[pkg-cryptsetup-devel] Bug#1006802: cryptdisks_stop should process crypttab entries in reverse order

Guenther Brunthaler gbrun at gmx.at
Sat Mar 5 12:13:57 GMT 2022


Package: cryptsetup
Version: 2:2.3.7-1+deb11u1

### Issue description

When creating nested dmcrypt mappings in /etc/crypttab,
cryptdisks_start processes them from top to bottom.

This means that some encrypted base device will be unlocked before any
nested encrypted devices based on it.

While this works fine for unlocking the encrypted disks, cryptdisks_stop
tries to remove the dmcrypt mappings in the same order, which is clearly
wrong: It tries to remove the base mapping before any mappings based on
it, which will fail because the base mapping is "busy" at that point.

### Steps for reproducing the issue

Here is an example of a crypttab demonstrating the issue:

# <target name>  <source device>  <key file>  <options>
swap-myhost-pre4-dec  PARTUUID=88888888-02  unused_dummy  plain,noearly,cipher=aes-cbc-plain64,size=128,hash=sha256,keyscript=/etc/libexec/gen_hq_rand_psw
swap-myhost-pre3-dec  /dev/mapper/swap-myhost-pre4-dec  unused_dummy  plain,noearly,cipher=blowfish-pcbc-essiv:sha256,size=128,hash=sha256,keyscript=/etc/libexec/gen_hq_rand_psw
swap-myhost-pre2-dec  /dev/mapper/swap-myhost-pre3-dec  unused_dummy  plain,noearly,cipher=aes-ctr-plain64,size=128,hash=sha256,keyscript=/etc/libexec/gen_hq_rand_psw
swap-myhost-pre-dec  /dev/mapper/swap-myhost-pre2-dec  unused_dummy  plain,noearly,cipher=aes-xts-benbi,size=256,hash=sha256,keyscript=/etc/libexec/gen_hq_rand_psw
swap-myhost-dec  /dev/mapper/swap-myhost-pre-dec  unused_dummy  plain,swap,noearly,cipher=serpent-pcbc-essiv:sha256,size=256,hash=sha256,keyscript=/etc/libexec/gen_hq_rand_psw

The referenced key script (/etc/libexec/gen_hq_rand_psw) and another
helper script file used by it
(/etc/libexec/cached/keygen-octets-by-harvesting-entropy) have been
attached to this report.

### Expected behaviour

The cryptdisks_stop script should process the crypttab entries in the
reverse order of how cryptdisks_start processes them.

### External links

The original bug report, delivered to upstream first by mistake:

https://gitlab.com/cryptsetup/cryptsetup/-/issues/719#note_863814204
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gen_hq_rand_psw
Type: application/octet-stream
Size: 202 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/attachments/20220305/a476639b/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: keygen-octets-by-harvesting-entropy
Type: application/octet-stream
Size: 2704 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/attachments/20220305/a476639b/attachment-0001.obj>
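
The teardown ordering requested in the report above, as an added example that is not part of the original message and not cryptsetup's own code. It goes one step beyond plain reversal by ordering on the dependencies themselves, assuming nesting is written as /dev/mapper/<target> in the source column; the function names and the shortened options in the sample are assumptions.

```sh
#!/bin/sh
# Added example, not part of cryptsetup: print crypttab targets in an order
# in which they can be closed. Assumption: a nested mapping names its parent
# as /dev/mapper/<target>; UUID=, PARTUUID= and LABEL= sources are treated
# as plain base devices and are not resolved.
crypttab_stop_order() {
    awk '
    function emit(i,    j) {
        if (done[i]) return          # visited; also stops dependency loops
        done[i] = 1
        # Everything stacked on top of this mapping has to be closed first.
        for (j = n; j >= 1; j--)
            if (src[j] == "/dev/mapper/" name[i]) emit(j)
        print name[i]
    }
    NF == 0 || $1 ~ /^#/ { next }    # skip blank lines and comments
    { n++; name[n] = $1; src[n] = $2 }
    # Walk the file bottom-up, so independent entries come out reversed.
    END { for (i = n; i >= 1; i--) emit(i) }
    ' "$@"
}

# Constructed sample: the five-layer stack from the report, with the
# options column shortened to "plain".
sample_crypttab() {
    cat <<'EOF'
# <target name>  <source device>  <key file>  <options>
swap-myhost-pre4-dec  PARTUUID=88888888-02              unused_dummy  plain
swap-myhost-pre3-dec  /dev/mapper/swap-myhost-pre4-dec  unused_dummy  plain
swap-myhost-pre2-dec  /dev/mapper/swap-myhost-pre3-dec  unused_dummy  plain
swap-myhost-pre-dec   /dev/mapper/swap-myhost-pre2-dec  unused_dummy  plain
swap-myhost-dec       /dev/mapper/swap-myhost-pre-dec   unused_dummy  plain,swap
EOF
}

# Print the close order for the sample, outermost mapping first.
sample_crypttab | crypttab_stop_order
```

Each printed name can be closed in turn because every mapping that uses it as a source has already been listed.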

