crypto: validate that LUKS payload doesn't overlap with header We already validate that LUKS keyslots don't overlap with the header, or with each other. This closes the remaining hole in validation of LUKS file regions. Reviewed-by: Richard W.M. Jones <rjones@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

commit: d233fbc327d3f1f03bc30e0486b9ade3aa23f9ec [log] [tgz]
author: Daniel P. Berrangé <berrange@redhat.com> Mon Sep 05 13:50:03 2022 +0100
committer: Daniel P. Berrangé <berrange@redhat.com> Thu Oct 27 12:55:27 2022 +0100
tree: 9c53221037e0f325e26bfce8abeeaa11d4feb420
parent: 93569c373027c5c46e518e01c0c3e2d07fbb6890 [diff]
diff --git a/crypto/block-luks.c b/crypto/block-luks.c
index 6ef9a89..f22bc63 100644
--- a/crypto/block-luks.c
+++ b/crypto/block-luks.c

@@ -572,6 +572,13 @@
         return -1;
     }
 
+    if (luks->header.payload_offset_sector <
+        DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET,
+                     QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) {
+        error_setg(errp, "LUKS payload is overlapping with the header");
+        return -1;
+    }
+
     /* Check all keyslots for corruption  */
     for (i = 0 ; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; i++) {
commit	d233fbc327d3f1f03bc30e0486b9ade3aa23f9ec	[log] [tgz]
author	Daniel P. Berrangé <berrange@redhat.com>	Mon Sep 05 13:50:03 2022 +0100
committer	Daniel P. Berrangé <berrange@redhat.com>	Thu Oct 27 12:55:27 2022 +0100
tree	9c53221037e0f325e26bfce8abeeaa11d4feb420
parent	93569c373027c5c46e518e01c0c3e2d07fbb6890 [diff]