Bug 207159 - LSPP: When using IPSec without labels, kernel sends an acquire with a security context containing garbage
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: ipsec-tools
Version: 5
Hardware: powerpc Linux
Priority: medium
Severity: medium
Assigned To: Harald Hoyer

Reported: 2006-09-19 15:07 EDT by IBM Bug Proxy
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: ipsec-tools-0.6.5-5
Doc Type: Bug Fix
Last Closed: 2006-09-27 06:30:38 EDT


Attachments
Latest LSPP racoon patch (11.21 KB, patch)
2006-09-22 10:25 EDT, Steve Grubb

External Trackers
Tracker ID Priority Status Summary Last Updated
IBM Linux Technology Center 27363 None None None Never

Description IBM Bug Proxy 2006-09-19 15:07:46 EDT
LTC Owner is: dmosby@us.ibm.com
LTC Originator is: latten@us.ibm.com


Problem description:

Could not get racoon to work properly. 

When using IPSec without labels, the kernel sends an ACQUIRE message that
contains a security context. This security context contains garbage. When labels
are not being used, then the kernel should send an ACQUIRE without a security
context.

Upon looking at code, when we allocate a policy, we never initialize the
security structure in the policy. Thus it is possible for it to contain garbage.
Probably should initialize to zero or null. 

I am using a rawhide kernel, vmlinuz-2.6.17-1.2617.2.1.fc6.

Hardware Environment
    Machine type - lpar 
    Cpu type - Power5

Will add patch to this bug report as soon as I create it.

Please mirror this bug report to RedHat and to Issue Tracker.
I would also like iboverma@redhat.com and sgrubb@redhat.com to be added to the CC
list.
Comment 1 IBM Bug Proxy 2006-09-19 15:21:03 EDT
----- Additional Comments From krisw@us.ibm.com  2006-09-19 15:19 EDT -------
I'm not sure this was mirrored correctly; I think the Issue Tracker numbers 
start with "RIT". 
Comment 2 IBM Bug Proxy 2006-09-19 15:41:41 EDT
----- Additional Comments From dmosby@us.ibm.com (prefers email at k7fw@us.ibm.com)  2006-09-19 15:39 EDT -------
My understanding is that we mirror with Issue Tracker for the RHEL products
and use Red Hat Bugzilla for Fedora or testing unreleased versions. 
Comment 3 IBM Bug Proxy 2006-09-19 16:16:14 EDT
----- Additional Comments From krisw@us.ibm.com  2006-09-19 16:12 EDT -------
OK - I was thinking she was using the beta, but now I see she said rawhide.  
Thanks! 
Comment 4 IBM Bug Proxy 2006-09-19 17:06:44 EDT
----- Additional Comments From latten@us.ibm.com  2006-09-19 17:02 EDT -------
I have compiled and tested this patch against rawhide kernel,
vmlinuz-2.6.17-1.2617.2.1.fc6.
I have also compiled against linux-2.6.17+patch-2.6.18-rc7+2.6.18-rc7-mm1
and will post to netdev@vger.kernel.org for upstream acceptance. 

diff -urpN linux-2.6.17.orig/net/xfrm/xfrm_policy.c
linux-2.6.17.patch/net/xfrm/xfrm_policy.c
--- linux-2.6.17.orig/net/xfrm/xfrm_policy.c    2006-09-19 02:11:33.000000000 -0500
+++ linux-2.6.17.patch/net/xfrm/xfrm_policy.c   2006-09-19 04:33:50.000000000 -0500
@@ -319,6 +319,7 @@ struct xfrm_policy *xfrm_policy_alloc(gf
                init_timer(&policy->timer);
                policy->timer.data = (unsigned long)policy;
                policy->timer.function = xfrm_policy_timer;
+               policy->security = NULL;
        }
        return policy;
 } 
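Review bot: The added `policy->security = NULL;` at the end of the initialization block in `xfrm_policy_alloc()` is only needed if the structure is not zero-filled when it is allocated, and the three context lines above it show timer setup but not the allocation. Please widen the context or state in the patch description how `policy` is allocated; if it is already zeroed, this assignment is redundant and the garbage security context in the ACQUIRE has to come from somewhere else. The description should also name the code path that reads `policy->security` before it is set, so the fix can be checked against the reported symptom.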
Comment 5 IBM Bug Proxy 2006-09-20 16:12:23 EDT
----- Additional Comments From latten@us.ibm.com  2006-09-20 16:08 EDT -------
The patch posted yesterday is incorrect. Will post the correct patch later today
or tomorrow.
Comment 6 IBM Bug Proxy 2006-09-21 18:11:14 EDT
----- Additional Comments From latten@us.ibm.com  2006-09-21 18:06 EDT -------
The bug was not in the kernel code, but in the racoon utility.
The racoon utility is the IKE daemon used to configure SAs in IPSec.
I have integrated the fix for this into the racoon patch which was posted 
today on redhat-lspp mailing list. 
Comment 7 Steve Grubb 2006-09-22 10:25:11 EDT
Created attachment 136943 [details]
Latest LSPP racoon patch

This is the latest patch to solve the problem in this bug report. Please apply.
Comment 8 Harald Hoyer 2006-09-25 05:44:28 EDT
Hmm...

security.c:257: error: 'ASSOCIATION__POLMATCH' undeclared (first use in this
function)

$ rpm -q libselinux-devel libsepol-devel
libselinux-devel-1.30.28-1
libsepol-devel-1.12.26-1
Comment 9 Steve Grubb 2006-09-25 09:51:43 EDT
Found an unapplied patch to libselinux that provides this define. We'll update
this bug with the new libselinux-devel version when it's built... which will be soon.
Comment 10 Steve Grubb 2006-09-25 10:41:15 EDT
New libselinux-devel package is available. Add a BuildRequires for
libselinux-devel>=1.30.28-2. Thanks.
Comment 11 Harald Hoyer 2006-09-25 10:57:13 EDT
> New libselinux-devel package is available

hmm... 
$ brew latest-pkg dist-fc6 libselinux
Build                                     Tag                   Built by
----------------------------------------  --------------------  ----------------
libselinux-1.30.28-1                      dist-fc6              dwalsh
Comment 12 Harald Hoyer 2006-09-25 11:14:11 EDT
oh... is in -HEAD...
Comment 13 IBM Bug Proxy 2007-01-17 10:50:30 EST
----- Additional Comments From latten@us.ibm.com  2007-01-17 10:47 EDT -------
I have tested this and it is working properly. 
