1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Ioctl to read verity metadata 4 * 5 * Copyright 2021 Google LLC 6 */ 7 8 #include "fsverity_private.h" 9 10 #include <linux/backing-dev.h> 11 #include <linux/highmem.h> 12 #include <linux/sched/signal.h> 13 #include <linux/uaccess.h> 14 15 static int fsverity_read_merkle_tree(struct inode *inode, 16 const struct fsverity_info *vi, 17 void __user *buf, u64 offset, int length) 18 { 19 const struct fsverity_operations *vops = inode->i_sb->s_vop; 20 u64 end_offset; 21 unsigned int offs_in_page; 22 pgoff_t index, last_index; 23 int retval = 0; 24 int err = 0; 25 26 end_offset = min(offset + length, vi->tree_params.tree_size); 27 if (offset >= end_offset) 28 return 0; 29 offs_in_page = offset_in_page(offset); 30 last_index = (end_offset - 1) >> PAGE_SHIFT; 31 32 /* 33 * Iterate through each Merkle tree page in the requested range and copy 34 * the requested portion to userspace. Note that the Merkle tree block 35 * size isn't important here, as we are returning a byte stream; i.e., 36 * we can just work with pages even if the tree block size != PAGE_SIZE. 37 */ 38 for (index = offset >> PAGE_SHIFT; index <= last_index; index++) { 39 unsigned long num_ra_pages = 40 min_t(unsigned long, last_index - index + 1, 41 inode->i_sb->s_bdi->io_pages); 42 unsigned int bytes_to_copy = min_t(u64, end_offset - offset, 43 PAGE_SIZE - offs_in_page); 44 struct page *page; 45 const void *virt; 46 47 page = vops->read_merkle_tree_page(inode, index, num_ra_pages); 48 if (IS_ERR(page)) { 49 err = PTR_ERR(page); 50 fsverity_err(inode, 51 "Error %d reading Merkle tree page %lu", 52 err, index); 53 break; 54 } 55 56 virt = kmap(page); 57 if (copy_to_user(buf, virt + offs_in_page, bytes_to_copy)) { 58 kunmap(page); 59 put_page(page); 60 err = -EFAULT; 61 break; 62 } 63 kunmap(page); 64 put_page(page); 65 66 retval += bytes_to_copy; 67 buf += bytes_to_copy; 68 offset += bytes_to_copy; 69 70 if (fatal_signal_pending(current)) { 71 err = -EINTR; 72 break; 73 } 74 cond_resched(); 75 offs_in_page = 0; 76 } 77 return retval ? retval : err; 78 } 79 80 /* Copy the requested portion of the buffer to userspace. */ 81 static int fsverity_read_buffer(void __user *dst, u64 offset, int length, 82 const void *src, size_t src_length) 83 { 84 if (offset >= src_length) 85 return 0; 86 src += offset; 87 src_length -= offset; 88 89 length = min_t(size_t, length, src_length); 90 91 if (copy_to_user(dst, src, length)) 92 return -EFAULT; 93 94 return length; 95 } 96 97 static int fsverity_read_descriptor(struct inode *inode, 98 void __user *buf, u64 offset, int length) 99 { 100 struct fsverity_descriptor *desc; 101 size_t desc_size; 102 int res; 103 104 res = fsverity_get_descriptor(inode, &desc); 105 if (res) 106 return res; 107 108 /* don't include the signature */ 109 desc_size = offsetof(struct fsverity_descriptor, signature); 110 desc->sig_size = 0; 111 112 res = fsverity_read_buffer(buf, offset, length, desc, desc_size); 113 114 kfree(desc); 115 return res; 116 } 117 118 static int fsverity_read_signature(struct inode *inode, 119 void __user *buf, u64 offset, int length) 120 { 121 struct fsverity_descriptor *desc; 122 int res; 123 124 res = fsverity_get_descriptor(inode, &desc); 125 if (res) 126 return res; 127 128 if (desc->sig_size == 0) { 129 res = -ENODATA; 130 goto out; 131 } 132 133 /* 134 * Include only the signature. Note that fsverity_get_descriptor() 135 * already verified that sig_size is in-bounds. 136 */ 137 res = fsverity_read_buffer(buf, offset, length, desc->signature, 138 le32_to_cpu(desc->sig_size)); 139 out: 140 kfree(desc); 141 return res; 142 } 143 144 /** 145 * fsverity_ioctl_read_metadata() - read verity metadata from a file 146 * @filp: file to read the metadata from 147 * @uarg: user pointer to fsverity_read_metadata_arg 148 * 149 * Return: length read on success, 0 on EOF, -errno on failure 150 */ 151 int fsverity_ioctl_read_metadata(struct file *filp, const void __user *uarg) 152 { 153 struct inode *inode = file_inode(filp); 154 const struct fsverity_info *vi; 155 struct fsverity_read_metadata_arg arg; 156 int length; 157 void __user *buf; 158 159 vi = fsverity_get_info(inode); 160 if (!vi) 161 return -ENODATA; /* not a verity file */ 162 /* 163 * Note that we don't have to explicitly check that the file is open for 164 * reading, since verity files can only be opened for reading. 165 */ 166 167 if (copy_from_user(&arg, uarg, sizeof(arg))) 168 return -EFAULT; 169 170 if (arg.__reserved) 171 return -EINVAL; 172 173 /* offset + length must not overflow. */ 174 if (arg.offset + arg.length < arg.offset) 175 return -EINVAL; 176 177 /* Ensure that the return value will fit in INT_MAX. */ 178 length = min_t(u64, arg.length, INT_MAX); 179 180 buf = u64_to_user_ptr(arg.buf_ptr); 181 182 switch (arg.metadata_type) { 183 case FS_VERITY_METADATA_TYPE_MERKLE_TREE: 184 return fsverity_read_merkle_tree(inode, vi, buf, arg.offset, 185 length); 186 case FS_VERITY_METADATA_TYPE_DESCRIPTOR: 187 return fsverity_read_descriptor(inode, buf, arg.offset, length); 188 case FS_VERITY_METADATA_TYPE_SIGNATURE: 189 return fsverity_read_signature(inode, buf, arg.offset, length); 190 default: 191 return -EINVAL; 192 } 193 } 194 EXPORT_SYMBOL_GPL(fsverity_ioctl_read_metadata); 195