[dm-crypt] cryptsetup problem with memory allocation

Belisko Marek marek.belisko at gmail.com
Tue Jul 8 08:22:57 CEST 2014


Hi Milan,

On Fri, Jul 4, 2014 at 6:44 PM, Milan Broz <gmazyland at gmail.com> wrote:
> On 07/04/2014 05:02 PM, Belisko Marek wrote:
>> Hi,
>>
>> On Tue, Jun 24, 2014 at 1:12 AM, Alasdair G Kergon <agk at redhat.com> wrote:
>>>>> I tracked it down that malloc fails (ENOMEM) in libdevmapper and then
>>>>> _dm_check_versions() fails when creating dm task (dmt =
>>>>> dm_task_create(DM_DEVICE_LIST_VERSIONS)).
>>>
>>> After updating to the most recent version you are able to use,
>>> run it under strace and let us see the relevant output (at least the
>>> failing system call itself, what leads up to it, including all early
>>> memory-related system calls and DM ioctls) and any environment variables
>>> set that could modify behaviour.
>> When I update to the latest cryptsetup (1.64) I can see a different error than with 1.62:
>> ioctl(6, DM_VERSION, 0x1e340)     = -1 EACCES (Permission denied)
>> So it seems that gcrypt probably drops privileges (as running on
>> embedded system I'm root)?
>
> Just a guess, but do you have gcrypt compiled with POSIX capabilities?
>
> If so, it cannot work. See this comment in the cryptsetup gcrypt wrapper
> (you can work around it by uncommenting this #if and rebuilding cryptsetup)
#if 1 fixed my problem. Thanks for the help!
>
> lib/crypto_backend/crypto_gcrypt.c:
>
> /* FIXME: If gcrypt compiled to support POSIX 1003.1e capabilities,
>  * it drops all privileges during secure memory initialisation.
>  * For now, the only workaround is to disable secure memory in gcrypt.
>  * cryptsetup always need at least cap_sys_admin privilege for dm-ioctl
>  * and it locks its memory space anyway.
>  */
> #if 0
>                 gcry_control (GCRYCTL_DISABLE_SECMEM);
>                 crypto_backend_secmem = 0;
> #else
>
>                 gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
>                 gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);
>                 gcry_control (GCRYCTL_RESUME_SECMEM_WARN);
> #endif
>
> Milan

BR,

marek

-- 
as simple and primitive as possible
-------------------------------------------------
Marek Belisko - OPEN-NANDRA
Freelance Developer

Ruska Nova Ves 219 | Presov, 08005 Slovak Republic
Tel: +421 915 052 184
skype: marekwhite
twitter: #opennandra
web: http://open-nandra.com
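
The thread's diagnosis is that gcrypt's secure-memory initialisation drops the privileges the dm ioctl needs, which shows up as EACCES even for root. The C below is an added example, not part of the original thread or of cryptsetup: it reads the effective capability mask from `/proc/<pid>/status` and reports whether CAP_SYS_ADMIN is still present. The function names and sample status text are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_ADMIN_BIT 21 /* CAP_SYS_ADMIN in <linux/capability.h> */

/* Constructed samples of /proc/<pid>/status text (not from the thread). */
static const char SAMPLE_ROOT[] =
    "Name:\tcryptsetup\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n";
static const char SAMPLE_DROPPED[] =
    "Name:\tcryptsetup\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n";

/* 1 = CAP_SYS_ADMIN is effective, 0 = it was dropped, -1 = cannot tell. */
int has_cap_sys_admin(const char *status_text)
{
    /* CapEff is never the first line of the file, so anchor on the newline. */
    const char *v = strstr(status_text, "\nCapEff:");
    if (!v) return -1;
    v += strlen("\nCapEff:");
    while (*v == ' ' || *v == '\t') v++;
    if (!isxdigit((unsigned char)*v)) return -1; /* empty or malformed value */
    unsigned long long mask = strtoull(v, NULL, 16);
    return (int)((mask >> CAP_SYS_ADMIN_BIT) & 1ULL);
}

/* Same check for the running process, read from /proc/self/status. */
int self_has_cap_sys_admin(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return has_cap_sys_admin(buf);
}

int main(void)
{
    /* In a real check, call self_has_cap_sys_admin() before and after the
     * gcrypt secure-memory initialisation and compare the two results. */
    printf("sample root=%d sample dropped=%d this process=%d\n",
           has_cap_sys_admin(SAMPLE_ROOT), has_cap_sys_admin(SAMPLE_DROPPED),
           self_has_cap_sys_admin());
    return 0;
}
```

A result that goes from 1 to 0 across the gcrypt initialisation matches the behaviour described in the quoted FIXME comment.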

