dissect-image: insist that if a verity partition designator is specified the partition exists

Let's tighten our checks further.
author: Lennart Poettering <lennart@poettering.net> 2021-09-09 11:38:52 +0200
committer: Lennart Poettering <lennart@poettering.net> 2021-09-10 14:15:55 +0200
commit: 1903defc2d1d0163d73f467f08b105ebb0619b40 (patch)
tree: 61609c52d48d0f5c23caa48be2e3218ae63cd431 /src/shared/dissect-image.c
parent: 7b32164f3c666ff00027f7061e677482bf270a9e (diff)
download: systemd-1903defc2d1d0163d73f467f08b105ebb0619b40.tar.gz
1 files changed, 19 insertions, 13 deletions
diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index 9547dad808..a540f86689 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -1401,22 +1401,28 @@ int dissect_image(
                         return -EADDRNOTAVAIL;
         }
 
-        if (verity && verity->root_hash) {
-                if (verity->designator < 0 || verity->designator == PARTITION_ROOT) {
-                        if (!m->partitions[PARTITION_ROOT_VERITY].found || !m->partitions[PARTITION_ROOT].found)
-                                return -EADDRNOTAVAIL;
+        if (verity) {
+                /* If a verity designator is specified, then insist that the matching partition exists */
+                if (verity->designator >= 0 && !m->partitions[verity->designator].found)
+                        return -EADDRNOTAVAIL;
 
-                        /* If we found a verity setup, then the root partition is necessarily read-only. */
-                        m->partitions[PARTITION_ROOT].rw = false;
-                        m->verity_ready = true;
-                }
+                if (verity->root_hash) {
+                        if (verity->designator < 0 || verity->designator == PARTITION_ROOT) {
+                                if (!m->partitions[PARTITION_ROOT_VERITY].found || !m->partitions[PARTITION_ROOT].found)
+                                        return -EADDRNOTAVAIL;
 
-                if (verity->designator == PARTITION_USR) {
-                        if (!m->partitions[PARTITION_USR_VERITY].found || !m->partitions[PARTITION_USR].found)
-                                return -EADDRNOTAVAIL;
+                                /* If we found a verity setup, then the root partition is necessarily read-only. */
+                                m->partitions[PARTITION_ROOT].rw = false;
+                                m->verity_ready = true;
+                        }
+
+                        if (verity->designator == PARTITION_USR) {
+                                if (!m->partitions[PARTITION_USR_VERITY].found || !m->partitions[PARTITION_USR].found)
+                                        return -EADDRNOTAVAIL;
 
-                        m->partitions[PARTITION_USR].rw = false;
-                        m->verity_ready = true;
+                                m->partitions[PARTITION_USR].rw = false;
+                                m->verity_ready = true;
+                        }
                 }
         }
author	Lennart Poettering <lennart@poettering.net>	2021-09-09 11:38:52 +0200
committer	Lennart Poettering <lennart@poettering.net>	2021-09-10 14:15:55 +0200
commit	1903defc2d1d0163d73f467f08b105ebb0619b40 (patch)
tree	61609c52d48d0f5c23caa48be2e3218ae63cd431 /src/shared/dissect-image.c
parent	7b32164f3c666ff00027f7061e677482bf270a9e (diff)
download	systemd-1903defc2d1d0163d73f467f08b105ebb0619b40.tar.gz