
Bug 183804

Summary: sys-fs/cryptsetup-luks - stack smashing attack in function __crypt_luks_open
Product: Gentoo Linux
Reporter: 11superstrings
Component: Current packages
Assignee: Gentoo Security Audit Team <security-audit>
Status: RESOLVED TEST-REQUEST
Severity: major
CC: hardened, M4rkusXXL, strerror
Priority: High
Version: unspecified
Hardware: AMD64
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: dmesg output; emerge --info output; Kernel Config; strace of program with issue

Description 11superstrings 2007-07-01 08:22:01 UTC
Hello,

When running cryptsetup luksOpen I receive a stack smashing fault. This occurs each time I attempt to run the program.  I am using a gpg encrypted key file to encrypt the partition.  These are my exact steps.

amd64# gpg --quiet --decrypt /mnt/usb/rootkey.gpg | cryptsetup -v --cipher aes-lrw-benbi --key-size 384 luksFormat /dev/mapper/nvidia_ccdbgacj3 
Command successful.

amd64# gpg --decrypt /mnt/usb/rootkey.gpg 2>/dev/null | cryptsetup luksOpen /dev/mapper/nvidia_ccdbgacj3 root
key slot 0 unlocked.
*** stack smashing detected ***: cryptsetup - terminated
cryptsetup: stack smashing attack in function __crypt_luks_open - terminated
Report to http://bugs.gentoo.org/
Killed

amd64# 

Reproducible: Always

Steps to Reproduce:
1. Create gpg protected key file:

amd64# head -c 1500 /dev/random | uuencode -m - | head -n 2 | tail -n 1 | gpg --symmetric --cipher-algo aes256 -a >/mnt/usb/rootkey.gpg 

2. Setup encrypted partition using cryptsetup (with luks):

amd64# gpg --quiet --decrypt /mnt/usb/rootkey.gpg | cryptsetup -v --cipher aes-lrw-benbi --key-size 384 luksFormat /dev/mapper/nvidia_ccdbgacj3 

3. Open luks partition:

amd64# gpg --decrypt /mnt/usb/rootkey.gpg 2>/dev/null | cryptsetup luksOpen /dev/mapper/nvidia_ccdbgacj3 root
key slot 0 unlocked.
*** stack smashing detected ***: cryptsetup - terminated
cryptsetup: stack smashing attack in function __crypt_luks_open - terminated
Report to http://bugs.gentoo.org/
Killed


Actual Results:  
key slot 0 unlocked.
*** stack smashing detected ***: cryptsetup - terminated
cryptsetup: stack smashing attack in function __crypt_luks_open - terminated
Report to http://bugs.gentoo.org/
Killed

Expected Results:  
key slot 0 unlocked.
*** stack smashing detected ***: cryptsetup - terminated
cryptsetup: stack smashing attack in function __crypt_luks_open - terminated
Report to http://bugs.gentoo.org/
Killed
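The three steps above form a procedure that will need to be re-run to confirm whether a newer cryptsetup fixes the abort. The script below is an added regression check, not something from the reporter or the cryptsetup project: it repeats the reporter's key-file construction, luksFormat and luksOpen against a throwaway loop-backed image instead of the RAID device, and classifies cryptsetup's output so the two key sizes mentioned in the thread (320 and 384) can be compared side by side. The classifier works on captured output alone and is tested offline with the log lines quoted in the report; the live part assumes root, cryptsetup, losetup, uuencode (sharutils) and a gpg with 2.1+ option syntax, and uses a constructed passphrase and temp paths.

```shell
#!/bin/sh
# Added regression check (not part of the bug report): repeat the reporter's
# steps on a throwaway loop image and classify what luksOpen does for a
# given --key-size.  Assumptions: run as root with cryptsetup, losetup, gpg
# (2.1+ options) and uuencode installed; all paths are temp files made here,
# never the reporter's /dev/mapper/nvidia_ccdbgacj3.

# Classify cryptsetup's combined stdout+stderr, read from stdin.
# Status: 0 = key slot unlocked and no abort
#         2 = key slot unlocked but the stack-smashing protector killed it
#         1 = anything else (bad key, missing device, ...)
classify_luks_open_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'stack smashing detected'; then
        return 2
    fi
    if printf '%s\n' "$out" | grep -q 'key slot [0-9][0-9]* unlocked'; then
        return 0
    fi
    return 1
}

# Human-readable label for a classify_luks_open_output status.
describe_status() {
    case "$1" in
        0) echo "ok: luksOpen succeeded" ;;
        2) echo "bug present: SSP abort in luksOpen" ;;
        *) echo "other failure (status $1)" ;;
    esac
}

# Decrypt the gpg-wrapped key file non-interactively.
# $1 = passphrase file, $2 = key file
decrypt_key() {
    gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-file "$1" --decrypt "$2"
}

# Live reproduction. $1 = key size in bits (report: 384 aborts, 320 works).
run_luks_open_case() {
    bits=$1
    work=$(mktemp -d)
    img=$work/luks.img
    keyfile=$work/rootkey.gpg
    pass=$work/pass
    name=ssp-test-$$
    # Constructed passphrase for the symmetric gpg wrapping (no prompt).
    printf 'example-passphrase\n' > "$pass"

    dd if=/dev/zero of="$img" bs=1M count=32 2>/dev/null
    loop=$(losetup --find --show "$img")

    # Step 1: same key-material construction as the report; /dev/urandom so
    # the run never blocks waiting for entropy.
    head -c 1500 /dev/urandom | uuencode -m - | head -n 2 | tail -n 1 \
      | gpg --batch --pinentry-mode loopback --passphrase-file "$pass" \
            --symmetric --cipher-algo aes256 -a > "$keyfile"

    # Step 2: reporter's cipher spec; -q skips the "Are you sure?" prompt.
    decrypt_key "$pass" "$keyfile" \
      | cryptsetup -q --cipher aes-lrw-benbi --key-size "$bits" luksFormat "$loop"

    # Step 3: open exactly as the reporter did (key on stdin) and classify.
    decrypt_key "$pass" "$keyfile" 2>/dev/null \
      | cryptsetup luksOpen "$loop" "$name" 2>&1 | classify_luks_open_output
    rc=$?

    cryptsetup luksClose "$name" 2>/dev/null
    losetup -d "$loop"
    rm -rf "$work"
    return $rc
}

# Live run only when explicitly requested: RUN_LIVE=1 sh this_script.sh (as root)
if [ "${RUN_LIVE:-0}" = 1 ]; then
    for bits in 320 384; do
        run_luks_open_case "$bits"; st=$?
        echo "key-size $bits: $(describe_status "$st")"
    done
fi
```

With the bug present, the 384-bit case reports "bug present: SSP abort in luksOpen" while 320 reports "ok"; after the upgrade both should report "ok". The classifier keys on the exact strings SSP and cryptsetup print in the report, so it distinguishes a detected overflow from an ordinary wrong-key failure.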
Comment 1 11superstrings 2007-07-01 08:44:18 UTC
Created attachment 123513
dmesg output
Comment 2 11superstrings 2007-07-01 08:45:01 UTC
Created attachment 123515
emerge --info output
Comment 3 11superstrings 2007-07-01 19:11:19 UTC
I have done some further testing and found this only occurs while using --key-size 384.  There is no SSP while using a key size of 320.
Comment 4 11superstrings 2007-07-01 19:13:52 UTC
Created attachment 123558
Kernel Config

Kernel configuration for system with issue.
Comment 5 11superstrings 2007-07-01 19:14:44 UTC
Created attachment 123559
strace of program with issue

The details of strace run on the program with the SSP issue.
Comment 6 Markus 2007-07-04 16:19:44 UTC
It looks similar to bug 183407.
So it should work with 1.0.5; it's not yet in portage, but in the bug I linked an ebuild exists, "it's working for me"(tm).
Comment 7 Benjamin Smee (strerror) (RETIRED) gentoo-dev 2007-09-28 13:21:30 UTC
Let me know if >=cryptsetup-1.0.5 solves your problem.