[PATCH] fs-verity: fix signed integer overflow with i_size near S64_MAX

[PATCH] fs-verity: fix signed integer overflow with i_size near S64_MAX

[Eric Biggers]

From: Eric Biggers <ebiggers@google.com>

If the file size is almost S64_MAX, the calculated number of Merkle tree
levels exceeds FS_VERITY_MAX_LEVELS, causing FS_IOC_ENABLE_VERITY to
fail.  This is unintentional, since as the comment above the definition
of FS_VERITY_MAX_LEVELS states, it is enough for over U64_MAX bytes of
data using SHA-256 and 4K blocks.  (Specifically, 4096*128**8 >= 2**64.)

The bug is actually that when the number of blocks in the first level is
calculated from i_size, there is a signed integer overflow due to i_size
being signed.  Fix this by treating i_size is unsigned.

This was found by the new test "generic: test fs-verity EFBIG scenarios"
(https://lkml.kernel.org/r/b1d116cd4d0ea74b9cd86f349c672021e005a75c.1631558495.git.boris@bur.io).

This didn't affect ext4 or f2fs since those have a smaller maximum file
size, but it did affect btrfs which allows files up to S64_MAX bytes.

Reported-by: Boris Burkov <boris@bur.io>
Fixes: 3fda4c617e84 ("fs-verity: implement FS_IOC_ENABLE_VERITY ioctl")
Fixes: fd2d1acfcadf ("fs-verity: add the hook for file ->open()")
Cc: <stable@vger.kernel.org> # v5.4+
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 fs/verity/enable.c | 2 +-
 fs/verity/open.c   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/verity/enable.c b/fs/verity/enable.c
index 77e159a0346b1..60a4372aa4d75 100644
--- a/fs/verity/enable.c
+++ b/fs/verity/enable.c
@@ -177,7 +177,7 @@ static int build_merkle_tree(struct file *filp,
 	 * (level 0) and ascending to the root node (level 'num_levels - 1').
 	 * Then at the end (level 'num_levels'), calculate the root hash.
 	 */
-	blocks = (inode->i_size + params->block_size - 1) >>
+	blocks = ((u64)inode->i_size + params->block_size - 1) >>
 		 params->log_blocksize;
 	for (level = 0; level <= params->num_levels; level++) {
 		err = build_merkle_tree_level(filp, level, blocks, params,
diff --git a/fs/verity/open.c b/fs/verity/open.c
index 60ff8af7219fe..92df87f5fa388 100644
--- a/fs/verity/open.c
+++ b/fs/verity/open.c
@@ -89,7 +89,7 @@ int fsverity_init_merkle_tree_params(struct merkle_tree_params *params,
 	 */
 
 	/* Compute number of levels and the number of blocks in each level */
-	blocks = (inode->i_size + params->block_size - 1) >> log_blocksize;
+	blocks = ((u64)inode->i_size + params->block_size - 1) >> log_blocksize;
 	pr_debug("Data is %lld bytes (%llu blocks)\n", inode->i_size, blocks);
 	while (blocks > 1) {
 		if (params->num_levels >= FS_VERITY_MAX_LEVELS) {
-- 
2.33.0

Re: [PATCH] fs-verity: fix signed integer overflow with i_size near S64_MAX

[Boris Burkov]

On Thu, Sep 16, 2021 at 01:34:24PM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> If the file size is almost S64_MAX, the calculated number of Merkle tree
> levels exceeds FS_VERITY_MAX_LEVELS, causing FS_IOC_ENABLE_VERITY to
> fail.  This is unintentional, since as the comment above the definition
> of FS_VERITY_MAX_LEVELS states, it is enough for over U64_MAX bytes of
> data using SHA-256 and 4K blocks.  (Specifically, 4096*128**8 >= 2**64.)
> 
> The bug is actually that when the number of blocks in the first level is
> calculated from i_size, there is a signed integer overflow due to i_size
> being signed.  Fix this by treating i_size is unsigned.
> 
> This was found by the new test "generic: test fs-verity EFBIG scenarios"
> (https://lkml.kernel.org/r/b1d116cd4d0ea74b9cd86f349c672021e005a75c.1631558495.git.boris@bur.io).
> 
> This didn't affect ext4 or f2fs since those have a smaller maximum file
> size, but it did affect btrfs which allows files up to S64_MAX bytes.
> 
> Reported-by: Boris Burkov <boris@bur.io>
> Fixes: 3fda4c617e84 ("fs-verity: implement FS_IOC_ENABLE_VERITY ioctl")
> Fixes: fd2d1acfcadf ("fs-verity: add the hook for file ->open()")
> Cc: <stable@vger.kernel.org> # v5.4+
> Signed-off-by: Eric Biggers <ebiggers@google.com>

Ah good catch! I'll update the test to not work around it.

Reviewed-by: Boris Burkov <boris@bur.io>

> ---
>  fs/verity/enable.c | 2 +-
>  fs/verity/open.c   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/verity/enable.c b/fs/verity/enable.c
> index 77e159a0346b1..60a4372aa4d75 100644
> --- a/fs/verity/enable.c
> +++ b/fs/verity/enable.c
> @@ -177,7 +177,7 @@ static int build_merkle_tree(struct file *filp,
>  	 * (level 0) and ascending to the root node (level 'num_levels - 1').
>  	 * Then at the end (level 'num_levels'), calculate the root hash.
>  	 */
> -	blocks = (inode->i_size + params->block_size - 1) >>
> +	blocks = ((u64)inode->i_size + params->block_size - 1) >>
>  		 params->log_blocksize;
>  	for (level = 0; level <= params->num_levels; level++) {
>  		err = build_merkle_tree_level(filp, level, blocks, params,
> diff --git a/fs/verity/open.c b/fs/verity/open.c
> index 60ff8af7219fe..92df87f5fa388 100644
> --- a/fs/verity/open.c
> +++ b/fs/verity/open.c
> @@ -89,7 +89,7 @@ int fsverity_init_merkle_tree_params(struct merkle_tree_params *params,
>  	 */
>  
>  	/* Compute number of levels and the number of blocks in each level */
> -	blocks = (inode->i_size + params->block_size - 1) >> log_blocksize;
> +	blocks = ((u64)inode->i_size + params->block_size - 1) >> log_blocksize;
>  	pr_debug("Data is %lld bytes (%llu blocks)\n", inode->i_size, blocks);
>  	while (blocks > 1) {
>  		if (params->num_levels >= FS_VERITY_MAX_LEVELS) {
> -- 
> 2.33.0
>