These issues look still present as of FC5test2

CVE-2006-0095 dm-crypt key leak
dm-crypt in Linux kernel 2.6.15 and earlier does not clear a structure before it is freed, which leads to a memory disclosure that could allow local users to obtain sensitive information about a cryptographic key.
http://marc.theaimsgroup.com/?l=linux-kernel&m=113640535312572
http://marc.theaimsgroup.com/?l=linux-kernel&m=113641114812886

CVE-2006-0037 Netfilter local crash
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=03b9feca89366952ae5dfe4ad8107b1ece50b710

CVE-2006-0036 Netfilter remote crash
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=15db34702cfafd24acc60295cf14861e497502ab

CVE-2006-0035 netlink DoS
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=ad8e4b75c8a7bed475d72ce09bf5267188621961
If it's in Linus' tree, it's in rawhide. marc.theaimsgroup seems to be down right now, so I can't check the first one.
Still can't get to that URL, but on Jan 6th this got merged: "Subject: [PATCH] dm-crypt: zero key before freeing it", which sounds like the same problem, so I'm closing this, as Linus' tree has all these and rawhide is based on -git of the day right now.
Both the marc URLs work for me; this is the plaintext paste from that URL: dm-crypt should clear struct crypt_config before freeing it to avoid information leak f.e. to a swsusp image. Signed-off-by: Stefan Rompf <stefan> Acked-by: Clemens Fruhwirth <clemens> --- linux-2.6.15/drivers/md/dm-crypt.c.orig 2006-01-04 01:01:16.000000000 +0100 +++ linux-2.6.15/drivers/md/dm-crypt.c 2006-01-04 22:35:13.000000000 +0100 @@ -690,6 +690,8 @@ bad2: crypto_free_tfm(tfm); bad1: + /* Zero key material before free to avoid information leak */ + memset(cc, 0, sizeof(*cc) + cc->key_size * sizeof(u8)); kfree(cc); return -EINVAL; } @@ -706,6 +708,9 @@ cc->iv_gen_ops->dtr(cc); crypto_free_tfm(cc->tfm); dm_put_device(ti, cc->dev); + + /* Zero key material before free to avoid information leak */ + memset(cc, 0, sizeof(*cc) + cc->key_size * sizeof(u8)); kfree(cc); } This matches your comment #2 and therefore it is fixed upstream.
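Review bot: in the first hunk (the bad1: error path of the constructor) the clear length is taken from cc->key_size, a field of the very object being wiped, so the memset is only correct if every goto bad1 is reached after key_size has been stored; the allocation and the assignment are not in the hunk, and if any earlier failure jumps to bad1 before that store the length is whatever the allocator left in the field. Safer to compute the length once from the same value the allocation used rather than re-reading it from cc, and the `* sizeof(u8)` factor is always 1 and can be dropped from both memset calls.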
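Review bot: in the second hunk (crypt_dtr) the memset sits directly before kfree(cc) with no intervening read of the object, which is exactly the shape a compiler may treat as a dead store and drop; a plain memset is not guaranteed to survive optimisation here (the kernel later gained memzero_explicit() for this case). The ordering is otherwise right: crypto_free_tfm(cc->tfm) and dm_put_device(ti, cc->dev) run before the clear, so the wipe does not destroy the pointers they still need.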
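The leak and the fix in the patch above, as an added user-space model that is not part of the bug report or of dm-crypt: a constructed static arena stands in for kmalloc/kfree (freed bytes are left untouched, which is what makes them visible in a swap or suspend image), a hypothetical struct crypt_config keeps its key in a trailing flexible array exactly as the `sizeof(*cc) + key_size` in the patch implies, and the clear goes through a volatile pointer so it cannot be optimised away as a dead store before the free. The function names crypt_ctr/crypt_dtr mirror the dm target hooks; everything else (arena, secure_zero, the scan helpers) is invented for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed "memory image": freed blocks are never scrubbed, like kfree(). */
static union { uint8_t bytes[1024]; size_t align; } image;
static uint8_t *const arena = image.bytes;
static size_t arena_top;

static void *arena_alloc(size_t n)
{
	if (arena_top + n > sizeof image.bytes) return NULL;
	void *p = arena + arena_top;
	arena_top += n;
	return p;
}
static void arena_free(void *p) { (void)p; }	/* bytes stay as they were */

/* Clear through a volatile pointer so the stores cannot be dropped as dead
 * code before the free (the kernel later added memzero_explicit() for this). */
static void secure_zero(void *p, size_t n)
{
	volatile uint8_t *vp = p;
	while (n--) *vp++ = 0;
}

/* Hypothetical model of struct crypt_config: key in a trailing flexible
 * array, so the object occupies sizeof(*cc) + key_size bytes. */
struct crypt_config {
	size_t key_size;
	uint8_t key[];
};

static int hexval(char c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/* Bytes before the first bad pair are already written when this fails,
 * which is why the constructor's error path has to clear as well. */
static int hex_decode(const char *hex, uint8_t *out, size_t n)
{
	for (size_t i = 0; i < n; i++) {
		int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
		if (hi < 0 || lo < 0) return -1;
		out[i] = (uint8_t)(hi << 4 | lo);
	}
	return 0;
}

/* Constructor: key_size is stored before decoding, so the bad1-style error
 * path computes its clear length from an initialised field. */
struct crypt_config *crypt_ctr(const char *hexkey)
{
	size_t key_size = strlen(hexkey) >> 1;
	struct crypt_config *cc = arena_alloc(sizeof *cc + key_size);
	if (!cc) return NULL;
	cc->key_size = key_size;
	if (hex_decode(hexkey, cc->key, key_size) != 0) {
		secure_zero(cc, sizeof *cc + cc->key_size);	/* bad1 */
		arena_free(cc);
		return NULL;
	}
	return cc;
}

/* Destructor: clear == 0 is the pre-patch behaviour, clear == 1 the patched one. */
void crypt_dtr(struct crypt_config *cc, int clear)
{
	if (clear) secure_zero(cc, sizeof *cc + cc->key_size);
	arena_free(cc);
}

/* What an attacker with the image does: scan it for the key bytes. */
static int arena_contains(const uint8_t *needle, size_t n)
{
	if (n == 0 || n > arena_top) return 0;
	for (size_t i = 0; i + n <= arena_top; i++)
		if (memcmp(arena + i, needle, n) == 0) return 1;
	return 0;
}

static void fresh_image(void) { memset(arena, 0, sizeof image.bytes); arena_top = 0; }

/* Build, tear down, scan. Returns 1 if the key survives, 0 if not, -1 on a bad key. */
int key_survives_free(const char *hexkey, int clear)
{
	uint8_t expected[64];
	size_t n = strlen(hexkey) >> 1;
	if (n > sizeof expected || hex_decode(hexkey, expected, n) != 0) return -1;
	fresh_image();
	struct crypt_config *cc = crypt_ctr(hexkey);
	if (!cc) return -1;
	crypt_dtr(cc, clear);
	return arena_contains(expected, n);
}

/* Constructor error path: a key whose last pair is not hex is partly decoded
 * before the failure. Returns 1 if that decoded prefix survives in the image. */
int partial_key_survives_ctr_failure(const char *hexkey)
{
	uint8_t prefix[64];
	size_t n = strlen(hexkey) >> 1, good = 0;
	if (n > sizeof prefix) return -1;
	while (good < n && hex_decode(hexkey + 2 * good, prefix + good, 1) == 0) good++;
	if (good == n || good < 4) return -1;	/* not a failure case, or too short to search for */
	fresh_image();
	if (crypt_ctr(hexkey) != NULL) return -1;
	return arena_contains(prefix, good);
}
```

With clear == 0 the 16-byte key is found intact in the image after the destructor ran; with clear == 1 it is gone, and the partial key left behind by a failed constructor is gone too. Note that key_survives_free uses a freshly zeroed image per call, so the result reflects only the one context being torn down.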
All confirmed fixed in test3.