[pkg-cryptsetup-devel] Bug#762297: cryptsetup: fails to create tmp filesystem due to false positive from blkid
Zygo Blaxell
zblaxell at thirteen.furryterror.org
Sat Sep 20 20:07:18 UTC 2014
Package: cryptsetup
Version: 2:1.6.6-1
Severity: normal
un_blkid is not a suitable precheck for plain dm-crypt 'tmp' or 'swap'
devices: every run writes ciphertext under a fresh random key, and that
ciphertext is effectively random bytes, so a later run's blkid scan will
occasionally match some filesystem signature left over from the previous
run. When such a false positive makes the precheck fail, the mapping is
not created and the system silently falls back to unencrypted storage,
which is an information-disclosure bug in some configurations (see below).
I had an example of this today:
root at host:~# grep tmp /etc/crypttab
tmp /dev/vgroup/tmp /dev/urandom size=256,cipher=aes-xts-plain,tmp=btrfs
root at host:~# cryptdisks_start tmp
Starting crypto disk...tmp (starting)...
tmp: the precheck for '/dev/vgroup/tmp' failed: - The device /dev/vgroup/tmp contains a filesystem type hfs. ... (warning).
tmp (failed)...failed.
root at host:~# blkid /dev/vgroup/tmp
/dev/vgroup/tmp: UUID="dba39fe4-922e-3fc4-963c-835245a69787" LABEL="0(M-G^W^Yr>~M-2 m{lM- M-8tM-^L^Z0 [nM-BM-^Y))M-^TvM-rM-;tuM-^O^CM-^YM-T'M-^\M-`xM-^]M-eM-I;M-&9M-^[M-`y^\M-\M-^UM-O<M-IsM-LBtM-9M-$1M-^M" TYPE="hfs"
'/dev/vgroup/tmp' contained an encrypted filesystem under a random key
(as it always does). On the previous run, that random-looking ciphertext
happened to satisfy blkid's HFS detection logic (note the garbage LABEL
above, which is just decoded ciphertext). Because the precheck failed,
/dev/mapper/tmp was never created and never mounted, so the system
continued booting with /tmp as a plain directory on the root filesystem
and every file written to /tmp landed on disk unencrypted. A failing
precheck on a random-key volume should not degrade silently to
unencrypted storage: either the precheck must be skipped for devices
keyed from /dev/urandom, or the failure must stop the boot loudly.
-- Package-specific info:
-- /proc/cmdline
BOOT_IMAGE=/vmlinuz root=/dev/mapper/vgroup-root rootflags=compress,subvol=/current ro
-- /etc/crypttab
# <target name> <source device> <key file> <options>
swap /dev/vgroup/swap /dev/urandom size=256,cipher=aes-xts-plain,swap
tmp /dev/vgroup/tmp /dev/urandom size=256,cipher=aes-xts-plain,tmp=btrfs
-- /etc/fstab
# /etc/fstab: static file system information.
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/vgroup/root / auto skip_balance,compress 0 0
/dev/mapper/tmp /tmp auto compress,noatime,nosuid,nodev 0 0
/dev/mapper/swap none swap sw,pri=50 0 0
-- lsmod
Module Size Used by
rpcsec_gss_krb5 39679 0
nfsv4 320976 1
algif_skcipher 17269 0
af_alg 14217 1 algif_skcipher
tun 27226 16
softdog 13319 1
iTCO_wdt 13480 0
iTCO_vendor_support 13419 1 iTCO_wdt
xt_nat 12681 6
xt_tcpudp 12884 35
xt_owner 12534 1
xt_state 12578 7
ip6table_mangle 12700 0
iptable_mangle 12695 1
xt_LOG 17723 7
xt_limit 12711 7
ip6table_nat 13015 0
nf_conntrack_ipv6 18894 1
nf_defrag_ipv6 34712 1 nf_conntrack_ipv6
nf_nat_ipv6 13213 1 ip6table_nat
iptable_nat 13011 1
nf_conntrack_ipv4 20106 8
nf_defrag_ipv4 12702 1 nf_conntrack_ipv4
nf_nat_ipv4 13199 1 iptable_nat
nf_nat 25065 5 nf_nat_ipv4,nf_nat_ipv6,xt_nat,ip6table_nat,iptable_nat
nf_conntrack 100330 8 nf_nat,xt_state,nf_nat_ipv4,nf_nat_ipv6,ip6table_nat,iptable_nat,nf_conntrack_ipv4,nf_conntrack_ipv6
ip6table_filter 12815 0
ip6_tables 26808 3 ip6table_filter,ip6table_mangle,ip6table_nat
iptable_filter 12810 1
ip_tables 27026 3 iptable_filter,iptable_mangle,iptable_nat
x_tables 27889 12 ip6table_filter,ip6table_mangle,ip_tables,xt_tcpudp,xt_limit,xt_owner,xt_state,xt_LOG,xt_nat,iptable_filter,iptable_mangle,ip6_tables
ppdev 17635 0
lp 17874 0
rfcomm 69126 0
bnep 19538 2
bluetooth 408222 10 bnep,rfcomm
6lowpan_iphc 18632 1 bluetooth
cpufreq_userspace 12920 0
cpufreq_stats 13351 0
cpufreq_powersave 12618 0
cpufreq_conservative 15314 0
binfmt_misc 17431 1
uinput 17566 1
ctr 13049 2
ccm 17730 2
fuse 91068 1
af_packet 35772 8
nfsd 288113 2
auth_rpcgss 58269 2 nfsd,rpcsec_gss_krb5
nfs_acl 12741 1 nfsd
nfs 236432 2 nfsv4
lockd 93420 2 nfs,nfsd
fscache 106183 2 nfs,nfsv4
sunrpc 276579 14 nfs,nfsd,rpcsec_gss_krb5,auth_rpcgss,lockd,nfsv4,nfs_acl
ipv6 370918 70 ip6table_mangle,nf_defrag_ipv6,nf_nat_ipv6,ip6table_nat,nf_conntrack_ipv6
dummy 12960 0
tcp_illinois 12974 1730
dm_crypt 27366 4
arc4 12615 2
snd_hda_codec_realtek 65855 1
snd_hda_codec_generic 66957 1 snd_hda_codec_realtek
rtl8192cu 98169 0
rtl_usb 22773 1 rtl8192cu
rtlwifi 88192 2 rtl_usb,rtl8192cu
rtl8192c_common 68261 1 rtl8192cu
joydev 17332 0
mac80211 667628 3 rtl_usb,rtlwifi,rtl8192cu
snd_hda_intel 48194 0
snd_hda_codec 129037 3 snd_hda_codec_realtek,snd_hda_codec_generic,snd_hda_intel
snd_hwdep 17650 1 snd_hda_codec
snd_pcm_oss 49638 0
cfg80211 526872 2 mac80211,rtlwifi
snd_mixer_oss 22354 1 snd_pcm_oss
kvm_amd 64190 0
snd_pcm 103361 3 snd_pcm_oss,snd_hda_codec,snd_hda_intel
snd_seq_dummy 12798 0
kvm 464124 1 kvm_amd
snd_seq_oss 38388 0
crct10dif_pclmul 14296 0
crc32_pclmul 13113 0
snd_seq_midi 13324 0
snd_seq_midi_event 14436 2 snd_seq_oss,snd_seq_midi
snd_rawmidi 29474 1 snd_seq_midi
radeon 1380165 1
snd_seq 64876 6 snd_seq_midi_event,snd_seq_oss,snd_seq_dummy,snd_seq_midi
ghash_clmulni_intel 13216 0
ttm 80578 1 radeon
drm_kms_helper 50515 1 radeon
snd_seq_device 14136 5 snd_seq,snd_rawmidi,snd_seq_oss,snd_seq_dummy,snd_seq_midi
aesni_intel 152538 12
drm 287663 4 ttm,drm_kms_helper,radeon
snd_timer 28690 2 snd_pcm,snd_seq
aes_x86_64 17017 1 aesni_intel
eeepc_wmi 13151 0
asus_wmi 24126 1 eeepc_wmi
sparse_keymap 13526 1 asus_wmi
lrw 13144 1 aesni_intel
gf128mul 14332 1 lrw
glue_helper 13538 1 aesni_intel
pcspkr 12718 0
psmouse 106624 0
rfkill 22014 5 cfg80211,bluetooth,asus_wmi
snd 75519 15 snd_hda_codec_realtek,snd_pcm_oss,snd_hwdep,snd_timer,snd_pcm,snd_seq,snd_rawmidi,snd_hda_codec_generic,snd_hda_codec,snd_hda_intel,snd_seq_oss,snd_seq_device,snd_mixer_oss,snd_seq_dummy,snd_seq_midi
ablk_helper 13268 1 aesni_intel
evdev 21857 40
i2c_algo_bit 13257 1 radeon
serio_raw 13413 0
cryptd 19806 7 ghash_clmulni_intel,aesni_intel,ablk_helper
acpi_cpufreq 19393 0
i2c_piix4 22155 0
k10temp 13126 0
video 19421 1 asus_wmi
soundcore 14491 1 snd
rtc_cmos 18494 0
processor 39547 3 acpi_cpufreq
i2c_core 38693 5 drm,i2c_piix4,drm_kms_helper,i2c_algo_bit,radeon
parport_pc 41295 1
parport 40375 3 lp,ppdev,parport_pc
thermal_sys 31483 2 video,processor
button 13745 0
wmi 18804 1 asus_wmi
hwmon 13894 4 k10temp,radeon,thermal_sys,asus_wmi
btrfs 922678 3
xor 21366 1 btrfs
raid6_pq 101472 1 btrfs
dm_mirror 22085 2
dm_region_hash 19732 1 dm_mirror
dm_log 18296 4 dm_region_hash,dm_mirror
dm_snapshot 38637 6
dm_bufio 26831 1 dm_snapshot
sg 36563 0
hid_generic 12548 0
dm_mod 100688 78 dm_log,dm_mirror,dm_bufio,dm_crypt,dm_snapshot
raid1 35341 6
md_mod 121455 7 raid1
nbd 17594 0
crc32c_intel 22079 1
microcode 20045 0
r8169 71828 0
mii 13527 1 r8169
firmware_class 20227 7 r8169,rtlwifi,drm_kms_helper,snd_hda_intel,radeon,microcode,rtl8192cu
ohci_pci 13561 0
ehci_pci 12905 0
ohci_hcd 46927 1 ohci_pci
ehci_hcd 75263 1 ehci_pci
-- System Information:
Debian Release: 7.6
APT prefers stable
APT policy: (500, 'stable'), (189, 'testing'), (179, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.14.19-zb64+ (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages cryptsetup depends on:
ii cryptsetup-bin 2:1.6.6-1
ii debconf [debconf-2.0] 1.5.49
ii dmsetup 2:1.02.90-1
ii libc6 2.19-11
Versions of packages cryptsetup recommends:
ii busybox 1:1.20.0-7
ii console-setup 1.88
ii initramfs-tools [linux-initramfs-tool] 0.116
ii kbd 1.15.3-9
Versions of packages cryptsetup suggests:
ii dosfstools 3.0.26-3
pn keyutils <none>
ii liblocale-gettext-perl 1.05-8
-- debconf information:
cryptsetup/prerm_active_mappings: true