Bug 2142660

| Summary: | using --escrowcert with LUKS and FIPS results in segfault | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Lark Gordon <lagordon> |
| Component: | libblockdev | Assignee: | Vojtech Trefny <vtrefny> |
| Status: | CLOSED ERRATA | QA Contact: | guazhang <guazhang> |
| Severity: | medium | | |
| Priority: | unspecified | | |
| Version: | 8.6 | CC: | guazhang, JONATHAN.SATTELBERGER, jstodola, vtrefny |
| Target Milestone: | rc | Keywords: | Triaged |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Fixed In Version: | libblockdev-2.28-2.el8 | Doc Type: | If docs needed, set a value |
| : | 2143223 2143226 | | |
| Last Closed: | 2023-05-16 08:16:22 UTC | Type: | Bug |
| Bug Blocks: | 2143223 | | |

Description
Lark Gordon
2022-11-14 19:28:57 UTC
This definitely starts with a bug in libblockdev code so I am moving this to libblockdev. But the segfault happens in an error path, so there probably is a different issue with the volume key + fips installation, probably in libvolume_key, but I can report a new bug when I have the libblockdev fix ready for testing.

upstream PR: https://github.com/storaged-project/libblockdev/pull/816

Note that this only fixes the segfault caused by libblockdev, the installation will still fail when creating the escrow packet with "security library: received bad data.", I will clone this bug to volume_key to track this separately.

Hi

    # fips-mode-setup --check
    FIPS mode is enabled.

libblockdev-2.28-1.el8.x86_64

    [root@storageqe-25 libblockdev-2.28]# python3 tests/run_tests.py crypto_test.CryptoTestEscrow.test_backup_passphrase -i
    /root/rpmbuild/BUILD/libblockdev-2.28/tests/crypto_test.py:13: PyGIWarning: BlockDev was imported without specifying a version first. Use gi.require_version('BlockDev', '2.0') before import to ensure that the right version gets loaded.
      from gi.repository import BlockDev, GLib
    test_backup_passphrase (crypto_test.CryptoTestEscrow)
    Verify that a backup passphrase can be created for a device ... Generating key. This may take a few moments...
    /usr/lib64/python3.6/site-packages/gi/overrides/BlockDev.py:253: Warning: GError set over the top of a previous GError or uninitialized memory.
    This indicates a bug in someone's code. You must ensure an error is NULL before it's set.
    The overwriting error message was: Failed to get escrow data
      return _crypto_escrow_device(device, passphrase, cert_data, directory, backup_passphrase)
    malloc_consolidate(): unaligned fastbin chunk detected
    Aborted (core dumped)

libblockdev-2.28-2.el8.x86_64

    [root@storageqe-25 libblockdev-2.28]# python3 tests/run_tests.py crypto_test.CryptoTestEscrow.test_backup_passphrase -i
    /root/rpmbuild/BUILD/libblockdev-2.28/tests/crypto_test.py:13: PyGIWarning: BlockDev was imported without specifying a version first. Use gi.require_version('BlockDev', '2.0') before import to ensure that the right version gets loaded.
      from gi.repository import BlockDev, GLib
    test_backup_passphrase (crypto_test.CryptoTestEscrow)
    Verify that a backup passphrase can be created for a device ... Generating key. This may take a few moments...
    ERROR
    ======================================================================
    ERROR: test_backup_passphrase (crypto_test.CryptoTestEscrow)
    Verify that a backup passphrase can be created for a device
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/root/rpmbuild/BUILD/libblockdev-2.28/tests/crypto_test.py", line 722, in test_backup_passphrase
        escrow_dir, backup_passphrase)
      File "/usr/lib64/python3.6/site-packages/gi/overrides/BlockDev.py", line 253, in crypto_escrow_device
        return _crypto_escrow_device(device, passphrase, cert_data, directory, backup_passphrase)
    GLib.GError: g-bd-crypto-error-quark: Failed to get escrow data: security library: received bad data. (12)
    ----------------------------------------------------------------------
    Ran 1 test in 16.693s

    FAILED (errors=1)
    [root@storageqe-25 libblockdev-2.28]#

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (libblockdev bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2755