@ -69,8 +69,12 @@
|
|
|
+ }
|
|
|
+
|
|
|
+ static inline bool
|
|
|
+-overlap(const lm_t *lm, uint32_t start, size_t end)
|
|
|
++overlap(const lm_t *lm, uint32_t start, size_t end, uint32_t hard_limit)
|
|
|
+ {
|
|
|
++ /* Make sure the data fits the available area in the gap. */
|
|
|
++ if (end > hard_limit)
|
|
|
++ return true;
|
|
|
++
|
|
|
+ for (int i = 0; i < LUKS_NSLOTS; i++) {
|
|
|
+ const lm_slot_t *s = &lm->slots[i];
|
|
|
+ uint32_t e = s->offset + s->length;
|
|
|
+@@ -90,8 +94,13 @@
|
|
|
+ {
|
|
|
+ size = ALIGN(size, true);
|
|
|
+
|
|
|
++ /* Make sure the data is not larger than the total available
|
|
|
++ * area in the gap. */
|
|
|
++ if (length < size)
|
|
|
++ return 0;
|
|
|
++
|
|
|
+ for (uint32_t off = ALIGN(1, true); off < length; off += ALIGN(1, true)) {
|
|
|
+- if (!overlap(lm, off, off + size))
|
|
|
++ if (!overlap(lm, off, off + size, lm->slots[0].offset + length))
|
|
|
+ return off;
|
|
|
+ }
|
|
|
+
|
|
|
+--- a/test-luksmeta
|
|
|
++++ b/test-luksmeta
|
|
|
+@@ -3,9 +3,12 @@
|
|
|
+ trap 'exit' ERR
|
|
|
+
|
|
|
+ export tmp=`mktemp /tmp/luksmeta.XXXXXXXXXX`
|
|
|
++export tmpdata=`mktemp /tmp/luksmeta.XXXXXXXXXX`
|
|
|
++
|
|
|
+
|
|
|
+ function onexit() {
|
|
|
+ rm -f $tmp
|
|
|
++ rm -f "${tmpdata}"
|
|
|
+ }
|
|
|
+
|
|
|
+ trap 'onexit' EXIT
|
|
|
+@@ -56,3 +59,16 @@
|
|
|
+ test "`./luksmeta load -s 0 -d $tmp`" == "hi"
|
|
|
+ ./luksmeta init -n -f -d $tmp
|
|
|
+ ! ./luksmeta load -s 0 -d $tmp
|
|
|
++
|
|
|
++# CVE-2025-11568 - test attempt to store extremely large amount of data in a slot.
|
|
|
++./luksmeta init -f -d "${tmp}"
|
|
|
++dd bs=1024k count=1 </dev/zero >"${tmpdata}"
|
|
|
++! ./luksmeta save -s 1 -u 23149359-1b61-4803-b818-774ab730fbec -d "${tmp}" < "${tmpdata}"
|
|
|
++
|
|
|
++# Additional test for CVE-2025-11568 boundary conditions.
|
|
|
++# Verify overflow protection with multiple existing slots at various offsets.
|
|
|
++./luksmeta init -f -d "${tmp}"
|
|
|
++echo "a" | ./luksmeta save -s 0 -u 11111111-1111-1111-1111-111111111111 -d "${tmp}"
|
|
|
++echo "b" | ./luksmeta save -s 1 -u 22222222-2222-2222-2222-222222222222 -d "${tmp}"
|
|
|
++dd bs=1024 count=900 </dev/zero >"${tmpdata}"
|
|
|
++! ./luksmeta save -s 2 -u 33333333-3333-3333-3333-333333333333 -d "${tmp}" < "${tmpdata}"
|
Christoph Biedl