Package: cryptsetup
Version: 2:2.3.7-1+deb11u1

### Issue description

When creating nested dmcrypt mappings in /etc/crypttab,
cryptdisks_start processes them from top to bottom.

This means that an encrypted base device will be unlocked before any
nested encrypted devices based on it.

While this works fine for unlocking the encrypted disks, cryptdisks_stop
tries to remove the dmcrypt mappings in the same order, which is clearly
wrong: it tries to remove the base mapping before any mappings based on
it, which will fail because the base mapping is "busy" at that point.

### Steps for reproducing the issue

Here is an example of a crypttab demonstrating the issue:

```
# <target name>       <source device>                   <key file>    <options>
swap-myhost-pre4-dec  PARTUUID=88888888-02              unused_dummy  plain,noearly,cipher=aes-cbc-plain64,size=128,hash=sha256,keyscript=/etc/libexec/gen_hq_rand_psw
swap-myhost-pre3-dec  /dev/mapper/swap-myhost-pre4-dec  unused_dummy  plain,noearly,cipher=blowfish-pcbc-essiv:sha256,size=128,hash=sha256,keyscript=/etc/libexec/gen_hq_rand_psw
swap-myhost-pre2-dec  /dev/mapper/swap-myhost-pre3-dec  unused_dummy  plain,noearly,cipher=aes-ctr-plain64,size=128,hash=sha256,keyscript=/etc/libexec/gen_hq_rand_psw
swap-myhost-pre-dec   /dev/mapper/swap-myhost-pre2-dec  unused_dummy  plain,noearly,cipher=aes-xts-benbi,size=256,hash=sha256,keyscript=/etc/libexec/gen_hq_rand_psw
swap-myhost-dec       /dev/mapper/swap-myhost-pre-dec   unused_dummy  plain,swap,noearly,cipher=serpent-pcbc-essiv:sha256,size=256,hash=sha256,keyscript=/etc/libexec/gen_hq_rand_psw
```

The referenced key script (/etc/libexec/gen_hq_rand_psw) and another
helper script file used by it
(/etc/libexec/cached/keygen-octets-by-harvesting-entropy) have been
attached to this report.

### Expected behaviour

The cryptdisks_stop script should process the crypttab entries in the
reverse order of how cryptdisks_start processes them.

### External links

The original bug report, delivered to upstream first by mistake:

https://gitlab.com/cryptsetup/cryptsetup/-/issues/719#note_863814204

Attachment: gen_hq_rand_psw
Description: Binary data

Attachment: keygen-octets-by-harvesting-entropy
Description: Binary data
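
The teardown order asked for under "Expected behaviour", as an added example that is not part of the original report and is not cryptsetup's or Debian's own code. It goes one step beyond plain reversal by ordering on the source-device dependencies, and it assumes nested sources are written as `/dev/mapper/<target>` as in the crypttab above; the function name `crypttab_stop_order` is hypothetical.

```shell
#!/bin/sh
# Added example (not cryptsetup/Debian code). Prints crypttab target names in
# an order that is safe for teardown: a mapping is listed only after every
# mapping that uses /dev/mapper/<its name> as its source device.
# Assumption: nested sources are written as /dev/mapper/<target>, as in the
# report; UUID=, PARTUUID= or /dev/dm-N references are not resolved.
crypttab_stop_order() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }       # skip blank lines and comments
        { n++; name[n] = $1; src[n] = $2 }  # keep file (= start) order
        END {
            left = n
            while (left > 0) {
                progress = 0
                # Walk bottom-up so a correctly ordered file needs one pass.
                for (i = n; i >= 1; i--) {
                    if (stopped[i]) continue
                    busy = 0
                    for (j = 1; j <= n; j++)
                        if (!stopped[j] && src[j] == ("/dev/mapper/" name[i]))
                            busy = 1
                    if (busy) continue      # something still sits on top of it
                    print name[i]
                    stopped[i] = 1; left--; progress = 1
                }
                if (!progress) exit 1       # dependency loop: give up
            }
        }
    ' "$@"
}

# Constructed sample: the nesting from the report, options shortened.
crypttab_stop_order <<'EOF'
# <target name>       <source device>                   <key file>    <options>
swap-myhost-pre4-dec  PARTUUID=88888888-02              unused_dummy  plain,noearly
swap-myhost-pre3-dec  /dev/mapper/swap-myhost-pre4-dec  unused_dummy  plain,noearly
swap-myhost-pre2-dec  /dev/mapper/swap-myhost-pre3-dec  unused_dummy  plain,noearly
swap-myhost-pre-dec   /dev/mapper/swap-myhost-pre2-dec  unused_dummy  plain,noearly
swap-myhost-dec       /dev/mapper/swap-myhost-pre-dec   unused_dummy  plain,swap,noearly
EOF
```

The function reads a crypttab from standard input or from a file given as its argument, and returns non-zero if the entries form a dependency loop.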
