Fix bogus memory allocation if LUKS2 header size is invalid.

LUKS2 code read the whole header to buffer to verify checksum,
so malloc is called on unvalidated input size parameter.

This can cause out of memory or unintentional device reads.
(Header validation will fail later anyway - the size is unsupported.)

Just do not allow too small and too big allocations here and fail quickly.

Fixes: #683.

lib/luks2/luks2_disk_metadata.c

@@ -195,6 +195,8 @@ static int hdr_disk_sanity_check_pre(struct crypt_device *cd,
 				     size_t *hdr_json_size, int secondary,
 				     uint64_t offset)
 {
+	uint64_t hdr_size;
+
 	if (memcmp(hdr->magic, secondary ? LUKS2_MAGIC_2ND : LUKS2_MAGIC_1ST, LUKS2_MAGIC_L))
 		return -EINVAL;
 
@@ -209,19 +211,26 @@ static int hdr_disk_sanity_check_pre(struct crypt_device *cd,
 		return -EINVAL;
 	}
 
-	if (secondary && (offset != be64_to_cpu(hdr->hdr_size))) {
+	hdr_size = be64_to_cpu(hdr->hdr_size);
+
+	if (hdr_size < LUKS2_HDR_16K_LEN || hdr_size > LUKS2_HDR_OFFSET_MAX) {
+		log_dbg(cd, "LUKS2 header has bogus size 0x%04x.", (unsigned)hdr_size);
+		return -EINVAL;
+	}
+
+	if (secondary && (offset != hdr_size)) {
 		log_dbg(cd, "LUKS2 offset 0x%04x in secondary header does not match size 0x%04x.",
-			(unsigned)offset, (unsigned)be64_to_cpu(hdr->hdr_size));
+			(unsigned)offset, (unsigned)hdr_size);
 		return -EINVAL;
 	}
 
 	/* FIXME: sanity check checksum alg. */
 
 	log_dbg(cd, "LUKS2 header version %u of size %u bytes, checksum %s.",
-		(unsigned)be16_to_cpu(hdr->version), (unsigned)be64_to_cpu(hdr->hdr_size),
+		(unsigned)be16_to_cpu(hdr->version), (unsigned)hdr_size,
 		hdr->checksum_alg);
 
-	*hdr_json_size = be64_to_cpu(hdr->hdr_size) - LUKS2_HDR_BIN_LEN;
+	*hdr_json_size = hdr_size - LUKS2_HDR_BIN_LEN;
 	return 0;
 }
 
@@ -252,6 +261,9 @@ static int hdr_read_disk(struct crypt_device *cd,
 		return -EIO;
 	}
 
+	/*
+	 * hdr_json_size is validated if this call succeeds
+	 */
 	r = hdr_disk_sanity_check_pre(cd, hdr_disk, &hdr_json_size, secondary, offset);
 	if (r < 0) {
 		return r;

tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh

@@ -0,0 +1,96 @@
+#!/bin/bash
+
+. lib.sh
+
+#
+# *** Description ***
+#
+# generate primary with predefined json_size. There's only limited
+# set of values allowed as json size in config section of LUKS2
+# metadata
+#
+# secondary header is corrupted on purpose as well
+#
+
+# $1 full target dir
+# $2 full source luks2 image
+
+function prepare()
+{
+	cp $SRC_IMG $TGT_IMG
+	test -d $TMPDIR || mkdir $TMPDIR
+	read_luks2_json0 $TGT_IMG $TMPDIR/json0
+	read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
+	read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
+}
+
+function generate()
+{
+	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_1M
+
+	TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
+	TEST_MDA_SIZE_BOGUS_BYTES=$((TEST_MDA_SIZE*512*2*1024))
+	TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
+	KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
+	JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
+	JSON_SIZE=$((TEST_JSN_SIZE*512))
+	DATA_OFFSET=16777216
+
+	json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
+		   '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
+		    .config.json_size = $jsize |
+		    .segments."0".offset = $off' $TMPDIR/json0)
+	test -n "$json_str" || exit 2
+	test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
+
+	write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
+
+	write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
+	write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BOGUS_BYTES
+
+	write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
+
+	merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
+	merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
+
+	erase_checksum $TMPDIR/area0
+	chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
+	write_checksum $chks0 $TMPDIR/area0
+
+	erase_checksum $TMPDIR/area1
+	chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
+	write_checksum $chks0 $TMPDIR/area1
+
+	kill_bin_hdr $TMPDIR/area0
+
+	write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
+	write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
+}
+
+function check()
+{
+	read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE
+	local str_res0=$(head -c 6 $TMPDIR/hdr_res0)
+	test "$str_res0" = "VACUUM" || exit 2
+	read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE
+	jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
+		'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
+		    (.config.json_size != $jsize)
+		then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5
+}
+
+function cleanup()
+{
+	rm -f $TMPDIR/*
+	rm -fd $TMPDIR
+}
+
+test $# -eq 2 || exit 1
+
+TGT_IMG=$1/$(test_img_name $0)
+SRC_IMG=$2
+
+prepare
+generate
+check
+cleanup

tests/generators/generate-luks2-metadata-size-invalid.img.sh

@@ -0,0 +1,94 @@
+#!/bin/bash
+
+. lib.sh
+
+#
+# *** Description ***
+#
+# generate primary with predefined json_size. There's only limited
+# set of values allowed as json size in config section of LUKS2
+# metadata
+#
+# secondary header is corrupted on purpose as well
+#
+
+# $1 full target dir
+# $2 full source luks2 image
+
+function prepare()
+{
+	cp $SRC_IMG $TGT_IMG
+	test -d $TMPDIR || mkdir $TMPDIR
+	read_luks2_json0 $TGT_IMG $TMPDIR/json0
+	read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
+	read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
+}
+
+function generate()
+{
+	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_1M
+
+	TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
+	TEST_MDA_SIZE_BOGUS_BYTES=$((TEST_MDA_SIZE*512*2*1024))
+	TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
+	KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
+	JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
+	JSON_SIZE=$((TEST_JSN_SIZE*512))
+	DATA_OFFSET=16777216
+
+	json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
+		   '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
+		    .config.json_size = $jsize |
+		    .segments."0".offset = $off' $TMPDIR/json0)
+	test -n "$json_str" || exit 2
+	test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
+
+	write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
+
+	write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BOGUS_BYTES
+	write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BOGUS_BYTES
+
+	merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
+	merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
+
+	erase_checksum $TMPDIR/area0
+	chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
+	write_checksum $chks0 $TMPDIR/area0
+
+	erase_checksum $TMPDIR/area1
+	chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
+	write_checksum $chks0 $TMPDIR/area1
+
+	kill_bin_hdr $TMPDIR/area1
+
+	write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
+	write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
+}
+
+function check()
+{
+	read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE
+	local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
+	test "$str_res1" = "VACUUM" || exit 2
+	read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE
+	jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
+		'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
+		    (.config.json_size != $jsize)
+		then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
+}
+
+function cleanup()
+{
+	rm -f $TMPDIR/*
+	rm -fd $TMPDIR
+}
+
+test $# -eq 2 || exit 1
+
+TGT_IMG=$1/$(test_img_name $0)
+SRC_IMG=$2
+
+prepare
+generate
+check
+cleanup

tests/luks2-validation-test

@@ -229,6 +229,8 @@ RUN luks2-metadata-size-512k-secondary.img		"R" "Valid 512KiB metadata size in s
 RUN luks2-metadata-size-1m-secondary.img		"R" "Valid 1MiB metadata size in secondary hdr failed to validate"
 RUN luks2-metadata-size-2m-secondary.img		"R" "Valid 2MiB metadata size in secondary hdr failed to validate"
 RUN luks2-metadata-size-4m-secondary.img		"R" "Valid 4MiB metadata size in secondary hdr failed to validate"
+RUN luks2-metadata-size-invalid.img			"F" "Invalid metadata size in secondary hdr not rejected"
+RUN luks2-metadata-size-invalid-secondary.img		"F" "Invalid metadata size in secondary hdr not rejected"
 
 remove_mapping