From cace45ccf03852dfaff3ad41e2c2448d2c8d996f Mon Sep 17 00:00:00 2001
From: zhangjian <zhangjian496@huawei.com>
Date: Thu, 23 Oct 2025 09:43:47 +0800
Subject: [PATCH] fix CVE-2025-11568

(cherry picked from commit 8227ab1b68b803c0ce55adf2383f12a70c12f054)
---
 ...11568-fix-handling-of-large-metadata.patch | 91 +++++++++++++++++++
 luksmeta.spec                                 |  6 +-
 2 files changed, 96 insertions(+), 1 deletion(-)
 create mode 100644 0004-CVE-2025-11568-fix-handling-of-large-metadata.patch

diff --git a/0004-CVE-2025-11568-fix-handling-of-large-metadata.patch b/0004-CVE-2025-11568-fix-handling-of-large-metadata.patch
new file mode 100644
index 0000000..b6d9354
--- /dev/null
+++ b/0004-CVE-2025-11568-fix-handling-of-large-metadata.patch
@@ -0,0 +1,91 @@
+From 017998805ddf98a482bb02fc1d0a09343baab2ca Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Wed, 22 Oct 2025 15:58:01 +0100
+Subject: [PATCH] Fix handling of large metadata
+
+Prevent metadata from being written beyond the gap between the LUKS
+header and encrypted data. The overflow check now correctly validates
+that the end position of new metadata does not exceed the hard limit,
+preventing corruption of encrypted data.
+
+Also add upfront size validation to reject metadata larger than the
+total available space.
+
+Fix: CVE-2025-11568
+
+Signed-off-by: Sergio Correia <scorreia@redhat.com>
+---
+ libluksmeta.c | 13 +++++++++++--
+ test-luksmeta | 16 ++++++++++++++++
+ 2 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/libluksmeta.c b/libluksmeta.c
+index b653223..d2f7e42 100644
+--- a/libluksmeta.c
++++ b/libluksmeta.c
+@@ -69,8 +69,12 @@ checksum(lm_t lm)
+ }
+ 
+ static inline bool
+-overlap(const lm_t *lm, uint32_t start, size_t end)
++overlap(const lm_t *lm, uint32_t start, size_t end, uint32_t hard_limit)
+ {
++    /* Make sure the data fits the available area in the gap. */
++    if (end > hard_limit)
++        return true;
++
+     for (int i = 0; i < LUKS_NSLOTS; i++) {
+         const lm_slot_t *s = &lm->slots[i];
+         uint32_t e = s->offset + s->length;
+@@ -90,8 +94,13 @@ find_gap(const lm_t *lm, uint32_t length, size_t size)
+ {
+     size = ALIGN(size, true);
+ 
++    /* Make sure the data is not larger than the total available
++     * area in the gap. */
++    if (length < size)
++        return 0;
++
+     for (uint32_t off = ALIGN(1, true); off < length; off += ALIGN(1, true)) {
+-        if (!overlap(lm, off, off + size))
++        if (!overlap(lm, off, off + size, lm->slots[0].offset + length))
+             return off;
+     }
+ 
+diff --git a/test-luksmeta b/test-luksmeta
+index f1e8b2e..884a33a 100755
+--- a/test-luksmeta
++++ b/test-luksmeta
+@@ -3,9 +3,12 @@
+ trap 'exit' ERR
+ 
+ export tmp=`mktemp /tmp/luksmeta.XXXXXXXXXX`
++export tmpdata=`mktemp /tmp/luksmeta.XXXXXXXXXX`
++
+ 
+ function onexit() {
+     rm -f $tmp
++    rm -f "${tmpdata}"
+ }
+ 
+ trap 'onexit' EXIT
+@@ -50,3 +53,16 @@ echo hi | ./luksmeta save -s 0 -u 23149359-1b61-4803-b818-774ab730fbec -d $tmp
+ test "`./luksmeta load -s 0 -d $tmp`" == "hi"
+ ./luksmeta init -n -f -d $tmp
+ ! ./luksmeta load -s 0 -d $tmp
++
++# CVE-2025-11568 - test attempt to store extremely large amount of data in a slot.
++./luksmeta init -f -d "${tmp}"
++dd bs=1024k count=1 </dev/zero >"${tmpdata}"
++! ./luksmeta save -s 1 -u 23149359-1b61-4803-b818-774ab730fbec -d "${tmp}" < "${tmpdata}"
++
++# Additional test for CVE-2025-11568 boundary conditions.
++# Verify overflow protection with multiple existing slots at various offsets.
++./luksmeta init -f -d "${tmp}"
++echo "a" | ./luksmeta save -s 0 -u 11111111-1111-1111-1111-111111111111 -d "${tmp}"
++echo "b" | ./luksmeta save -s 1 -u 22222222-2222-2222-2222-222222222222 -d "${tmp}"
++dd bs=1024 count=900 </dev/zero >"${tmpdata}"
++! ./luksmeta save -s 2 -u 33333333-3333-3333-3333-333333333333 -d "${tmp}" < "${tmpdata}"
+-- 
+2.33.0
+
diff --git a/luksmeta.spec b/luksmeta.spec
index 100c2fd..80a9c68 100644
--- a/luksmeta.spec
+++ b/luksmeta.spec
@@ -1,6 +1,6 @@
 Name:           luksmeta
 Version:        9
-Release:        6
+Release:        7
 Summary:        LUKSMeta is a simple library for storing metadata in the LUKSv1 header
 License:        LGPLv2+
 URL:            https://github.com/latchset/%{name}
@@ -9,6 +9,7 @@ Source0:        https://github.com/latchset/%{name}/releases/download/v%{version
 Patch1:         0001-Relax-content-tests-in-test-suite.patch
 Patch2:         0002-Force-creation-of-LUKS1-containers-in-test-suite.patch
 Patch3:         0003-Define-log-callback-function-to-use-with-libcryptset.patch
+Patch4:         0004-CVE-2025-11568-fix-handling-of-large-metadata.patch
 
 BuildRequires:  gcc asciidoc pkgconfig
 BuildRequires:  cryptsetup-devel 
@@ -72,6 +73,9 @@ make %{?_smp_mflags} check
 
 
 %changelog
+* Mon Nov 3 2025 zhangjian <zhangjian496@huawei.com> - 9-7
+- fix CVE-2025-11568
+
 * Thu Oct 16 2025 zhangyaqi <zhangyaqi@kylinos.cn> - 9-6
 - Remove the percent sign in the changelog
 
-- 
Gitee