Debian Bug report logs - #941051
cryptsetup: luksFormat crash with benbi IV generator and LUKS2 integrity option(s)

version graph

Package: cryptsetup; Maintainer for cryptsetup is Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>; Source for cryptsetup is src:cryptsetup (PTS, buildd, popcon).

Reported by: Jerad Simpson <jbsimpson@gmail.com>

Date: Tue, 24 Sep 2019 01:27:02 UTC

Severity: normal

Found in version cryptsetup/2:2.1.0-5+deb10u2

Done: Guilhem Moulin <guilhem@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, jbsimpson@gmail.com, Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>:
Bug#941051; Package cryptsetup. (Tue, 24 Sep 2019 01:27:04 GMT) (full text, mbox, link).

Acknowledgement sent to Jerad Simpson <jbsimpson@gmail.com>:
New Bug report received and forwarded. Copy sent to jbsimpson@gmail.com, Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>. (Tue, 24 Sep 2019 01:27:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jerad Simpson <jbsimpson@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cryptsetup: luksFormat crash with benbi IV generator and LUKS2 integrity option(s)
Date: Tue, 24 Sep 2019 01:23:45 +0000
Package: cryptsetup
Version: 2:2.1.0-5+deb10u2
Severity: normal

Dear Maintainer,

I have been toying around with LUKS2 integrity and have found a situation that
apparently leads to a "Killed" process or a segmentation fault which looks like
it is due to a NULL pointer dereference in my dmesg output.

This lead me to change some of my original luksFormat parameters from using
benbi for IV generation over to plain64be, which does seem to work.  It also
makes me question whether benbi is a good or bad choice to use for a wide block
XTS mode, as I have been using for years.  Any input?  I'm no expert.

In short, this fails:

# cryptsetup luksFormat \
--cipher=twofish-xts-benbi \
--hash=sha512 \
--verify-passphrase \
--key-size=512 \
--use-random \
--type=luks2 \
--pbkdf=argon2id \
--pbkdf-memory=1048576 \
--pbkdf-parallel=4 \
--pbkdf-force-iterations=5 \
--integrity=hmac-sha256 \
--integrity-no-journal \
--sector-size=4096 \
/dev/kvmhost_vg/root

And, this works:

# cryptsetup luksFormat \
--cipher=twofish-xts-plain64be \
--hash=sha512 \
--verify-passphrase \
--key-size=512 \
--use-random \
--type=luks2 \
--pbkdf=argon2id \
--pbkdf-memory=1048576 \
--pbkdf-parallel=4 \
--pbkdf-force-iterations=5 \
--integrity=hmac-sha256 \
--integrity-no-journal \
--sector-size=4096 \
/dev/kvmhost_vg/root

Some more random information, for which feedback is always appreciated:

My rationale for using benbi might have always been way off base.  I have been
known to use pvmove to "defrag" my lvm2 volumes in the past and have always
been worried about this somehow breaking my encryption.  It never has broken
with benbi, and as I understood it, the IV counters would start at 1 and never
be tied directly to any physical harddrive sector.  However, maybe LVM
"sectors," since this occurs before the encryption, is what the IVs have always
been based upon.  Does anybody know if there is any truth in that?  I have not
decided to "defrag" my lvm2 volumes in ages.  In any case, I can live with
plain64 or plain64be, especially if I have been doing it wrong all along!
Mainly, I wanted maintainers to be aware of this crash.

Thank You,

Jerad Simpson



-- Package-specific info:

-- System Information:
Debian Release: 10.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_DIE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cryptsetup depends on:
ii  cryptsetup-initramfs  2:2.1.0-5+deb10u2
ii  cryptsetup-run        2:2.1.0-5+deb10u2

cryptsetup recommends no packages.

cryptsetup suggests no packages.

-- no debconf information

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>:
Bug#941051; Package cryptsetup. (Sun, 05 Jan 2020 18:21:03 GMT) (full text, mbox, link).

Acknowledgement sent to Bernhard Übelacker <bernhardu@mailbox.org>:
Extra info received and forwarded to list. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>. (Sun, 05 Jan 2020 18:21:03 GMT) (full text, mbox, link).

Message #10 received at 941051@bugs.debian.org (full text, mbox, reply):

From: Bernhard Übelacker <bernhardu@mailbox.org>
To: 941051@bugs.debian.org
Cc: Jerad Simpson <jbsimpson@gmail.com>
Subject: Re: Bug#941051: cryptsetup: luksFormat crash with benbi IV generator and LUKS2 integrity option(s)
Date: Sun, 5 Jan 2020 19:19:42 +0100
[Message part 1 (text/plain, inline)]
Dear Maintainer,
I just tried to reproduce the issue, but always
got a kernel oops instead of a usermode exception.
Therefore I guess this issue might be reassigned to src:linux?

By further looking it seems that in crypto_tfm_alg_blocksize
the __crt_alg member is dereferenced unconditionally while
containing a null pointer.

This could be reproduced in a minimal VM running
stable with 4.19.0-6-amd64 or unstable with 5.4.0-1-amd64.

Kind regards,
Bernhard


[Sa Jan  4 17:08:33 2020] alg: No test for authenc(hmac(sha256),xts(twofish)) (authenc(hmac(sha256-generic),xts(ecb-twofish-3way)))
[Sa Jan  4 17:08:33 2020] BUG: kernel NULL pointer dereference, address: 0000000000000028
[Sa Jan  4 17:08:33 2020] #PF: supervisor read access in kernel mode
[Sa Jan  4 17:08:33 2020] #PF: error_code(0x0000) - not-present page
[Sa Jan  4 17:08:33 2020] PGD 0 P4D 0 
[Sa Jan  4 17:08:33 2020] Oops: 0000 [#1] SMP NOPTI
[Sa Jan  4 17:08:33 2020] CPU: 7 PID: 4875 Comm: cryptsetup Not tainted 5.4.0-1-amd64 #1 Debian 5.4.6-1
[Sa Jan  4 17:08:33 2020] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[Sa Jan  4 17:08:33 2020] RIP: 0010:crypt_iv_benbi_ctr+0x18/0x60 [dm_crypt]
[Sa Jan  4 17:08:33 2020] Code: 00 00 00 b9 ff ff ff ff 0f bd 8f b0 00 00 00 d3 e8 c3 66 66 66 66 90 48 8b 87 a8 00 00 00 b9 ff ff ff ff 48 8b 00 48 8b 40 60 <8b> 50 24 b8 01 00 00 00 0f bd ca d3 e0 39 d0 75 15 83 f9 09 7f 1e

[debugging.txt (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>:
Bug#941051; Package cryptsetup. (Sun, 05 Jan 2020 19:12:05 GMT) (full text, mbox, link).

Acknowledgement sent to Milan Broz <gmazyland@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>. (Sun, 05 Jan 2020 19:12:05 GMT) (full text, mbox, link).

Message #15 received at 941051@bugs.debian.org (full text, mbox, reply):

From: Milan Broz <gmazyland@gmail.com>
To: Bernhard Übelacker <bernhardu@mailbox.org>, 941051@bugs.debian.org
Cc: Jerad Simpson <jbsimpson@gmail.com>
Subject: Re: Bug#941051: cryptsetup: luksFormat crash with benbi IV generator and LUKS2 integrity option(s)
Date: Sun, 5 Jan 2020 20:07:15 +0100
Hi,

this is an apparent bug in upstream kernel.

I fixed it in my git, please could you verify it works for you? Patch is in this branch:
  https://git.kernel.org/pub/scm/linux/kernel/git/mbroz/linux.git/log/?h=dm-cryptsetup

(and let me know if you want to add reported-and-tested-by tag with your name)

Thanks for the report!

Milan

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>:
Bug#941051; Package cryptsetup. (Mon, 06 Jan 2020 03:09:03 GMT) (full text, mbox, link).

Acknowledgement sent to Bernhard Übelacker <bernhardu@mailbox.org>:
Extra info received and forwarded to list. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>. (Mon, 06 Jan 2020 03:09:03 GMT) (full text, mbox, link).

Message #20 received at 941051@bugs.debian.org (full text, mbox, reply):

From: Bernhard Übelacker <bernhardu@mailbox.org>
To: Milan Broz <gmazyland@gmail.com>
Cc: 941051@bugs.debian.org, Jerad Simpson <jbsimpson@gmail.com>
Subject: Re: Bug#941051: cryptsetup: luksFormat crash with benbi IV generator and LUKS2 integrity option(s)
Date: Mon, 6 Jan 2020 04:06:54 +0100
Hello Milan,
thanks for the fast response - I currently try to build a
package with your patch, but I guess this could take some time...

And I don't know what the usual approach is,
but the original reporter is probably Jerad?
(@Jerad maybe you could confirm your issue is the
same that I was seeing in dmesg?)

I hope the build finishes and I can report back then.

Kind regards,
Bernhard

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>:
Bug#941051; Package cryptsetup. (Mon, 06 Jan 2020 09:18:02 GMT) (full text, mbox, link).

Acknowledgement sent to Milan Broz <gmazyland@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>. (Mon, 06 Jan 2020 09:18:02 GMT) (full text, mbox, link).

Message #25 received at 941051@bugs.debian.org (full text, mbox, reply):

From: Milan Broz <gmazyland@gmail.com>
To: Bernhard Übelacker <bernhardu@mailbox.org>
Cc: 941051@bugs.debian.org, Jerad Simpson <jbsimpson@gmail.com>
Subject: Re: Bug#941051: cryptsetup: luksFormat crash with benbi IV generator and LUKS2 integrity option(s)
Date: Mon, 6 Jan 2020 10:14:58 +0100
I sent patch upstream, if you could, please reply directly to the dm-devel list:

https://www.redhat.com/archives/dm-devel/2020-January/msg00012.html

Thanks!

Milan

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>:
Bug#941051; Package cryptsetup. (Mon, 06 Jan 2020 14:39:02 GMT) (full text, mbox, link).

Acknowledgement sent to Jerad Simpson <jbsimpson@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>. (Mon, 06 Jan 2020 14:39:02 GMT) (full text, mbox, link).

Message #30 received at 941051@bugs.debian.org (full text, mbox, reply):

From: Jerad Simpson <jbsimpson@gmail.com>
To: Bernhard Übelacker <bernhardu@mailbox.org>,Milan Broz <gmazyland@gmail.com>
Cc: 941051@bugs.debian.org
Subject: Re: Bug#941051: cryptsetup: luksFormat crash with benbi IV generator and LUKS2 integrity option(s)
Date: Mon, 06 Jan 2020 14:36:26 +0000
Thank you for the attention on this one.  I have been away from home, but yes, it was a kernel oops in my logs, looking very similar, if not identical to what I've seen on the recent activity here.  I can test patches in the next week or two.

Thanks Again,

On January 6, 2020 3:06:54 AM UTC, "Bernhard Übelacker" <bernhardu@mailbox.org> wrote:
>Hello Milan,
>thanks for the fast response - I currently try to build a
>package with your patch, but I guess this could take some time...
>
>And I don't know what the usual approach is,
>but the original reporter is probably Jerad?
>(@Jerad maybe you could confirm your issue is the
>same that I was seeing in dmesg?)
>
>I hope the build finishes and I can report back then.
>
>Kind regards,
>Bernhard


-- 
Jerad Simpson

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>:
Bug#941051; Package cryptsetup. (Tue, 07 Jan 2020 13:00:03 GMT) (full text, mbox, link).

Acknowledgement sent to Bernhard Übelacker <bernhardu@mailbox.org>:
Extra info received and forwarded to list. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>. (Tue, 07 Jan 2020 13:00:03 GMT) (full text, mbox, link).

Message #35 received at 941051@bugs.debian.org (full text, mbox, reply):

From: Bernhard Übelacker <bernhardu@mailbox.org>
To: 941051@bugs.debian.org
Cc: Milan Broz <gmazyland@gmail.com>, Jerad Simpson <jbsimpson@gmail.com>
Subject: Re: Bug#941051: cryptsetup: luksFormat crash with benbi IV generator and LUKS2 integrity option(s)
Date: Tue, 7 Jan 2020 13:56:06 +0100
[Message part 1 (text/plain, inline)]
Dear Maintainer,
I rebuilt a linux-image package with the patch applied
and the submitters' cryptsetup command finished
without visible error to me.
(console output and dmesg in second half of attached file.)

Due to my limited knowledge of cryptsetup I guess Jerad
could better judge if the resulting device is working
properly afterwards.

Kind regards,
Bernhard

[debugging2.txt (text/plain, attachment)]

Reply sent to Guilhem Moulin <guilhem@debian.org>:
You have taken responsibility. (Fri, 05 Aug 2022 10:33:03 GMT) (full text, mbox, link).

Notification sent to Jerad Simpson <jbsimpson@gmail.com>:
Bug acknowledged by developer. (Fri, 05 Aug 2022 10:33:03 GMT) (full text, mbox, link).

Message #40 received at 941051-close@bugs.debian.org (full text, mbox, reply):

From: Guilhem Moulin <guilhem@debian.org>
To: 941051-close@bugs.debian.org
Subject: Re: Bug#941051: cryptsetup: luksFormat crash with benbi IV generator and LUKS2 integrity option(s)
Date: Fri, 5 Aug 2022 12:28:55 +0200
[Message part 1 (text/plain, inline)]
On Tue, 24 Sep 2019 at 01:23:45 +0000, Jerad Simpson wrote:
> In short, this fails:
>
> # cryptsetup luksFormat \
> --cipher=twofish-xts-benbi \
> --hash=sha512 \
> --verify-passphrase \
> --key-size=512 \
> --use-random \
> --type=luks2 \
> --pbkdf=argon2id \
> --pbkdf-memory=1048576 \
> --pbkdf-parallel=4 \
> --pbkdf-force-iterations=5 \
> --integrity=hmac-sha256 \
> --integrity-no-journal \
> --sector-size=4096 \
> /dev/kvmhost_vg/root
>
> And, this works:
>
> # cryptsetup luksFormat \
> --cipher=twofish-xts-plain64be \
> --hash=sha512 \
> --verify-passphrase \
> --key-size=512 \
> --use-random \
> --type=luks2 \
> --pbkdf=argon2id \
> --pbkdf-memory=1048576 \
> --pbkdf-parallel=4 \
> --pbkdf-force-iterations=5 \
> --integrity=hmac-sha256 \
> --integrity-no-journal \
> --sector-size=4096 \
> /dev/kvmhost_vg/root

Seems this was meanwhile fixed in linux 4.19.118-1 resp. 5.4.19-1, and upstream
since https://mirrors.edge.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.103
resp. https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.4.19 .
I'm indeed unable to reproduce this in an up-to-date Buster/Bullseye/sid
VM.

-- 
Guilhem.

[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 03 Sep 2022 07:27:39 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Aug 20 19:03:24 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.