linux-fsdevel.vger.kernel.org archive mirror
* [PATCH] fuse: fix digest size check in fuse_setup_measure_verity()
@ 2025-10-16  6:22 Dmitry Antipov
  2025-10-16 17:46 ` Eric Biggers
  0 siblings, 1 reply; 2+ messages in thread
From: Dmitry Antipov @ 2025-10-16  6:22 UTC (permalink / raw)
  To: Richard Fung, Miklos Szeredi, linux-fsdevel; +Cc: Dmitry Antipov

When compiling with clang 21.1.3 and W=1, I've noticed the following:

fs/fuse/ioctl.c:132:18: warning: result of comparison of constant
18446744073709551611 with expression of type '__u16' (aka 'unsigned
short') is always false [-Wtautological-constant-out-of-range-compare]
  132 |         if (digest_size > SIZE_MAX - sizeof(struct fsverity_digest))
      |             ~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Since the actually supported algorithms are SHA256 and SHA512, this is
better to be replaced with the check against FS_VERITY_MAX_DIGEST_SIZE,
which is now equal to SHA512_DIGEST_SIZE and may be adjusted if even
stronger algorithms will be added someday. Compile tested only.

Fixes: 9fe2a036a23c ("fuse: Add initial support for fs-verity")
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
---
 fs/fuse/ioctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/fuse/ioctl.c b/fs/fuse/ioctl.c
index fdc175e93f74..03056e6afeb3 100644
--- a/fs/fuse/ioctl.c
+++ b/fs/fuse/ioctl.c
@@ -129,7 +129,7 @@ static int fuse_setup_measure_verity(unsigned long arg, struct iovec *iov)
 	if (copy_from_user(&digest_size, &uarg->digest_size, sizeof(digest_size)))
 		return -EFAULT;
 
-	if (digest_size > SIZE_MAX - sizeof(struct fsverity_digest))
+	if (digest_size > FS_VERITY_MAX_DIGEST_SIZE)
 		return -EINVAL;
 
 	iov->iov_len = sizeof(struct fsverity_digest) + digest_size;
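
Review bot: the replacement condition `digest_size > FS_VERITY_MAX_DIGEST_SIZE` turns a check that never fired into one that returns -EINVAL for inputs that were accepted before, a behaviour change the commit message does not discuss and that was only compile tested. Per the quoted warning, digest_size is a __u16, so the following `iov->iov_len = sizeof(struct fsverity_digest) + digest_size` cannot overflow for any value it can hold, and the old comparison was dead code. If the aim is only to silence the warning, dropping the comparison and its `return -EINVAL` keeps the accepted range unchanged; if a cap is intended, the commit message should say why no caller can legitimately pass a larger digest_size.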
-- 
2.51.0



* Re: [PATCH] fuse: fix digest size check in fuse_setup_measure_verity()
  2025-10-16  6:22 [PATCH] fuse: fix digest size check in fuse_setup_measure_verity() Dmitry Antipov
@ 2025-10-16 17:46 ` Eric Biggers
  0 siblings, 0 replies; 2+ messages in thread
From: Eric Biggers @ 2025-10-16 17:46 UTC (permalink / raw)
  To: Dmitry Antipov; +Cc: Richard Fung, Miklos Szeredi, linux-fsdevel

On Thu, Oct 16, 2025 at 09:22:47AM +0300, Dmitry Antipov wrote:
> When compiling with clang 21.1.3 and W=1, I've noticed the following:
> 
> fs/fuse/ioctl.c:132:18: warning: result of comparison of constant
> 18446744073709551611 with expression of type '__u16' (aka 'unsigned
> short') is always false [-Wtautological-constant-out-of-range-compare]
>   132 |         if (digest_size > SIZE_MAX - sizeof(struct fsverity_digest))
>       |             ~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Since the actually supported algorithms are SHA256 and SHA512, this is
> better to be replaced with the check against FS_VERITY_MAX_DIGEST_SIZE,
> which is now equal to SHA512_DIGEST_SIZE and may be adjusted if even
> stronger algorithms will be added someday. Compile tested only.
> 
> Fixes: 9fe2a036a23c ("fuse: Add initial support for fs-verity")
> Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
> ---
>  fs/fuse/ioctl.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/fuse/ioctl.c b/fs/fuse/ioctl.c
> index fdc175e93f74..03056e6afeb3 100644
> --- a/fs/fuse/ioctl.c
> +++ b/fs/fuse/ioctl.c
> @@ -129,7 +129,7 @@ static int fuse_setup_measure_verity(unsigned long arg, struct iovec *iov)
>  	if (copy_from_user(&digest_size, &uarg->digest_size, sizeof(digest_size)))
>  		return -EFAULT;
>  
> -	if (digest_size > SIZE_MAX - sizeof(struct fsverity_digest))
> +	if (digest_size > FS_VERITY_MAX_DIGEST_SIZE)
>  		return -EINVAL;

This breaks any userspace program that passes a digest_size greater than
64 bytes.  It's the size of an output buffer, not an input buffer.  So
it may be larger than the current max digest size.

Just delete the tautological comparison if it's causing a warning.

- Eric
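
The point made in the reply, checked in a user-space model (an added example, not code from the patch or the kernel tree). The struct and function names are stand-ins; the 64-byte limit comes from the thread and the 4-byte header size from the constant in the warning (SIZE_MAX - 4).

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for struct fsverity_digest: two 16-bit fields, then the digest. */
struct fsverity_digest_model {
	uint16_t digest_algorithm;
	uint16_t digest_size;
	uint8_t digest[];
};

#define MODEL_MAX_DIGEST_SIZE 64u /* SHA512_DIGEST_SIZE, per the thread */

typedef int (*size_check_fn)(size_t digest_size);

/* Condition before the patch; taken as size_t so it compiles without the warning. */
static int check_before_patch(size_t digest_size)
{
	return digest_size > SIZE_MAX - sizeof(struct fsverity_digest_model) ? -EINVAL : 0;
}

/* Condition proposed by the patch. */
static int check_after_patch(size_t digest_size)
{
	return digest_size > MODEL_MAX_DIGEST_SIZE ? -EINVAL : 0;
}

/* How many of the 65536 possible __u16 values a check rejects. */
static unsigned int count_rejected(size_check_fn check)
{
	unsigned int rejected = 0;

	for (uint32_t v = 0; v <= UINT16_MAX; v++)
		if (check((size_t)v) != 0)
			rejected++;
	return rejected;
}

int main(void)
{
	/* A caller offering a 128-byte output buffer (constructed value). */
	printf("before: rejects %u values, 128 -> %d\n",
	       count_rejected(check_before_patch), check_before_patch(128));
	printf("after:  rejects %u values, 128 -> %d\n",
	       count_rejected(check_after_patch), check_after_patch(128));
	return 0;
}
```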
