cbiedl
/
luksmeta


			
				
					
						
						
							12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182
							Subject: Fix handling of large metadata
ID: CVE-2025-11568
Origin: upstream, commit v9-9-g0179988 <https://github.com/latchset/luksmeta/commit/v9-9-g0179988>
Author: Sergio Correia <scorreia@redhat.com>
Date: Wed Oct 22 15:58:01 2025 +0100
Bug-Debian: https://bugs.debian.org/111828

    Prevent metadata from being written beyond the gap between the LUKS
    header and encrypted data. The overflow check now correctly validates
    that the end position of new metadata does not exceed the hard limit,
    preventing corruption of encrypted data.

    Also add upfront size validation to reject metadata larger than the
    total available space.

    Fix: CVE-2025-11568

    Signed-off-by: Sergio Correia <scorreia@redhat.com>

--- a/libluksmeta.c
+++ b/libluksmeta.c
@@ -69,8 +69,12 @@
 }
 
 static inline bool
-overlap(const lm_t *lm, uint32_t start, size_t end)
+overlap(const lm_t *lm, uint32_t start, size_t end, uint32_t hard_limit)
 {
+    /* Make sure the data fits the available area in the gap. */
+    if (end > hard_limit)
+        return true;
+
     for (int i = 0; i < LUKS_NSLOTS; i++) {
         const lm_slot_t *s = &lm->slots[i];
         uint32_t e = s->offset + s->length;
@@ -90,8 +94,13 @@
 {
     size = ALIGN(size, true);
 
+    /* Make sure the data is not larger than the total available
+     * area in the gap. */
+    if (length < size)
+        return 0;
+
     for (uint32_t off = ALIGN(1, true); off < length; off += ALIGN(1, true)) {
-        if (!overlap(lm, off, off + size))
+        if (!overlap(lm, off, off + size, lm->slots[0].offset + length))
             return off;
     }
 
--- a/test-luksmeta
+++ b/test-luksmeta
@@ -3,9 +3,12 @@
 trap 'exit' ERR
 
 export tmp=`mktemp /tmp/luksmeta.XXXXXXXXXX`
+export tmpdata=`mktemp /tmp/luksmeta.XXXXXXXXXX`
+
 
 function onexit() {
     rm -f $tmp
+    rm -f "${tmpdata}"
 }
 
 trap 'onexit' EXIT
@@ -56,3 +59,16 @@
 test "`./luksmeta load -s 0 -d $tmp`" == "hi"
 ./luksmeta init -n -f -d $tmp
 ! ./luksmeta load -s 0 -d $tmp
+
+# CVE-2025-11568 - test attempt to store extremely large amount of data in a slot.
+./luksmeta init -f -d "${tmp}"
+dd bs=1024k count=1 </dev/zero >"${tmpdata}"
+! ./luksmeta save -s 1 -u 23149359-1b61-4803-b818-774ab730fbec -d "${tmp}" < "${tmpdata}"
+
+# Additional test for CVE-2025-11568 boundary conditions.
+# Verify overflow protection with multiple existing slots at various offsets.
+./luksmeta init -f -d "${tmp}"
+echo "a" | ./luksmeta save -s 0 -u 11111111-1111-1111-1111-111111111111 -d "${tmp}"
+echo "b" | ./luksmeta save -s 1 -u 22222222-2222-2222-2222-222222222222 -d "${tmp}"
+dd bs=1024 count=900 </dev/zero >"${tmpdata}"
+! ./luksmeta save -s 2 -u 33333333-3333-3333-3333-333333333333 -d "${tmp}" < "${tmpdata}"