[pkg-cryptsetup-devel] Bug#921906: cryptsetup-run: askpass running in initramfs locks up if user types Ctrl+D at the password prompt

Ken Milmore ken.milmore at gmail.com
Sun Feb 10 00:43:26 GMT 2019


Package: cryptsetup-run
Version: 2:2.0.6-1
Severity: normal
Tags: patch

When using an encrypted root file system, the user is prompted to enter
a password to unlock the disk from the initramfs. Typing Ctrl+D immediately
at the password prompt results in the boot locking up, requiring a hard reset.

Steps to reproduce:
- Install Debian, choosing to set up encrypted LVM, e.g. with guided
partitioning.
- When booting the installed system, a prompt of the form "Please unlock
disk sda3_crypt" is displayed.
- Press Ctrl+D instead of entering the passphrase.
- Nothing further is printed on screen. Attempts to enter the
passphrase, or anything else, result in no response.

The problem is in the console backend of the askpass binary, which goes
into an infinite loop calling getline() if an EOF should occur on stdin
at the beginning of a line. The behaviour of getline() with end-of-file
conditions seems to be rather odd in some cases, but if it is entered
with the EOF status already set on the input stream it correctly returns
immediately with a -1 result. As askpass repeatedly calls getline() until
a passphrase is successfully entered, once an EOF happens the first time
it gets stuck in a busy loop.

I circumvented this in the attached patch by clearing the stream flags
on failure, causing the Ctrl+D to be ignored. I'm not sure if this is
quite the ideal behaviour but I suspect it is probably the best that can
be achieved when using cooked input and getline(). Note I have also
fixed the incorrect (but harmless) return of NULL from a bool function.

Another possible workaround is to install plymouth, which causes a
different askpass backend to be used.

-- Package-specific info:

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_CRAP
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cryptsetup-run depends on:
ii  cryptsetup-bin         2:2.0.6-1
ii  debconf [debconf-2.0]  1.5.70
ii  dmsetup                2:1.02.155-1
ii  libc6                  2.28-5

cryptsetup-run recommends no packages.

Versions of packages cryptsetup-run suggests:
ii  dosfstools              4.1-2
pn  keyutils                <none>
ii  liblocale-gettext-perl  1.07-3+b4

-- debconf information excluded
-------------- next part --------------
diff -Nru cryptsetup-2.0.6/debian/askpass.c cryptsetup-2.0.6/debian/askpass.c
--- cryptsetup-2.0.6/debian/askpass.c	2018-12-03 19:16:07.000000000 +0000
+++ cryptsetup-2.0.6/debian/askpass.c	2019-02-09 17:38:19.000000000 +0000
@@ -359,8 +359,10 @@
 	/* Console is in ICANON mode so we'll get entire lines */
 	nread = getline(&consolebuf, &consolebuflen, stdin);
 
-	if (nread < 0)
-		return NULL;
+	if (nread < 0) {
+		clearerr(stdin);
+		return false;
+	};
 
 	/* Strip trailing newline, if any */
 	if (nread > 0 && consolebuf[nread - 1] == '\n') {
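Review bot: the new `nread < 0` branch calls clearerr(stdin) without checking which indicator was set, so it clears a read error as readily as the EOF from Ctrl+D. That is enough when stdin is a terminal and more input can follow, but if stdin is permanently at EOF or in a persistent error state, getline() fails again on the next call, and a caller that retries on `false` (as the report describes) still spins. Consider testing feof(stdin) and ferror(stdin) before clearing, and treating a read error or repeated EOF as fatal instead of returning `false` for another retry. Minor style point: the closing `};` carries a stray semicolon.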

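The sticky-EOF busy loop described in the report, with one way to bound it, as an added example that is not part of the original message or the cryptsetup source. `read_passphrase`, `drain` and `MAX_EOF_RETRIES` are hypothetical names, and the input is a constructed in-memory stream opened with fmemopen().

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical limit (assumption): consecutive EOFs tolerated before giving up. */
#define MAX_EOF_RETRIES 3

enum prompt_result { PROMPT_OK, PROMPT_EOF_LIMIT, PROMPT_IO_ERROR };

/* Read one line from `in` into the getline()-managed buffer *buf.
 * EOF is cleared and retried a bounded number of times: a Ctrl+D on a
 * terminal is ignored, but a stream that stays at EOF ends the loop
 * instead of spinning. Read errors are reported at once, never retried. */
enum prompt_result read_passphrase(FILE *in, char **buf, size_t *cap)
{
	int eofs = 0;

	for (;;) {
		ssize_t nread = getline(buf, cap, in);

		if (nread >= 0) {
			/* Strip trailing newline, if any */
			if (nread > 0 && (*buf)[nread - 1] == '\n')
				(*buf)[nread - 1] = '\0';
			return PROMPT_OK;
		}
		if (ferror(in))
			return PROMPT_IO_ERROR;
		if (++eofs >= MAX_EOF_RETRIES)
			return PROMPT_EOF_LIMIT;
		clearerr(in); /* EOF is sticky: without this each retry fails at once */
	}
}

/* Constructed demo: feed `data` through the reader until it gives up.
 * Returns the number of lines accepted; *last holds the final status. */
int drain(const char *data, enum prompt_result *last)
{
	FILE *in = fmemopen((void *)data, strlen(data), "r");
	char *buf = NULL;
	size_t cap = 0;
	int accepted = 0;

	if (!in) { *last = PROMPT_IO_ERROR; return 0; }
	while ((*last = read_passphrase(in, &buf, &cap)) == PROMPT_OK)
		accepted++;
	free(buf);
	fclose(in);
	return accepted;
}
```

Because the in-memory stream never yields more data after its end, `drain` returns only because of the retry bound; with an unconditional clear-and-retry it would loop forever.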

