Public bug reported:
Upstream bug: https://gitlab.com/cryptsetup/cryptsetup/-/issues/627
This is a latent bug in cryptsetup versions before 2.3.5 that surfaced
due to a change in the behavior of the kernel's TTY driver. The bug was
not triggered on Focal's 5.8 kernels, but it is on the 5.11 kernel that
was recently released, so this bug is now occurring on up-to-date Focal
systems.
This bug only occurs, at least in my testing, for interactively-entered
passphrases with lengths that are a multiple of 64. In that case,
cryptsetup reads one byte less than it should. (A test tool is
attached.) I would guess this bug won't be triggered for many people,
but for those who do happen to hit it, it's pretty bad. Volumes created
without the bug cannot be unlocked interactively with the bug.
cryptsetup will only read the passphrase correctly using a non-TTY stdin
or a key file. Also, volumes created interactively with the bug can be
unlocked without the bug, but only if the last byte of the passphrase is
omitted.
For example, on a current Focal host:
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal
$ uname -a
Linux ip-172-31-9-241 5.11.0-1016-aws #17~20.04.1-Ubuntu SMP Thu Aug 12
05:39:36 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ dpkg-query --no-pager -l cryptsetup-bin
ii cryptsetup-bin 2:2.2.2-3ubuntu2.3 amd64 disk encryption support -
command line tools
$ perl -pe chomp > test-passphrase
1234567891123456789212345678931234567894123456789512345678961234
$ wc test-passphrase
0 1 64 test-passphrase
$ dd if=/dev/zero of=test-block-dev bs=32M count=1
$ sudo cryptsetup luksFormat test-block-dev test-passphrase
WARNING!
========
This will overwrite data on test-block-dev irrevocably.
Are you sure? (Type uppercase yes): YES
$ sudo cryptsetup --tries 1 open test-block-dev testing
Enter passphrase for test-block-dev:
1234567891123456789212345678931234567894123456789512345678961234
No key available with this passphrase.
$ dd if=/dev/zero of=test-block-dev bs=32M count=1
$ sudo cryptsetup luksFormat test-block-dev
WARNING!
========
This will overwrite data on test-block-dev irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase for test-block-dev:
1234567891123456789212345678931234567894123456789512345678961234
Verify passphrase:
1234567891123456789212345678931234567894123456789512345678961234
$ sudo cryptsetup --key-file test-passphrase open test-block-dev testing
No key available with this passphrase.
In contrast, both of the cryptsetup open commands succeed if running on a 5.8
kernel.
Fortunately the fix is straightforward so I hope we can get it released
to Focal. I'll send a merge request.
** Affects: cryptsetup (Ubuntu)
Importance: Undecided
Status: New
** Attachment added: "A test tool that shows what the buggy cryptsetup reads
from a TTY"
https://bugs.launchpad.net/bugs/1942003/+attachment/5521478/+files/tty-read-test.c
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1942003
Title:
Partial interactive password read on Focal
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1942003/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
