1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Ioctl to read verity metadata 4 * 5 * Copyright 2021 Google LLC 6 */ 7 8 #include "fsverity_private.h" 9 10 #include <linux/backing-dev.h> 11 #include <linux/highmem.h> 12 #include <linux/sched/signal.h> 13 #include <linux/uaccess.h> 14 15 static int fsverity_read_merkle_tree(struct inode *inode, 16 const struct fsverity_info *vi, 17 void __user *buf, u64 offset, int length) 18 { 19 const struct fsverity_operations *vops = inode->i_sb->s_vop; 20 u64 end_offset; 21 unsigned int offs_in_page; 22 pgoff_t index, last_index; 23 int retval = 0; 24 int err = 0; 25 26 end_offset = min(offset + length, vi->tree_params.tree_size); 27 if (offset >= end_offset) 28 return 0; 29 offs_in_page = offset_in_page(offset); 30 last_index = (end_offset - 1) >> PAGE_SHIFT; 31 32 /* 33 * Iterate through each Merkle tree page in the requested range and copy 34 * the requested portion to userspace. Note that the Merkle tree block 35 * size isn't important here, as we are returning a byte stream; i.e., 36 * we can just work with pages even if the tree block size != PAGE_SIZE. 37 */ 38 for (index = offset >> PAGE_SHIFT; index <= last_index; index++) { 39 unsigned long num_ra_pages = 40 min_t(unsigned long, last_index - index + 1, 41 inode->i_sb->s_bdi->io_pages); 42 unsigned int bytes_to_copy = min_t(u64, end_offset - offset, 43 PAGE_SIZE - offs_in_page); 44 struct page *page; 45 const void *virt; 46 47 page = vops->read_merkle_tree_page(inode, index, num_ra_pages); 48 if (IS_ERR(page)) { 49 err = PTR_ERR(page); 50 fsverity_err(inode, 51 "Error %d reading Merkle tree page %lu", 52 err, index); 53 break; 54 } 55 56 virt = kmap(page); 57 if (copy_to_user(buf, virt + offs_in_page, bytes_to_copy)) { 58 kunmap(page); 59 put_page(page); 60 err = -EFAULT; 61 break; 62 } 63 kunmap(page); 64 put_page(page); 65 66 retval += bytes_to_copy; 67 buf += bytes_to_copy; 68 offset += bytes_to_copy; 69 70 if (fatal_signal_pending(current)) { 71 err = -EINTR; 72 break; 73 } 74 cond_resched(); 75 offs_in_page = 0; 76 } 77 return retval ? retval : err; 78 } 79 80 /* Copy the requested portion of the buffer to userspace. */ 81 static int fsverity_read_buffer(void __user *dst, u64 offset, int length, 82 const void *src, size_t src_length) 83 { 84 if (offset >= src_length) 85 return 0; 86 src += offset; 87 src_length -= offset; 88 89 length = min_t(size_t, length, src_length); 90 91 if (copy_to_user(dst, src, length)) 92 return -EFAULT; 93 94 return length; 95 } 96 97 static int fsverity_read_descriptor(struct inode *inode, 98 void __user *buf, u64 offset, int length) 99 { 100 struct fsverity_descriptor *desc; 101 size_t desc_size; 102 int res; 103 104 res = fsverity_get_descriptor(inode, &desc, &desc_size); 105 if (res) 106 return res; 107 108 /* don't include the signature */ 109 desc_size = offsetof(struct fsverity_descriptor, signature); 110 desc->sig_size = 0; 111 112 res = fsverity_read_buffer(buf, offset, length, desc, desc_size); 113 114 kfree(desc); 115 return res; 116 } 117 118 static int fsverity_read_signature(struct inode *inode, 119 void __user *buf, u64 offset, int length) 120 { 121 struct fsverity_descriptor *desc; 122 size_t desc_size; 123 int res; 124 125 res = fsverity_get_descriptor(inode, &desc, &desc_size); 126 if (res) 127 return res; 128 129 if (desc->sig_size == 0) { 130 res = -ENODATA; 131 goto out; 132 } 133 134 /* 135 * Include only the signature. Note that fsverity_get_descriptor() 136 * already verified that sig_size is in-bounds. 137 */ 138 res = fsverity_read_buffer(buf, offset, length, desc->signature, 139 le32_to_cpu(desc->sig_size)); 140 out: 141 kfree(desc); 142 return res; 143 } 144 145 /** 146 * fsverity_ioctl_read_metadata() - read verity metadata from a file 147 * @filp: file to read the metadata from 148 * @uarg: user pointer to fsverity_read_metadata_arg 149 * 150 * Return: length read on success, 0 on EOF, -errno on failure 151 */ 152 int fsverity_ioctl_read_metadata(struct file *filp, const void __user *uarg) 153 { 154 struct inode *inode = file_inode(filp); 155 const struct fsverity_info *vi; 156 struct fsverity_read_metadata_arg arg; 157 int length; 158 void __user *buf; 159 160 vi = fsverity_get_info(inode); 161 if (!vi) 162 return -ENODATA; /* not a verity file */ 163 /* 164 * Note that we don't have to explicitly check that the file is open for 165 * reading, since verity files can only be opened for reading. 166 */ 167 168 if (copy_from_user(&arg, uarg, sizeof(arg))) 169 return -EFAULT; 170 171 if (arg.__reserved) 172 return -EINVAL; 173 174 /* offset + length must not overflow. */ 175 if (arg.offset + arg.length < arg.offset) 176 return -EINVAL; 177 178 /* Ensure that the return value will fit in INT_MAX. */ 179 length = min_t(u64, arg.length, INT_MAX); 180 181 buf = u64_to_user_ptr(arg.buf_ptr); 182 183 switch (arg.metadata_type) { 184 case FS_VERITY_METADATA_TYPE_MERKLE_TREE: 185 return fsverity_read_merkle_tree(inode, vi, buf, arg.offset, 186 length); 187 case FS_VERITY_METADATA_TYPE_DESCRIPTOR: 188 return fsverity_read_descriptor(inode, buf, arg.offset, length); 189 case FS_VERITY_METADATA_TYPE_SIGNATURE: 190 return fsverity_read_signature(inode, buf, arg.offset, length); 191 default: 192 return -EINVAL; 193 } 194 } 195 EXPORT_SYMBOL_GPL(fsverity_ioctl_read_metadata); 196