Hi,

I've been tracking down the segfault reported in debian bug #381973 (http://bugs.debian.org/381973). See the bug report for steps on how to reproduce it.

It seems to be a problem with the LUKS part of cryptsetup, more specifically:

During "cryptsetup luksOpen" with the previously set 448 bit (56 byte) key, we'll have the following call chain:

main -> action_luksOpen -> crypt_job -> __crypt_luks_open -> LUKS_open_any_key -> LUKS_open_key -> AF_merge

AF_merge is being called as:
AF_merge(AfKey,mk->key,mk->keyLength,hdr->keyblock[keyIndex].stripes);

mk->keyLength is here (correctly) set to 56, and mk->key is a statically allocated 32 byte buffer (defined as part of struct luks_masterkey in luks.h).

This will lead the last call to XORblock in AF_merge to scribble 56 - 32 bytes outside that buffer, thus corrupting the stack and leading to interesting crashes in unrelated places later.

I'm not familiar enough with the LUKS code to suggest a fix... Clemens?

--
David Härdeman

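The length mismatch described in the report, shown with the guard the unchecked call lacks. This is an added example, not David's or cryptsetup's code: `af_merge_checked`, `xorblock`, `MK_KEY_BUFSIZE` and the sample stripes are assumptions, and the stand-in only XORs the stripes together, omitting the real AF_merge's diffusion step between stripes.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for the fixed-size mk->key buffer named in the report
 * (32 bytes in struct luks_masterkey); assumed size for this example. */
#define MK_KEY_BUFSIZE 32

/* XORblock as described in the mail: xor `len` bytes of src into dst. */
static void xorblock(const unsigned char *src, unsigned char *dst, size_t len)
{
    for (size_t i = 0; i < len; i++)
        dst[i] ^= src[i];
}

/* Simplified AF_merge: folds `stripes` blocks of `keylen` bytes from
 * `stripedkey` into `dst` by XOR. Unlike the call in the report, it checks
 * keylen against the destination capacity and returns -1 instead of
 * writing keylen - dst_cap bytes past the end of dst. */
int af_merge_checked(const unsigned char *stripedkey, unsigned char *dst,
                     size_t dst_cap, size_t keylen, unsigned int stripes)
{
    if (keylen == 0 || stripes == 0 || keylen > dst_cap)
        return -1;
    memset(dst, 0, keylen);
    for (unsigned int i = 0; i < stripes; i++)
        xorblock(stripedkey + (size_t)i * keylen, dst, keylen);
    return 0;
}

/* The case from the bug: a 448-bit (56-byte) key merged into the 32-byte
 * buffer. With the guard this returns -1 rather than corrupting the stack.
 * Stripe contents are constructed sample data. */
int try_merge_448bit_key(void)
{
    unsigned char mk_key[MK_KEY_BUFSIZE];
    unsigned char striped[56 * 4]; /* 4 stripes of 56 bytes, constructed */
    memset(striped, 0x5a, sizeof striped);
    return af_merge_checked(striped, mk_key, sizeof mk_key, 56, 4);
}

/* A key that fits (256-bit, 3 stripes of 0x5a); returns the merged first
 * byte so the XOR fold itself can be checked: 0x5a ^ 0x5a ^ 0x5a = 0x5a. */
int merge_256bit_key_first_byte(void)
{
    unsigned char mk_key[MK_KEY_BUFSIZE];
    unsigned char striped[32 * 3]; /* 3 stripes of 32 bytes, constructed */
    memset(striped, 0x5a, sizeof striped);
    if (af_merge_checked(striped, mk_key, sizeof mk_key, 32, 3) != 0)
        return -1;
    return mk_key[0];
}
```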