[pkg-cryptsetup-devel] Bug#935702: Wrong DM device size due to integer truncation

nbf at waifu.club nbf at waifu.club
Sun Aug 25 13:43:26 BST 2019


Package: cryptsetup-bin
Version: 2:2.1.0-5
Severity: serious

Dear Maintainer,

cryptsetup in Stable contains multiple severe integer handling issues.
The created DM device's size is set incorrectly due to integer truncation.

Not only is access to the protected data lost, but integritysetup's
"open" operation actually succeeds. All reads on the incorrectly created
DM device will of course fail with I/O errors due to bad integrity tags,
but all writes will happily write wrong tags at wrong places! This makes
it very easy for the administrator to destroy the data while trying to
recover with --integrity-recovery-mode.

The issue is caused by a new set of functions "dm_*_target_set", 
introduced with cryptsetup 2:2.1.0, whose arguments use haphazardly 
chosen integer types, even though the actual types are easy to find.

For example, "uint64_t size" is temporarily stored in a size_t variable:
1) stored in lib/utils_dm.h: struct crypt_dm_active_device { uint64_t size, ... }
2) passed to lib/libdevmapper.c dm_*_target_set(..., (size_t)dmd.size, ...
3) stored in lib/utils_dm.h: struct dm_target { uint64_t size, ... }

Seeing such carelessness in core crypto software makes me very uneasy.


Best,
n.b.f.

-- Notes:
64-bit systems, whose size_t is 64-bit, are safe from this bug.
Partitions smaller than 2TiB (2^32 * 512) are safe from this bug.
Severity: grave may be appropriate due to the potential for data loss.
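
Added example, not part of the original report and not cryptsetup's code: a minimal C model of the uint64_t -> size_t -> uint64_t round trip described above, with uint32_t standing in for a 32-bit size_t. The typedef size32_t and both function names are hypothetical; the sample sizes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define SECTOR_SIZE 512u

/* Assumption: models size_t on a 32-bit system, so the effect is
 * reproducible on a 64-bit build host as well. */
typedef uint32_t size32_t;

/* Hypothetical model of the lossy path: a uint64_t sector count passed
 * through a 32-bit size_t argument and stored back into a uint64_t. */
static uint64_t size_via_32bit_size_t(uint64_t sectors)
{
    size32_t narrowed = (size32_t)sectors; /* upper 32 bits are dropped */
    return (uint64_t)narrowed;
}

/* Checked narrowing: returns 0 and stores the value if it fits,
 * -1 if the conversion would lose bits. */
static int checked_narrow(uint64_t sectors, size32_t *out)
{
    if (sectors > UINT32_MAX)
        return -1;
    *out = (size32_t)sectors;
    return 0;
}

int main(void)
{
    /* Constructed sample device sizes, in 512-byte sectors. */
    const uint64_t samples[] = {
        (1ULL << 32) - 1,           /* just under 2 TiB: preserved */
        (1ULL << 32),               /* exactly 2 TiB: truncates to 0 */
        (3ULL << 40) / SECTOR_SIZE  /* 3 TiB: truncates to 1 TiB */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t got = size_via_32bit_size_t(samples[i]);
        size32_t tmp;
        printf("%llu sectors -> %llu sectors (%s)\n",
               (unsigned long long)samples[i], (unsigned long long)got,
               checked_narrow(samples[i], &tmp) ? "rejected by check" : "fits");
    }
    return 0;
}
```

Keeping the parameter as uint64_t end to end removes the need for the check; the guard is only relevant where a narrower type cannot be avoided.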