Verify the last incomplete chunk on resize
Bug: 221847239
Test: AuthFsHostTest
Change-Id: I9c7b68d51faac3e34053d6fbf5d3eeb9f702c7e8
diff --git a/authfs/src/fsverity/editor.rs b/authfs/src/fsverity/editor.rs
index 19d9159..60b5b80 100644
--- a/authfs/src/fsverity/editor.rs
+++ b/authfs/src/fsverity/editor.rs
@@ -112,15 +112,15 @@
&self,
chunk_index: u64,
buf: &mut ChunkBuffer,
+ merkle_tree_locked: &MerkleLeaves,
) -> io::Result<usize> {
let size = self.read_backing_chunk_unverified(chunk_index, buf)?;
// Ensure the returned buffer matches the known hash.
- let merkle_tree = self.merkle_tree.read().unwrap();
debug_assert_usize_is_u64();
- if merkle_tree.is_index_valid(chunk_index as usize) {
+ if merkle_tree_locked.is_index_valid(chunk_index as usize) {
let hash = Sha256Hasher::new()?.update(buf)?.finalize()?;
- if !merkle_tree.is_consistent(chunk_index as usize, &hash) {
+ if !merkle_tree_locked.is_consistent(chunk_index as usize, &hash) {
return Err(io::Error::new(io::ErrorKind::InvalidData, "Inconsistent hash"));
}
Ok(size)
@@ -278,7 +278,7 @@
let chunk_index = size / CHUNK_SIZE;
if new_tail_size > 0 {
let mut buf: ChunkBuffer = [0; CHUNK_SIZE as usize];
- let s = self.read_backing_chunk_unverified(chunk_index, &mut buf)?;
+ let s = self.read_backing_chunk_verified(chunk_index, &mut buf, &merkle_tree)?;
debug_assert!(new_tail_size <= s);
let zeros = vec![0; CHUNK_SIZE as usize - new_tail_size];
@@ -299,7 +299,8 @@
impl<F: ReadByChunk + RandomWrite> ReadByChunk for VerifiedFileEditor<F> {
fn read_chunk(&self, chunk_index: u64, buf: &mut ChunkBuffer) -> io::Result<usize> {
- self.read_backing_chunk_verified(chunk_index, buf)
+ let merkle_tree = self.merkle_tree.read().unwrap();
+ self.read_backing_chunk_verified(chunk_index, buf, &merkle_tree)
}
}
diff --git a/authfs/tests/java/src/com/android/fs/AuthFsHostTest.java b/authfs/tests/java/src/com/android/fs/AuthFsHostTest.java
index 633e467..9a2e243 100644
--- a/authfs/tests/java/src/com/android/fs/AuthFsHostTest.java
+++ b/authfs/tests/java/src/com/android/fs/AuthFsHostTest.java
@@ -266,7 +266,7 @@
// Action
// Tampering with the first 2 4K-blocks of the backing file.
- zeroizeFileHeadOnAndroid(backendPath, /* size */ 8192);
+ zeroizeFileOnAndroid(backendPath, /* size */ 8192, /* offset */ 0);
// Verify
// Write to a block partially requires a read back to calculate the new hash. It should fail
@@ -301,7 +301,7 @@
// Action
// Tampering with the first 4K-block of the backing file.
- zeroizeFileHeadOnAndroid(backendPath, /* size */ 4096);
+ zeroizeFileOnAndroid(backendPath, /* size */ 4096, /* offset */ 0);
// Verify
// Force dropping the page cache, so that the next read can be validated.
@@ -314,6 +314,27 @@
}
@Test
+ public void testResizeFailedIfDetectsTampering() throws Exception {
+ // Setup
+ runFdServerOnAndroid("--open-rw 3:" + TEST_OUTPUT_DIR + "/out.file", "--rw-fds 3");
+ runAuthFsOnMicrodroid("--remote-new-rw-file 3 --cid " + VMADDR_CID_HOST);
+
+ String outputPath = MOUNT_DIR + "/3";
+ String backendPath = TEST_OUTPUT_DIR + "/out.file";
+ createFileWithOnesOnMicrodroid(outputPath, 8192);
+
+ // Action
+ // Tampering with the last 4K-block of the backing file.
+ zeroizeFileOnAndroid(backendPath, /* size */ 1, /* offset */ 4096);
+
+ // Verify
+ // A resize (to a non-multiple of 4K) will fail if the last backing chunk has been
+ // tampered. The original data is necessary (and has to be verified) to calculate the new
+ // hash with shorter data.
+ assertFalse(resizeFileOnMicrodroid(outputPath, 8000));
+ }
+
+ @Test
public void testFileResize() throws Exception {
// Setup
runFdServerOnAndroid("--open-rw 3:" + TEST_OUTPUT_DIR + "/out.file", "--rw-fds 3");
@@ -329,14 +350,14 @@
backendPath,
"684ad25fdc2bbb80cbc910dd1bde6d5499ccf860ca6ee44704b77ec445271353");
- resizeFileOnMicrodroid(outputPath, 15000);
+ assertTrue(resizeFileOnMicrodroid(outputPath, 15000));
assertEquals(getFileSizeInBytesOnMicrodroid(outputPath), 15000);
expectBackingFileConsistency(
outputPath,
backendPath,
"567c89f62586e0d33369157afdfe99a2fa36cdffb01e91dcdc0b7355262d610d");
- resizeFileOnMicrodroid(outputPath, 5000);
+ assertTrue(resizeFileOnMicrodroid(outputPath, 5000));
assertEquals(getFileSizeInBytesOnMicrodroid(outputPath), 5000);
expectBackingFileConsistency(
outputPath,
@@ -365,7 +386,7 @@
"684ad25fdc2bbb80cbc910dd1bde6d5499ccf860ca6ee44704b77ec445271353");
// Regular file operations work, e.g. resize.
- resizeFileOnMicrodroid(authfsPath, 15000);
+ assertTrue(resizeFileOnMicrodroid(authfsPath, 15000));
assertEquals(getFileSizeInBytesOnMicrodroid(authfsPath), 15000);
expectBackingFileConsistency(
authfsPath,
@@ -723,8 +744,9 @@
assertEquals("Inconsistent mode for " + androidPath + " (android)", expected, actual);
}
- private void resizeFileOnMicrodroid(String path, long size) {
- runOnMicrodroid("truncate -c -s " + size + " " + path);
+ private boolean resizeFileOnMicrodroid(String path, long size) {
+ CommandResult result = runOnMicrodroidForResult("truncate -c -s " + size + " " + path);
+ return result.getStatus() == CommandStatus.SUCCESS;
}
private long getFileSizeInBytesOnMicrodroid(String path) {
@@ -759,9 +781,10 @@
return result.getStatus() == CommandStatus.SUCCESS;
}
- private void zeroizeFileHeadOnAndroid(String filePath, long size)
+ private void zeroizeFileOnAndroid(String filePath, long size, long offset)
throws DeviceNotAvailableException {
- sAndroid.run("dd if=/dev/zero of=" + filePath + " bs=1 count=" + size + " conv=notrunc");
+ sAndroid.run("dd if=/dev/zero of=" + filePath + " bs=1 count=" + size + " conv=notrunc"
+ + " seek=" + offset);
}
private void runAuthFsOnMicrodroid(String flags) {