[Openswan Users] Cause of kernel bug in AES_set_key

David McCullough david_mccullough at mcafee.com
Mon Apr 12 19:46:18 EDT 2010


Jivin Armin Krauss lays it down ...
> Hello everybody,
> I've been struggling with the following bug for quite a while and finally 
> found the kernel feature causing it. Since I've seen others experiencing the 
> same problem I would like to share my knowledge.
> The bug occurs for me using a vanilla kernel in conjunction with openswan 
> and klips. I've seen it first with kernel version 2.6.23 and openswan 2.6.22 
> if I'm not mistaking. It results in the following bug right after starting 
> openswan:
> 
> BUG: unable to handle kernel NULL pointer dereference at 00000000
> IP: [<f865a6ad>] aes_32+0x3/0x496 [ipsec]
> *pde = 00000000
> Oops: 0002 [#1] SMP
> last sysfs file: /sys/devices/platform/w83627ehf.656/cpu0_vid
> Modules linked in: lp tun capi kernelcapi capifs ipt_MASQUERADE xt_MARK 
> ipt_REDIRECT xt_limit xt_state ipt_REJECT ipt_LOG iptable_nat iptable_mangle 
> nf_nat_ftp nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack_ftp 
> nf_conntrack ipsec serpent blowfish twofish twofish_common xcbc cbc md5 
> sha256_generic sha512_generic des_generic xt_TCPMSS xt_tcpmss xt_tcpudp 
> iptable_filter ip_tables x_tables pppoe pppox ppp_generic slhc dm_snapshot 
> dm_round_robin dm_multipath w83627ehf ov511 ovcamchip hwmon_vid eeprom 
> ide_cd_mod snd_via82xx k8temp hwmon snd_ac97_codec snd_pcsp ac97_bus 
> snd_mpu401_uart snd_usb_audio snd_usb_lib via_rhine snd_rawmidi i2c_viapro 
> gspca_sunplus gspca_main videodev v4l1_compat parport_pc parport
> 
> Pid: 4417, comm: pluto Not tainted (2.6.28.10-2 #1) MS-7312
> EIP: 0060:[<f865a6ad>] EFLAGS: 00210212 CPU: 0
> EIP is at aes_32+0x3/0x496 [ipsec]
> EAX: f67cf000 EBX: 00000208 ECX: 00000004 EDX: 00000000
> ESI: f67cf800 EDI: f67cf208 EBP: f6115b40 ESP: f6115b2c
>  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
> Process pluto (pid: 4417, ti=f6114000 task=f7033600 task.ti=f6114000)
> Stack:
>  f67cf208 f67cf800 00000208 f6115b5c c016d104 f6115b50 00200212 f8658f53
>  00000000 f6115b58 f8658c86 f6115b7c f8655cfa 00000010 00000000 f67cf000
>  f868426c 00000003 f67cf800 f864cf51 f6115c74 f863ad50 f6115e64 5d62442d
> Call Trace:
>  [<c016d104>] ? __kmalloc+0x77/0xae
>  [<f8658f53>] ? AES_set_key+0xa/0x17 [ipsec]
>  [<f8658c86>] ? _aes_set_key+0xf/0x19 [ipsec]
>  [<f8655cfa>] ? ipsec_alg_enc_key_create+0x1cf/0x284 [ipsec]
>  [<f864cf51>] ? pfkey_key_process+0x0/0x19f [ipsec]
>  [<f863ad50>] ? ipsec_sa_init+0x4f7/0x8ce [ipsec]
>  [<c046c493>] ? fn_hash_lookup+0x38/0x89
>  [<c04686a0>] ? __inet_dev_addr_type+0x71/0xa8
>  [<f864cf51>] ? pfkey_key_process+0x0/0x19f [ipsec]
>  [<f864a29b>] ? pfkey_add_parse+0x1c2/0x6eb [ipsec]
>  [<c042a962>] ? __alloc_skb+0x49/0xf8
>  [<f864fc08>] ? pfkey_msg_parse+0x466/0x5ea [ipsec]
>  [<f864cf51>] ? pfkey_key_process+0x0/0x19f [ipsec]
>  [<f86481b2>] ? pfkey_msg_interp+0x236/0x29c [ipsec]
>  [<f8647d34>] ? pfkey_sendmsg+0x2b1/0x3c1 [ipsec]
>  [<c0424721>] ? sock_aio_write+0xe8/0xf5
>  [<c04c145b>] ? do_page_fault+0x36c/0x6a9
>  [<c016f61c>] ? do_sync_write+0xab/0xe9
>  [<c0171f9c>] ? cp_new_stat64+0xe4/0xf6
>  [<c013459a>] ? autoremove_wake_function+0x0/0x33
>  [<c016f335>] ? fsnotify_access+0x4f/0x5a
>  [<c016fd4f>] ? vfs_write+0x8d/0xad
>  [<c016fe08>] ? sys_write+0x3b/0x60
>  [<c0102f06>] ? syscall_call+0x7/0xb
> Code: 89 e5 83 ec 08 53 56 57 8b 55 0c 8b 4d 14 81 f9 80 00 00 00 72 03 c1 
> e9 03 83 f9 20 74 0a 83 f9 18 74 05 b9 10 00 00 00 c1 e9 02 <89> 0a 8d 41 06 
> 89 42 04 8b 75 10 8d 7a 08 fc 55 89 c8 f3 a5 8b
> EIP: [<f865a6ad>] aes_32+0x3/0x496 [ipsec] SS:ESP 0068:f6115b2c
> ---[ end trace 72bde90d89f5c18c ]---
> 
> Playing around with kernel features I finally found the switch to a working 
> configuration in the following parameter:
> You have to disable CONFIG_FRAME_POINTER in the kernel hacking section 
> (caption: Compile the kernel with frame pointers).
> I was able to reproduce the bug up to current kernel and openswan versions 
> (last checked: kernel 2.6.31.13 and openswan 2.6.24). I couldn't check 
> openswan 2.6.25 due to an other problem but never mind. Configuring 
> CONFIG_FRAME_POINTER=y always gave me the kernel bug and changing it to 
> disabled did the trick.

Thanks for that.  That explains it.  We have known about the crash in
openswan own crypto routines for a while and we have been recommending
users switch to the kernel cryptoapi.

This infotmation should help someone (:-) fix the assembler to work with
frame pointers,

Thanks,
Davidm

-- 
David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org


More information about the Users mailing list