Description of problem:
Use of the uninitialized key_size parameter in the constructor error path can cause wiping of a kernel memory area and a system crash.

Version-Release number of selected component (if applicable):
kernel-smp-2.6.9-88.EL (probably all RHEL4 kernels)

How reproducible:
Try to create a crypt mapping with wrong parameters (but with the correct count of parameters), e.g.

  dmsetup create x --table "0 1 crypt x 0 0 0 0"

or

  echo "xxx" | cryptsetup create -c blabla x /dev/sdf

The crash depends on the uninitialized parameter; here the memset was caught by the NMI watchdog:

Kernel panic - not syncing: nmi watchdog
<1>Unable to handle kernel NULL pointer dereference at 00000000000000ff
RIP: [<00000000000000ff>]
PML4 1a7f5c067 PGD 1a3da9067 PMD 0
Oops: 0010 [2] SMP
CPU 1
Modules linked in: dm_crypt parport_pc lp parport autofs4 i2c_dev i2c_core sunrpc ds yenta_socket pcmcia_core cpufreq_powersave ib_srp ib_sdp ib_ipoib inet_lro md5 ipv6 rdma_ucm rdma_cm iw_cm ib_addr ib_umad ib_ucm ib_uverbs ib_cm ib_sa ib_mad ib_core dm_mirror dm_round_robin dm_emc dm_multipath button battery ac uhci_hcd ehci_hcd i5000_edac edac_mc hw_random tg3 ext3 jbd dm_mod qla2400 qla2xxx scsi_transport_fc ata_piix mptscsih mptsas mptspi mptscsi mptbase ahci libata sd_mod scsi_mod
Pid: 5421, comm: cryptsetup Not tainted 2.6.9-88.ELsmp
RIP: 0010:[<00000000000000ff>] [<00000000000000ff>]
RSP: 0018:00000101aa12bfa0 EFLAGS: 00010006
RAX: 00000101a2bc7fd8 RBX: 0000000000000000 RCX: 0000000000000002
RDX: 00000000000000ff RSI: 0000000000000000 RDI: 0000000000000002
RBP: 00000101aa11bcf8 R08: 0000000000000008 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000002 R12: 0000000000000000
R13: 00000101a8d9bc80 R14: 00000000000000d0 R15: ffffffffa00ffdfb
FS: 0000000000000000(0000) GS:ffffffff80504780(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00000000000000ff CR3: 00000001aa118000 CR4: 00000000000006e0
Process cryptsetup (pid: 5421, threadinfo 00000101a2bc6000, task 00000101a706c030)
Stack: ffffffff8011d212 ffffffff80328a0e ffffffff80110bf9 00000101aa11bcf8
       <EOI> ffffffffa00ffdfb 00000000000000d0 00000101a8d9bc80
       0000000000000000 00000101aa11bf58 ffffffff80328a0e
Call Trace:<IRQ> <ffffffff8011d212>{smp_call_function_interrupt+64} <ffffffff80110bf9>{call_function_interrupt+133}
       <EOI> <ffffffffa00ffdfb>{:dm_mod:dev_create+0} <ffffffff8011d1c5>{smp_send_stop+76}
       <ffffffff801389bc>{panic+253} <ffffffff801118f4>{show_stack+241}
       <ffffffff80111a1e>{show_registers+277} <ffffffff80111d25>{die_nmi+130}
       <ffffffff8011de1b>{nmi_watchdog_tick+276} <ffffffff801125f6>{default_do_nmi+116}
       <ffffffff8011df05>{do_nmi+115} <ffffffff80111203>{paranoid_exit+0}
       <ffffffffa00ffdfb>{:dm_mod:dev_create+0} <ffffffff803158d7>{.text.lock.spinlock+5}

Easy one-line patch; upstream & RHEL5 use kzalloc here -> not a problem there.
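The defect pattern described in this report, reduced to a userspace illustration. This is an added example, not the reporter's patch and not the dm-crypt source: the struct, the function names (sim_kmalloc, sim_kzalloc, ctr_error_path, bounded_key_wipe) and the 0xAA fill that stands in for stale kernel memory are all constructed for the demonstration. It shows why a constructor that fails argument validation before key_size is assigned hands the cleanup path a garbage length when the context came from a non-zeroing allocator, and why switching to a zeroing allocator (the one-line kzalloc fix mentioned above) makes the same error path harmless. A bounded wipe is shown alongside as the belt-and-braces defence.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical stand-in for the per-target context (not the kernel's struct). */
struct crypt_config {
    unsigned int key_size;   /* assigned only after the arguments have been parsed */
    uint8_t key[64];
};

/* Simulated kmalloc(): memory that still carries its previous contents.
 * The 0xAA fill is a constructed pattern standing in for stale kernel data. */
static void *sim_kmalloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        memset(p, 0xAA, n);
    return p;
}

/* Simulated kzalloc(): same allocation, but zeroed. */
static void *sim_kzalloc(size_t n)
{
    return calloc(1, n);
}

/* The error-path pattern from the report, reduced to its essentials:
 * allocate the context, fail argument validation before key_size is
 * assigned, then run the cleanup that wipes the key.  Instead of calling
 * memset() with whatever key_size holds (which is what the report says
 * crashed the machine), this returns the length the wipe would have used
 * so the caller can compare the two allocators. */
static unsigned int ctr_error_path(void *(*alloc)(size_t), const char *cipher)
{
    struct crypt_config *cc = alloc(sizeof(*cc));
    unsigned int wipe_len;

    if (!cc)
        return 0;

    /* Unknown cipher name -> bail out before key_size is ever written. */
    if (strcmp(cipher, "aes") != 0) {
        wipe_len = cc->key_size;   /* garbage after sim_kmalloc, 0 after sim_kzalloc */
        free(cc);
        return wipe_len;
    }

    cc->key_size = 32;             /* success path: the size is known only here */
    wipe_len = cc->key_size;
    free(cc);
    return wipe_len;
}

/* Defensive wipe: clamp the length to the buffer, so even a bogus key_size
 * cannot run memset() past the struct.  Returns the number of bytes cleared. */
static size_t bounded_key_wipe(struct crypt_config *cc)
{
    size_t n = cc->key_size;
    if (n > sizeof(cc->key))
        n = sizeof(cc->key);
    memset(cc->key, 0, n);
    return n;
}

/* Helper for exercising bounded_key_wipe() with a given claimed key_size. */
static size_t bounded_wipe_for(unsigned int claimed)
{
    struct crypt_config cc;
    cc.key_size = claimed;
    return bounded_key_wipe(&cc);
}

int main(void)
{
    unsigned int bad = ctr_error_path(sim_kmalloc, "blabla");
    unsigned int good = ctr_error_path(sim_kzalloc, "blabla");
    printf("error-path wipe length: kmalloc=%u kzalloc=%u\n", bad, good);
    printf("bounded wipe with garbage key_size clears %zu bytes\n",
           bounded_wipe_for(0xAAAAAAAAu));
    return 0;
}
```

With the non-zeroing allocator the error path reads key_size as 0xAAAAAAAA (about 2.8 GB), which is the length the real memset would have been handed; with the zeroing allocator the same path sees 0 and the wipe is a no-op. The clamp in bounded_key_wipe is the independent safeguard: it keeps the wipe inside the struct regardless of which allocator produced the context.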
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Committed in 89.EL. RPMS are available at http://people.redhat.com/vgoyal/rhel4/
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2009-1024.html