VIA/ACE PadLock integration with crypto(9).
Pawel Jakub Dawidek
pjd at FreeBSD.org
Thu Aug 18 16:20:40 GMT 2005
On Thu, Aug 18, 2005 at 04:03:59PM +0300, Maxim Sobolev wrote:
+> > +> >Here is the patch:
+> > +> > http://people.freebsd.org/~pjd/patches/cryptodev.c.patch
+> > +> >And this bug actually is a local DoS on machines which have HW crypto
+> > +> >and cryptodev.ko loaded.
+> > +>
+> > +>
+> > +> Thanks! It fixes my RELENG_6 machine. I guess this goes all the way back to RELENG_4 as well then, no?
+> >
+> > Most likely...
+>
+> It's probably worth a security advisory.
It's only a local DoS on systems with crypto HW and /dev/crypto.
Note that /dev/crypto is not needed for fast_ipsec(4) with HW
acceleration, nor for geli(8).
Workaround is also very simple:
# chmod 600 /dev/crypto
or:
# kldunload cryptodev
and you can still do crypto work in software.
Administrators should not forget about jails as well, where /dev/crypto
is visible by default.
--
Pawel Jakub Dawidek http://www.wheel.pl
pjd at FreeBSD.org http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!