
Commit 9fd4520

committed
Also validates secondary header
1 parent bd8d50e commit 9fd4520


1 file changed

+19
-7
lines changed


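--- a/dstack-util/src/system_setup.rs
+++ b/dstack-util/src/system_setup.rs
@@ -512,7 +512,7 @@ impl<'a> Stage0<'a> {
 .context("Failed to load LUKS2 header")?;
 
 let hdr_file = fs::File::open(&in_mem_hdr).context("Failed to open LUKS2 header")?;
-validate_luks2_header(hdr_file).context("Failed to validate LUKS2 header")?;
+validate_luks2_headers(hdr_file).context("Failed to validate LUKS2 header")?;
 
 cmd! {
 info "Opening the device";
@@ -975,7 +975,13 @@ macro_rules! const_pad {
 
 const PAYLOAD_OFFSET: u64 = 16777216;
 
-fn validate_luks2_header(mut reader: impl std::io::Read) -> Result<()> {
+fn validate_luks2_headers(mut reader: impl std::io::Read) -> Result<()> {
+validate_single_luks2_header(&mut reader, 0)?;
+validate_single_luks2_header(&mut reader, 1)?;
+Ok(())
+}
+
+fn validate_single_luks2_header(mut reader: impl std::io::Read, hdr_ind: u64) -> Result<()> {
 let mut hdr_data = vec![0; 4096];
 reader
 .read_exact(&mut hdr_data)
@@ -997,8 +1003,14 @@ fn validate_luks2_header(mut reader: impl std::io::Read) -> Result<()> {
 ..
 } = header;
 
-if magic != [76, 85, 75, 83, 186, 190] {
-bail!("Invalid LUKS magic: {:?}", magic);
+if hdr_ind == 0 {
+if magic != [76, 85, 75, 83, 186, 190] {
+bail!("Invalid LUKS magic: {:?}", magic);
+}
+} else {
+if magic != [83, 75, 85, 76, 186, 190] {
+bail!("Invalid LUKS magic: {:?}", magic);
+}
 }
 if version != 2 {
 bail!("Invalid LUKS version: {version}");
@@ -1012,7 +1024,7 @@ fn validate_luks2_header(mut reader: impl std::io::Read) -> Result<()> {
 if subsystem != [0; 48] {
 bail!("Invalid LUKS subsystem");
 }
-if hdr_offset != 0 {
+if hdr_offset != hdr_ind * hdr_size {
 bail!("Invalid LUKS header offset: {hdr_offset}");
 }
 if hdr_size < 4096 || hdr_size > 1024 * 1024 * 16 {
@@ -1169,9 +1181,9 @@ fn validate_luks2_header(mut reader: impl std::io::Read) -> Result<()> {
 #[test]
 fn test_validate_luks2_header() {
 let header_data = include_bytes!("../tests/fixtures/luks_header_good").to_vec();
-validate_luks2_header(&mut &header_data[..]).expect("Failed to validate LUKS2 header");
+validate_luks2_headers(&mut &header_data[..]).expect("Failed to validate LUKS2 header");
 let header_data = include_bytes!("../tests/fixtures/luks_header_cipher_null").to_vec();
-let error = validate_luks2_header(&mut &header_data[..]).unwrap_err();
+let error = validate_luks2_headers(&mut &header_data[..]).unwrap_err();
 assert!(error
 .to_string()
 .contains("Invalid LUKS keyslot encryption"));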
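Review bot: The new offset check in `validate_single_luks2_header`, `if hdr_offset != hdr_ind * hdr_size`, compares the field against the `hdr_size` read from the same untrusted header, so for `hdr_ind == 1` it only shows the secondary header is self-consistent, not that it sits where the primary header says it should. Nothing visible in these hunks ties the second header's `hdr_size` to the first's, or to the reader's actual position, which depends on how many bytes the first call consumes (that part of the body is outside the hunks). Consider having the first call return its validated `hdr_size` and rejecting a secondary header that disagrees, e.g. `if hdr_size != primary_hdr_size { bail!("LUKS header size mismatch"); }`, with the offset compared against that trusted value. The test hunk only re-runs the existing fixtures under the new name; a fixture whose primary header is good but whose secondary header carries a wrong magic or a rejected keyslot configuration would pin the behaviour this commit adds.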
