Bug 495673 - kernel dm crypt: memory corruption when invalid mapping parameters provided
kernel dm crypt: memory corruption when invalid mapping parameters provided
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel (Show other bugs)
4.8
All Linux
high Severity high
: rc
: ---
Assigned To: Milan Broz
Red Hat Kernel QE team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-04-14 07:03 EDT by Milan Broz
Modified: 2013-02-28 23:07 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-05-18 15:21:03 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Milan Broz 2009-04-14 07:03:52 EDT
Description of problem:

using of uninitializes key_size parameter in constructor error path can cause wiping of kernel memory area and system crash.

Version-Release number of selected component (if applicable):
kernel-smp-2.6.9-88.EL (probably all RHEL4 kernels)

How reproducible:
Try to create crypt mapping with wrong parameteres (but with correct count of parameters), e.g.
dmsetup create x --table "0 1 crypt x 0 0 0 0"
or
echo "xxx" | cryptsetup create -c blabla x /dev/sdf

crash depends on unitialized parameter, here the memset was caught by NMI watchdog:

Kernel panic - not syncing: nmi watchdog
 <1>Unable to handle kernel NULL pointer dereference at 00000000000000ff RIP:
[<00000000000000ff>]
PML4 1a7f5c067 PGD 1a3da9067 PMD 0
Oops: 0010 [2] SMP
CPU 1
Modules linked in: dm_crypt parport_pc lp parport autofs4 i2c_dev i2c_core sunrpc ds yenta_socket pcmcia_core cpufreq_powersave ib_srp ib_sdp ib_ipoib inet_lro md5 ipv6 rdma_ucm rdma_cm iw_cm ib_addr ib_umad ib_ucm ib_uverbs ib_cm ib_sa ib_mad ib_core dm_mirror dm_round_robin dm_emc dm_multipath button battery ac uhci_hcd ehci_hcd i5000_edac edac_mc hw_random tg3 ext3 jbd dm_mod qla2400 qla2xxx scsi_transport_fc ata_piix mptscsih mptsas mptspi mptscsi mptbase ahci libata sd_mod scsi_mod
Pid: 5421, comm: cryptsetup Not tainted 2.6.9-88.ELsmp
RIP: 0010:[<00000000000000ff>] [<00000000000000ff>]
RSP: 0018:00000101aa12bfa0  EFLAGS: 00010006
RAX: 00000101a2bc7fd8 RBX: 0000000000000000 RCX: 0000000000000002
RDX: 00000000000000ff RSI: 0000000000000000 RDI: 0000000000000002
RBP: 00000101aa11bcf8 R08: 0000000000000008 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000002 R12: 0000000000000000
R13: 00000101a8d9bc80 R14: 00000000000000d0 R15: ffffffffa00ffdfb
FS:  0000000000000000(0000) GS:ffffffff80504780(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00000000000000ff CR3: 00000001aa118000 CR4: 00000000000006e0
Process cryptsetup (pid: 5421, threadinfo 00000101a2bc6000, task 00000101a706c030)
Stack: ffffffff8011d212 ffffffff80328a0e ffffffff80110bf9 00000101aa11bcf8  <EOI>
       ffffffffa00ffdfb 00000000000000d0 00000101a8d9bc80 0000000000000000
       00000101aa11bf58 ffffffff80328a0e
Call Trace:<IRQ> <ffffffff8011d212>{smp_call_function_interrupt+64}
       <ffffffff80110bf9>{call_function_interrupt+133}  <EOI> <ffffffffa00ffdfb>{:dm_mod:dev_create+0}
       <ffffffff8011d1c5>{smp_send_stop+76} <ffffffff801389bc>{panic+253}
       <ffffffff801118f4>{show_stack+241} <ffffffff80111a1e>{show_registers+277}
       <ffffffff80111d25>{die_nmi+130} <ffffffff8011de1b>{nmi_watchdog_tick+276}
       <ffffffff801125f6>{default_do_nmi+116} <ffffffff8011df05>{do_nmi+115}
       <ffffffff80111203>{paranoid_exit+0} <ffffffffa00ffdfb>{:dm_mod:dev_create+0}
       <ffffffff803158d7>{.text.lock.spinlock+5}



Easy one line patch, upstream & RHEL5 using kzalloc here -> not problem there.
Comment 6 RHEL Product and Program Management 2009-04-14 08:48:16 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 9 Vivek Goyal 2009-04-21 10:50:29 EDT
Committed in 89.EL . RPMS are available at http://people.redhat.com/vgoyal/rhel4/
Comment 17 errata-xmlrpc 2009-05-18 15:21:03 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-1024.html

Note You need to log in before you can comment on or make changes to this bug.