Bug#403075: [Pkg-cryptsetup-devel] Bug#403075: cryptsetup luksOpen can kill unrelated processes (out of memory killer)

David Härdeman david at hardeman.nu
Thu Dec 14 18:22:23 UTC 2006


severity 403075 normal
tags 403075 -security
tags 403075 +moreinfo
thanks

On Thu, Dec 14, 2006 at 01:46:33PM +0000, Rob Walker wrote:
>Package: cryptsetup
>Version: 2:1.0.4-8
>Severity: grave
>Tags: security
>Justification: user security hole
>
>If I run cryptsetup luksOpen, giving it a file instead of a device, it tries
>to allocate lots of memory, eventually triggering the oomkiller to kill
>processes.  
>
>A normal user can do this, so this could be used for some kind of
>denial of service attack: system performance will be impaired and processes of
>other users may be killed.  Hence the grave severity.

Ehh.. any user can run a process which uses any amount of memory 
unless you use ulimit.

I agree this would be a bug in cryptsetup, but calling it a user security 
hole is not correct.

>To reproduce
>
>  # produce a dummy file
>  dd if=/dev/zero of=/tmp/foo bs=1k count=1024
>
>  # try to run cryptsetup
>  /sbin/cryptsetup luksOpen /tmp/foo /dev/mapper/_tmp_foo

The first argument after luksOpen should be a device, the second should 
be a mapping name.

/tmp/foo is no device, it's a file.

/dev/mapper/_tmp_foo is no mapping name, it's a complete path.

The correct syntax would be something like:
/sbin/cryptsetup luksOpen /dev/something tmpfoo


Furthermore, I can't reproduce this (using the version currently in unstable):

# dd if=/dev/zero of=/tmp/foo bs=1k count=1024
# losetup -f /tmp/foo
# cryptsetup luksOpen /dev/loop0 tmpfoo
Enter LUKS passphrase: 
/dev/loop0 is not a LUKS partition
# cryptsetup luksFormat /dev/loop0

WARNING!
========
This will overwrite data on /dev/loop0 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: 
Verify passphrase: 
Command successful.
# cryptsetup luksOpen /dev/loop0 footmp
Enter LUKS passphrase: 
key slot 0 unlocked.
Command successful.
# ls -al /dev/mapper/footmp
brw-rw---- 1 root disk 254, 3 2006-12-14 19:14 /dev/mapper/footmp
# cryptsetup remove footmp
# losetup -d /dev/loop0


-- 
David Härdeman

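Added example, not part of the bug report, the reply, or cryptsetup itself: it makes concrete Härdeman's point that an unprivileged user can consume any amount of memory unless a ulimit is in place. What `ulimit -v N` sets from a shell is RLIMIT_AS, the per-process address-space limit. The constructed child program below lowers that limit on itself and then asks for a 2 GiB buffer, standing in for the oversized allocation the reporter saw; the 2 GiB request and the 256 MiB limit are values chosen for this example. Under the limit the request fails inside the offending process (ENOMEM, surfaced by Python as MemoryError); without it the request is normally granted and the pages only become a problem for everyone else once they are touched.

```python
"""Added example (not from the bug report or from cryptsetup): what a
per-process address-space limit does to a runaway allocation.

`ulimit -v N` in a shell lowers RLIMIT_AS for the processes that shell
starts.  Under such a limit a huge malloc()/mmap() fails with ENOMEM in
the offending process (Python raises MemoryError) instead of the kernel
swapping the machine out and the OOM killer picking unrelated victims.
"""
import subprocess
import sys

# Constructed child program: optionally lower its own RLIMIT_AS, then try
# to allocate a 2 GiB buffer (a stand-in for an oversized allocation such
# as the one the reporter observed).  Exit 3 = refused in-process,
# exit 0 = granted.
CHILD = r"""
import resource, sys
limit = int(sys.argv[1])
if limit > 0:
    soft, hard = resource.getrlimit(resource.RLIMIT_AS)
    # Lowering the soft limit needs no privilege; the hard limit is kept.
    resource.setrlimit(resource.RLIMIT_AS, (limit, hard))
try:
    buf = bytearray(2 * 1024 * 1024 * 1024)   # 2 GiB request
except MemoryError:
    sys.exit(3)
sys.exit(0)
"""

REFUSED, GRANTED = 3, 0


def run_allocation(address_space_limit=0):
    """Run CHILD with RLIMIT_AS lowered to address_space_limit bytes
    (0 = inherit the caller's limit) and return its exit status.
    `-I` (isolated mode) keeps the interpreter's own footprint small."""
    proc = subprocess.run(
        [sys.executable, "-I", "-c", CHILD, str(address_space_limit)]
    )
    return proc.returncode


def refused_under_limit(limit_bytes=256 * 1024 * 1024):
    """True when the 2 GiB request is turned down cleanly under the limit."""
    return run_allocation(limit_bytes) == REFUSED


if __name__ == "__main__":
    verdict = {REFUSED: "MemoryError (refused in-process)", GRANTED: "granted"}
    print("with 256 MiB RLIMIT_AS :", verdict.get(refused_under_limit() and REFUSED or GRANTED))
    # Without a limit the request usually succeeds because the kernel
    # overcommits untouched pages; touching them later is what drags in
    # the OOM killer, which is the situation the reporter described.
    print("without a limit        :", verdict.get(run_allocation(), "unexpected exit"))
```

The same effect is obtained interactively with `ulimit -v 262144` (KiB) in the shell before running the command under test; the example only shows the mechanism in a form that can be run and checked without root or a block device.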