On Thu, Apr 20, 2023 at 09:44:04AM +0200, Alexander Larsson wrote:
> + err = fsverity_get_digest(d_inode(datapath->dentry), actual_digest, &verity_algo);
> + if (err < 0) {
> + pr_warn_ratelimited("lower file '%pd' has no fs-verity digest\n", datapath->dentry);
> + return -EIO;
> + }
> +
> + if (digest_len != hash_digest_size[verity_algo] ||
> + memcmp(required_digest, actual_digest, digest_len) != 0) {
> + pr_warn_ratelimited("lower file '%pd' has the wrong fs-verity digest\n",
> + datapath->dentry);
> + return -EIO;
> + }
> +
> + return 0;
This is incorrect because the digest algorithm is not being compared.
- Eric
