[Openswan Users] Cause of kernel bug in AES_set_key
Armin Krauss
openswan at armin-krauss.de
Mon Apr 12 16:04:49 EDT 2010
Hello everybody,
I've been struggling with the following bug for quite a while and finally
found the kernel feature causing it. Since I've seen others experiencing the
same problem I would like to share my knowledge.
The bug occurs for me using a vanilla kernel in conjunction with openswan
and klips. I first saw it with kernel version 2.6.23 and openswan 2.6.22,
if I'm not mistaken. It results in the following bug right after starting
openswan:
BUG: unable to handle kernel NULL pointer dereference at 00000000
IP: [<f865a6ad>] aes_32+0x3/0x496 [ipsec]
*pde = 00000000
Oops: 0002 [#1] SMP
last sysfs file: /sys/devices/platform/w83627ehf.656/cpu0_vid
Modules linked in: lp tun capi kernelcapi capifs ipt_MASQUERADE xt_MARK
ipt_REDIRECT xt_limit xt_state ipt_REJECT ipt_LOG iptable_nat iptable_mangle
nf_nat_ftp nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack_ftp
nf_conntrack ipsec serpent blowfish twofish twofish_common xcbc cbc md5
sha256_generic sha512_generic des_generic xt_TCPMSS xt_tcpmss xt_tcpudp
iptable_filter ip_tables x_tables pppoe pppox ppp_generic slhc dm_snapshot
dm_round_robin dm_multipath w83627ehf ov511 ovcamchip hwmon_vid eeprom
ide_cd_mod snd_via82xx k8temp hwmon snd_ac97_codec snd_pcsp ac97_bus
snd_mpu401_uart snd_usb_audio snd_usb_lib via_rhine snd_rawmidi i2c_viapro
gspca_sunplus gspca_main videodev v4l1_compat parport_pc parport
Pid: 4417, comm: pluto Not tainted (2.6.28.10-2 #1) MS-7312
EIP: 0060:[<f865a6ad>] EFLAGS: 00210212 CPU: 0
EIP is at aes_32+0x3/0x496 [ipsec]
EAX: f67cf000 EBX: 00000208 ECX: 00000004 EDX: 00000000
ESI: f67cf800 EDI: f67cf208 EBP: f6115b40 ESP: f6115b2c
DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process pluto (pid: 4417, ti=f6114000 task=f7033600 task.ti=f6114000)
Stack:
f67cf208 f67cf800 00000208 f6115b5c c016d104 f6115b50 00200212 f8658f53
00000000 f6115b58 f8658c86 f6115b7c f8655cfa 00000010 00000000 f67cf000
f868426c 00000003 f67cf800 f864cf51 f6115c74 f863ad50 f6115e64 5d62442d
Call Trace:
[<c016d104>] ? __kmalloc+0x77/0xae
[<f8658f53>] ? AES_set_key+0xa/0x17 [ipsec]
[<f8658c86>] ? _aes_set_key+0xf/0x19 [ipsec]
[<f8655cfa>] ? ipsec_alg_enc_key_create+0x1cf/0x284 [ipsec]
[<f864cf51>] ? pfkey_key_process+0x0/0x19f [ipsec]
[<f863ad50>] ? ipsec_sa_init+0x4f7/0x8ce [ipsec]
[<c046c493>] ? fn_hash_lookup+0x38/0x89
[<c04686a0>] ? __inet_dev_addr_type+0x71/0xa8
[<f864cf51>] ? pfkey_key_process+0x0/0x19f [ipsec]
[<f864a29b>] ? pfkey_add_parse+0x1c2/0x6eb [ipsec]
[<c042a962>] ? __alloc_skb+0x49/0xf8
[<f864fc08>] ? pfkey_msg_parse+0x466/0x5ea [ipsec]
[<f864cf51>] ? pfkey_key_process+0x0/0x19f [ipsec]
[<f86481b2>] ? pfkey_msg_interp+0x236/0x29c [ipsec]
[<f8647d34>] ? pfkey_sendmsg+0x2b1/0x3c1 [ipsec]
[<c0424721>] ? sock_aio_write+0xe8/0xf5
[<c04c145b>] ? do_page_fault+0x36c/0x6a9
[<c016f61c>] ? do_sync_write+0xab/0xe9
[<c0171f9c>] ? cp_new_stat64+0xe4/0xf6
[<c013459a>] ? autoremove_wake_function+0x0/0x33
[<c016f335>] ? fsnotify_access+0x4f/0x5a
[<c016fd4f>] ? vfs_write+0x8d/0xad
[<c016fe08>] ? sys_write+0x3b/0x60
[<c0102f06>] ? syscall_call+0x7/0xb
Code: 89 e5 83 ec 08 53 56 57 8b 55 0c 8b 4d 14 81 f9 80 00 00 00 72 03 c1
e9 03 83 f9 20 74 0a 83 f9 18 74 05 b9 10 00 00 00 c1 e9 02 <89> 0a 8d 41 06
89 42 04 8b 75 10 8d 7a 08 fc 55 89 c8 f3 a5 8b
EIP: [<f865a6ad>] aes_32+0x3/0x496 [ipsec] SS:ESP 0068:f6115b2c
---[ end trace 72bde90d89f5c18c ]---
Playing around with kernel features I finally found the switch to a working
configuration in the following parameter:
You have to disable CONFIG_FRAME_POINTER in the kernel hacking section
(caption: Compile the kernel with frame pointers).
I was able to reproduce the bug up to the current kernel and openswan versions
(last checked: kernel 2.6.31.13 and openswan 2.6.24). I couldn't check
openswan 2.6.25 due to another problem, but never mind. Configuring
CONFIG_FRAME_POINTER=y always gave me the kernel bug and changing it to
disabled did the trick.
Hopefully this will help others, too.
Regards,
Armin Krauss
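
The check below is an added example, not part of the original post or of Openswan: a shell triage helper that tests a kernel config file for CONFIG_FRAME_POINTER=y and a saved kernel log for the aes_32 fault reached through AES_set_key, the combination the post reports. The function names, verdict strings and sample files are assumptions of this example; the sample log lines are copied from the trace above.

```shell
#!/bin/sh
# Added example (not from the original post): triage for the KLIPS aes_32 oops.
# Function names and verdict strings are this example's own.

# Print enabled / disabled / unknown for CONFIG_FRAME_POINTER in a kernel config file.
frame_pointer_state() {
    if grep -q '^CONFIG_FRAME_POINTER=y$' "$1"; then
        echo enabled
    elif grep -q '^# CONFIG_FRAME_POINTER is not set$' "$1"; then
        echo disabled
    else
        echo unknown   # option not mentioned in this config file
    fi
}

# Succeed only if the log shows the fault in aes_32 [ipsec] with AES_set_key in the trace.
has_aes32_oops() {
    grep -Eq 'IP: \[<[0-9a-f]+>\] aes_32\+0x[0-9a-f]+/0x[0-9a-f]+ \[ipsec\]' "$1" &&
        grep -Eq 'AES_set_key\+0x[0-9a-f]+/0x[0-9a-f]+ \[ipsec\]' "$1"
}

# triage CONFIG LOG -> match | oops-only | config-only | clear
triage() {
    fp=$(frame_pointer_state "$1")
    if has_aes32_oops "$2"; then
        if [ "$fp" = enabled ]; then echo match; else echo oops-only; fi
    elif [ "$fp" = enabled ]; then
        echo config-only
    else
        echo clear
    fi
}

# Constructed sample inputs: three oops lines copied from the post, one-line configs.
make_samples() {
    printf '%s\n' \
        'BUG: unable to handle kernel NULL pointer dereference at 00000000' \
        'IP: [<f865a6ad>] aes_32+0x3/0x496 [ipsec]' \
        '[<f8658f53>] ? AES_set_key+0xa/0x17 [ipsec]' > "$1/oops.log"
    echo 'CONFIG_FRAME_POINTER=y' > "$1/config.fp"
    echo '# CONFIG_FRAME_POINTER is not set' > "$1/config.nofp"
    : > "$1/empty.log"
}

# Demo on the constructed samples.
d=$(mktemp -d)
make_samples "$d"
triage "$d/config.fp" "$d/oops.log"    # prints: match
rm -rf "$d"
```

On a real machine, pass the config the kernel was built from (its .config, or /boot/config-$(uname -r) where the distribution installs one) and a file holding saved dmesg output.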