Bug 495673 - kernel dm crypt: memory corruption when invalid mapping parameters provided
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assigned To: Milan Broz
QA Contact: Red Hat Kernel QE team
Reported: 2009-04-14 07:03 EDT by Milan Broz
Modified: 2013-02-28 23:07 EST
Doc Type: Bug Fix
Last Closed: 2009-05-18 15:21:03 EDT
Description Milan Broz 2009-04-14 07:03:52 EDT
Description of problem:

Use of an uninitialized key_size parameter in the constructor error path can cause wiping of a kernel memory area and a system crash.

Version-Release number of selected component (if applicable):
kernel-smp-2.6.9-88.EL (probably all RHEL4 kernels)

How reproducible:
Try to create a crypt mapping with wrong parameters (but with the correct count of parameters), e.g.
dmsetup create x --table "0 1 crypt x 0 0 0 0"
echo "xxx" | cryptsetup create -c blabla x /dev/sdf

The crash depends on the uninitialized parameter; here the memset was caught by the NMI watchdog:

Kernel panic - not syncing: nmi watchdog
 <1>Unable to handle kernel NULL pointer dereference at 00000000000000ff RIP:
PML4 1a7f5c067 PGD 1a3da9067 PMD 0
Oops: 0010 [2] SMP
Modules linked in: dm_crypt parport_pc lp parport autofs4 i2c_dev i2c_core sunrpc ds yenta_socket pcmcia_core cpufreq_powersave ib_srp ib_sdp ib_ipoib inet_lro md5 ipv6 rdma_ucm rdma_cm iw_cm ib_addr ib_umad ib_ucm ib_uverbs ib_cm ib_sa ib_mad ib_core dm_mirror dm_round_robin dm_emc dm_multipath button battery ac uhci_hcd ehci_hcd i5000_edac edac_mc hw_random tg3 ext3 jbd dm_mod qla2400 qla2xxx scsi_transport_fc ata_piix mptscsih mptsas mptspi mptscsi mptbase ahci libata sd_mod scsi_mod
Pid: 5421, comm: cryptsetup Not tainted 2.6.9-88.ELsmp
RIP: 0010:[<00000000000000ff>] [<00000000000000ff>]
RSP: 0018:00000101aa12bfa0  EFLAGS: 00010006
RAX: 00000101a2bc7fd8 RBX: 0000000000000000 RCX: 0000000000000002
RDX: 00000000000000ff RSI: 0000000000000000 RDI: 0000000000000002
RBP: 00000101aa11bcf8 R08: 0000000000000008 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000002 R12: 0000000000000000
R13: 00000101a8d9bc80 R14: 00000000000000d0 R15: ffffffffa00ffdfb
FS:  0000000000000000(0000) GS:ffffffff80504780(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00000000000000ff CR3: 00000001aa118000 CR4: 00000000000006e0
Process cryptsetup (pid: 5421, threadinfo 00000101a2bc6000, task 00000101a706c030)
Stack: ffffffff8011d212 ffffffff80328a0e ffffffff80110bf9 00000101aa11bcf8  <EOI>
       ffffffffa00ffdfb 00000000000000d0 00000101a8d9bc80 0000000000000000
       00000101aa11bf58 ffffffff80328a0e
Call Trace:<IRQ> <ffffffff8011d212>{smp_call_function_interrupt+64}
       <ffffffff80110bf9>{call_function_interrupt+133}  <EOI> <ffffffffa00ffdfb>{:dm_mod:dev_create+0}
       <ffffffff8011d1c5>{smp_send_stop+76} <ffffffff801389bc>{panic+253}
       <ffffffff801118f4>{show_stack+241} <ffffffff80111a1e>{show_registers+277}
       <ffffffff80111d25>{die_nmi+130} <ffffffff8011de1b>{nmi_watchdog_tick+276}
       <ffffffff801125f6>{default_do_nmi+116} <ffffffff8011df05>{do_nmi+115}
       <ffffffff80111203>{paranoid_exit+0} <ffffffffa00ffdfb>{:dm_mod:dev_create+0}

Easy one-line patch; upstream & RHEL5 use kzalloc here -> not a problem there.
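As an added illustration of the bug class described in the report above (this is not code from the reporter or from the RHEL4 kernel), the following userspace C model shows why a non-zeroing allocation turns the constructor's error path into an unbounded memset, and why zeroing the allocation bounds it. The struct layout, the function names (alloc_cc, crypt_set_key_model, crypt_ctr_model), the "aes"-only cipher check and the 0xff stale-memory fill of the non-zeroing allocator are assumptions made for the model; instead of executing an out-of-bounds memset, the model records the length the error path would have passed.

```c
/*
 * Constructed userspace model of the dm-crypt constructor error path this
 * report describes. Added example, not RHEL4 dm-crypt source: the struct
 * layout, function names, "aes"-only cipher check and the 0xff stale-memory
 * fill of the non-zeroing allocator are all assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct crypt_config {
    unsigned int key_size;   /* written only by crypt_set_key_model() */
    char cipher[16];
    unsigned char key[];     /* key bytes are appended to the struct */
};

struct ctr_result {
    int rc;             /* 0 = mapping created, -1 = rejected */
    uint64_t wipe_len;  /* bytes the error path asked memset() to clear */
    int overflow;       /* 1 if wipe_len exceeds the allocation */
};

/* kmalloc()/kzalloc() stand-ins. The non-zeroing one fills the block with
 * 0xff to mimic stale contents of reused slab memory (assumption). */
static struct crypt_config *alloc_cc(size_t key_size, int zeroed)
{
    size_t n = sizeof(struct crypt_config) + key_size;
    struct crypt_config *cc = zeroed ? calloc(1, n) : malloc(n);
    if (cc && !zeroed)
        memset(cc, 0xff, n);
    return cc;
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode the hex key into cc->key. cc->key_size is assigned only on success,
 * so any failure up to and including this step leaves it untouched. */
static int crypt_set_key_model(struct crypt_config *cc, const char *hex, size_t key_size)
{
    if (key_size == 0 || strlen(hex) != key_size * 2)
        return -1;
    for (size_t i = 0; i < key_size; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        cc->key[i] = (unsigned char)(hi << 4 | lo);
    }
    cc->key_size = (unsigned int)key_size;
    return 0;
}

/* Model of the constructor: cipher is the table's cipher name, hexkey its
 * hex-encoded key. Every error path wipes key material with
 *     memset(cc, 0, sizeof(*cc) + cc->key_size);
 * If the allocator did not zero the block and the failure happened before
 * crypt_set_key_model() ran, cc->key_size is whatever was left in memory. */
static int crypt_ctr_model(const char *cipher, const char *hexkey, int zeroed,
                           struct ctr_result *out)
{
    size_t key_size = strlen(hexkey) >> 1;   /* bytes implied by the hex string */
    size_t alloc = sizeof(struct crypt_config) + key_size;
    struct crypt_config *cc = alloc_cc(key_size, zeroed);

    memset(out, 0, sizeof *out);
    if (!cc) {
        out->rc = -1;
        return out->rc;
    }
    /* "x" (dmsetup reproducer) and "blabla" (cryptsetup -c) both fail here,
     * before the key is ever parsed. */
    if (strcmp(cipher, "aes") != 0)
        goto bad;
    strcpy(cc->cipher, cipher);
    if (crypt_set_key_model(cc, hexkey, key_size) < 0)
        goto bad;   /* malformed hex also fails before key_size is assigned */
    free(cc);
    return out->rc;   /* 0 */

bad:
    out->wipe_len = (uint64_t)sizeof(*cc) + cc->key_size;
    out->overflow = out->wipe_len > alloc;
    if (!out->overflow)
        memset(cc, 0, (size_t)out->wipe_len);   /* the wipe a zeroed block survives */
    free(cc);
    out->rc = -1;
    return out->rc;
}

int main(void)
{
    /* Constructed argument pairs: the dmsetup table "crypt x 0 ..." from the
     * report, and an invalid cipher name as cryptsetup -c blabla would pass. */
    static const char *args[][2] = { { "x", "0" }, { "blabla", "00" } };
    struct ctr_result r;

    for (int zeroed = 0; zeroed < 2; zeroed++)
        for (size_t i = 0; i < 2; i++) {
            crypt_ctr_model(args[i][0], args[i][1], zeroed, &r);
            printf("%-7s cipher=%-6s key=%s -> rc=%d wipe_len=%llu %s\n",
                   zeroed ? "kzalloc" : "kmalloc", args[i][0], args[i][1], r.rc,
                   (unsigned long long)r.wipe_len,
                   r.overflow ? "OUT-OF-BOUNDS WIPE" : "ok");
        }
    return 0;
}
```

With the non-zeroing allocator, both reproducer argument pairs reject the mapping with a wipe length of sizeof(*cc) plus 0xffffffff, which in the real kernel means memset walks off the allocation until it hits an unmapped page or the NMI watchdog fires, as in the trace above. With the zeroed allocator, key_size is 0 on every early failure, so the wipe covers exactly the struct. Zeroing the allocation is the fix the report refers to; a practitioner hardening such a constructor would additionally derive the wipe length from the locally computed key_size rather than from a field that may not have been assigned yet, so the error path stays correct even if the allocator changes again.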
Comment 6 RHEL Product and Program Management 2009-04-14 08:48:16 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 9 Vivek Goyal 2009-04-21 10:50:29 EDT
Committed in 89.EL . RPMS are available at http://people.redhat.com/vgoyal/rhel4/
Comment 17 errata-xmlrpc 2009-05-18 15:21:03 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.