VIA/ACE PadLock integration with crypto(9).

Pawel Jakub Dawidek pjd at FreeBSD.org
Thu Aug 18 16:20:40 GMT 2005


On Thu, Aug 18, 2005 at 04:03:59PM +0300, Maxim Sobolev wrote:
+> > +> >Here is the patch:
+> > +> >        http://people.freebsd.org/~pjd/patches/cryptodev.c.patch
+> > +> >And this bug actually is a local DoS on machines which have HW crypto
+> > +> >and cryptodev.ko loaded.
+> > +> 
+> > +> 
+> > +> Thanks!  It fixes my RELENG_6 machine.  I guess this goes all the way back to RELENG_4 as well then, no?
+> > 
+> > Most likely...
+> 
+> It's probably worth a security advisory.

It's only a local DoS on systems with crypto HW and /dev/crypto.
Note that /dev/crypto is not needed for fast_ipsec(4) with HW
acceleration, nor for geli(8).
The workaround is also very simple:

	# chmod 600 /dev/crypto

or:

	# kldunload cryptodev

and you can still do crypto work in software.

Administrators should not forget about jails as well, where /dev/crypto
is visible by default.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd at FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
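
An audit for the workaround described above, as an added example that is not part of the original post: it reports whether /dev/crypto is present and reachable by non-root users on the host and under each jail root. The function names are hypothetical, and the jail root paths are whatever the administrator passes as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): report whether /dev/crypto is
# reachable by non-root users on the host and under each jail root.

# True (exit 0) when an octal mode grants any group/other access.
mode_allows_non_root() {
    [ $(( 0$1 & 077 )) -ne 0 ]
}

# Print the permission bits of a node in octal (FreeBSD or GNU stat).
node_mode() {
    case "$(uname -s)" in
        FreeBSD) stat -f '%Lp' "$1" ;;
        *)       stat -c '%a' "$1" ;;
    esac
}

# audit_dev_crypto ROOT...: one status line per root directory.
# ROOT is "/" for the host or a jail's root path (supplied by the caller).
audit_dev_crypto() {
    for root in "$@"; do
        node="${root%/}/dev/crypto"
        if [ ! -e "$node" ]; then
            # Module unloaded, or node hidden from this jail's devfs.
            echo "absent $node"
            continue
        fi
        mode=$(node_mode "$node")
        if mode_allows_non_root "$mode"; then
            echo "EXPOSED $node mode=$mode"
        else
            echo "restricted $node mode=$mode"
        fi
    done
}

# With no arguments, check only the host's own /dev.
audit_dev_crypto "${@:-/}"
```

Run it with "/" followed by each jail's root directory; any line starting with EXPOSED marks a /dev where the chmod workaround has not been applied.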


More information about the freebsd-current mailing list