[Openswan Users] Cause of kernel bug in AES_set_key
David McCullough
david_mccullough at mcafee.com
Mon Apr 12 19:46:18 EDT 2010
Jivin Armin Krauss lays it down ...
> Hello everybody,
> I've been struggling with the following bug for quite a while and finally
> found the kernel feature causing it. Since I've seen others experiencing the
> same problem I would like to share my knowledge.
> The bug occurs for me using a vanilla kernel in conjunction with openswan
> and klips. I've seen it first with kernel version 2.6.23 and openswan 2.6.22
> if I'm not mistaking. It results in the following bug right after starting
> openswan:
>
> BUG: unable to handle kernel NULL pointer dereference at 00000000
> IP: [<f865a6ad>] aes_32+0x3/0x496 [ipsec]
> *pde = 00000000
> Oops: 0002 [#1] SMP
> last sysfs file: /sys/devices/platform/w83627ehf.656/cpu0_vid
> Modules linked in: lp tun capi kernelcapi capifs ipt_MASQUERADE xt_MARK
> ipt_REDIRECT xt_limit xt_state ipt_REJECT ipt_LOG iptable_nat iptable_mangle
> nf_nat_ftp nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack_ftp
> nf_conntrack ipsec serpent blowfish twofish twofish_common xcbc cbc md5
> sha256_generic sha512_generic des_generic xt_TCPMSS xt_tcpmss xt_tcpudp
> iptable_filter ip_tables x_tables pppoe pppox ppp_generic slhc dm_snapshot
> dm_round_robin dm_multipath w83627ehf ov511 ovcamchip hwmon_vid eeprom
> ide_cd_mod snd_via82xx k8temp hwmon snd_ac97_codec snd_pcsp ac97_bus
> snd_mpu401_uart snd_usb_audio snd_usb_lib via_rhine snd_rawmidi i2c_viapro
> gspca_sunplus gspca_main videodev v4l1_compat parport_pc parport
>
> Pid: 4417, comm: pluto Not tainted (2.6.28.10-2 #1) MS-7312
> EIP: 0060:[<f865a6ad>] EFLAGS: 00210212 CPU: 0
> EIP is at aes_32+0x3/0x496 [ipsec]
> EAX: f67cf000 EBX: 00000208 ECX: 00000004 EDX: 00000000
> ESI: f67cf800 EDI: f67cf208 EBP: f6115b40 ESP: f6115b2c
> DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
> Process pluto (pid: 4417, ti=f6114000 task=f7033600 task.ti=f6114000)
> Stack:
> f67cf208 f67cf800 00000208 f6115b5c c016d104 f6115b50 00200212 f8658f53
> 00000000 f6115b58 f8658c86 f6115b7c f8655cfa 00000010 00000000 f67cf000
> f868426c 00000003 f67cf800 f864cf51 f6115c74 f863ad50 f6115e64 5d62442d
> Call Trace:
> [<c016d104>] ? __kmalloc+0x77/0xae
> [<f8658f53>] ? AES_set_key+0xa/0x17 [ipsec]
> [<f8658c86>] ? _aes_set_key+0xf/0x19 [ipsec]
> [<f8655cfa>] ? ipsec_alg_enc_key_create+0x1cf/0x284 [ipsec]
> [<f864cf51>] ? pfkey_key_process+0x0/0x19f [ipsec]
> [<f863ad50>] ? ipsec_sa_init+0x4f7/0x8ce [ipsec]
> [<c046c493>] ? fn_hash_lookup+0x38/0x89
> [<c04686a0>] ? __inet_dev_addr_type+0x71/0xa8
> [<f864cf51>] ? pfkey_key_process+0x0/0x19f [ipsec]
> [<f864a29b>] ? pfkey_add_parse+0x1c2/0x6eb [ipsec]
> [<c042a962>] ? __alloc_skb+0x49/0xf8
> [<f864fc08>] ? pfkey_msg_parse+0x466/0x5ea [ipsec]
> [<f864cf51>] ? pfkey_key_process+0x0/0x19f [ipsec]
> [<f86481b2>] ? pfkey_msg_interp+0x236/0x29c [ipsec]
> [<f8647d34>] ? pfkey_sendmsg+0x2b1/0x3c1 [ipsec]
> [<c0424721>] ? sock_aio_write+0xe8/0xf5
> [<c04c145b>] ? do_page_fault+0x36c/0x6a9
> [<c016f61c>] ? do_sync_write+0xab/0xe9
> [<c0171f9c>] ? cp_new_stat64+0xe4/0xf6
> [<c013459a>] ? autoremove_wake_function+0x0/0x33
> [<c016f335>] ? fsnotify_access+0x4f/0x5a
> [<c016fd4f>] ? vfs_write+0x8d/0xad
> [<c016fe08>] ? sys_write+0x3b/0x60
> [<c0102f06>] ? syscall_call+0x7/0xb
> Code: 89 e5 83 ec 08 53 56 57 8b 55 0c 8b 4d 14 81 f9 80 00 00 00 72 03 c1
> e9 03 83 f9 20 74 0a 83 f9 18 74 05 b9 10 00 00 00 c1 e9 02 <89> 0a 8d 41 06
> 89 42 04 8b 75 10 8d 7a 08 fc 55 89 c8 f3 a5 8b
> EIP: [<f865a6ad>] aes_32+0x3/0x496 [ipsec] SS:ESP 0068:f6115b2c
> ---[ end trace 72bde90d89f5c18c ]---
>
> Playing around with kernel features I finally found the switch to a working
> configuration in the following parameter:
> You have to disable CONFIG_FRAME_POINTER in the kernel hacking section
> (caption: Compile the kernel with frame pointers).
> I was able to reproduce the bug up to current kernel and openswan versions
> (last checked: kernel 2.6.31.13 and openswan 2.6.24). I couldn't check
> openswan 2.6.25 due to an other problem but never mind. Configuring
> CONFIG_FRAME_POINTER=y always gave me the kernel bug and changing it to
> disabled did the trick.
Thanks for that. That explains it. We have known about the crash in
openswan own crypto routines for a while and we have been recommending
users switch to the kernel cryptoapi.
This infotmation should help someone (:-) fix the assembler to work with
frame pointers,
Thanks,
Davidm
--
David McCullough, david_mccullough at mcafee.com, Ph:+61 734352815
McAfee - SnapGear http://www.mcafee.com http://www.uCdot.org
More information about the Users
mailing list