author | Eric Biggers <ebiggers@google.com> | 2022-12-23 12:36:28 -0800 |
---|---|---|
committer | Eric Biggers <ebiggers@google.com> | 2023-01-09 19:05:47 -0800 |
commit | 284d5db5f99efa9e3549eb3cba39379d48879db1 (patch) | |
tree | 992acc4d74a9accc0bdbb1f73b0b4ac2d311346e /fs/verity | |
parent | 86f66569baca98478b7ff2f49c8ee54cf3b108cd (diff) |
fsverity: use unsigned long for level_start
fs/verity/ isn't consistent with whether Merkle tree block indices are
'unsigned long' or 'u64'. There's no real point to using u64 for them,
though, since (a) a Merkle tree with over ULONG_MAX blocks would only be
needed for a file larger than MAX_LFS_FILESIZE, and (b) for reads, the
status of all Merkle tree blocks has to be tracked in memory.
Therefore, let's make things a bit more efficient on 32-bit systems by
using 'unsigned long[]' for merkle_tree_params::level_start, instead of
'u64[]'. Also, to be extra safe, explicitly check that there aren't
more than ULONG_MAX Merkle tree blocks.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Andrey Albershteyn <aalbersh@redhat.com>
Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://lore.kernel.org/r/20221223203638.41293-2-ebiggers@kernel.org
Diffstat (limited to 'fs/verity')
-rw-r--r-- | fs/verity/fsverity_private.h | 2 | ||||
-rw-r--r-- | fs/verity/open.c | 20 |
2 files changed, 16 insertions, 6 deletions
diff --git a/fs/verity/fsverity_private.h b/fs/verity/fsverity_private.h
index a16038a0ee67..e8b40c8000be 100644
--- a/fs/verity/fsverity_private.h
+++ b/fs/verity/fsverity_private.h
@@ -52,7 +52,7 @@ struct merkle_tree_params {
 * Starting block index for each tree level, ordered from leaf level (0)
 * to root level ('num_levels - 1')
 */
- u64 level_start[FS_VERITY_MAX_LEVELS];
+ unsigned long level_start[FS_VERITY_MAX_LEVELS];
 };
 /*
diff --git a/fs/verity/open.c b/fs/verity/open.c
index e0ef1a628394..83ccc3c13736 100644
--- a/fs/verity/open.c
+++ b/fs/verity/open.c
@@ -34,6 +34,7 @@ int fsverity_init_merkle_tree_params(struct merkle_tree_params *params,
 struct fsverity_hash_alg *hash_alg;
 int err;
 u64 blocks;
+ u64 blocks_in_level[FS_VERITY_MAX_LEVELS];
 u64 offset;
 int level;
@@ -94,17 +95,26 @@ int fsverity_init_merkle_tree_params(struct merkle_tree_params *params,
 }
 blocks = (blocks + params->hashes_per_block - 1) >> params->log_arity;
- /* temporarily using level_start[] to store blocks in level */
- params->level_start[params->num_levels++] = blocks;
+ blocks_in_level[params->num_levels++] = blocks;
 }
- params->level0_blocks = params->level_start[0];
+ params->level0_blocks = blocks_in_level[0];
 /* Compute the starting block of each level */
 offset = 0;
 for (level = (int)params->num_levels - 1; level >= 0; level--) {
- blocks = params->level_start[level];
 params->level_start[level] = offset;
- offset += blocks;
+ offset += blocks_in_level[level];
+ }
+
+ /*
+ * Since the data, and thus also the Merkle tree, cannot have more than
+ * ULONG_MAX pages, hash block indices can always fit in an
+ * 'unsigned long'. To be safe, explicitly check for it too.
+ */
+ if (offset > ULONG_MAX) {
+ fsverity_err(inode, "Too many blocks in Merkle tree");
+ err = -EFBIG;
+ goto out_err;
 }
 params->tree_size = offset << log_blocksize; |
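Review bot: `blocks_in_level[]` is declared without an initializer in the `@@ -34,6 +34,7 @@` hunk of fs/verity/open.c, yet the `@@ -94,17 +95,26 @@` hunk reads `blocks_in_level[0]` unconditionally once the enclosing block has closed. If that block is a loop that can run zero times (its header is outside the hunk, so this is inferred), `params->level0_blocks` receives an indeterminate stack value, whereas the old code took it from `params->level_start[0]`. Initializing the array, `u64 blocks_in_level[FS_VERITY_MAX_LEVELS] = { 0 };`, keeps the value defined in that case. The function body starts and ends outside both hunks.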
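Review bot: The `offset > ULONG_MAX` check runs only after the loop has already stored `offset` into the now-`unsigned long` `params->level_start[level]`, so on a 32-bit build those stores can truncate before the error is detected. This looks safe because `offset` only grows, so the final value bounds every stored index, and because the failure path leaves through `out_err`, whose cleanup is outside the hunk. The new comment does not state that reasoning, and a truncated hash-block index would point verification at the wrong block if the check were ever moved or dropped. I would add a line to the comment such as `* The final offset bounds every level_start[] value stored above.`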