CVE-2024-26584

net: tls: handle backlogging of crypto requests

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

net: tls: handle backlogging of crypto requests

Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our
requests to the crypto API, crypto_aead_{encrypt,decrypt} can return
-EBUSY instead of -EINPROGRESS in valid situations. For example, when
the cryptd queue for AESNI is full (easy to trigger with an
artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued
to the backlog but still processed. In that case, the async callback
will also be called twice: first with err == -EINPROGRESS, which it
seems we can just ignore, then with err == 0.

Compared to Sabrina's original patch this version uses the new
tls_*crypt_async_wait() helpers and converts the EBUSY to
EINPROGRESS to avoid having to modify all the error handling
paths. The handling is identical.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: tls: manejar el retraso de solicitudes criptográficas Dado que estamos configurando el indicador CRYPTO_TFM_REQ_MAY_BACKLOG en nuestras solicitudes a la API criptográfica, crypto_aead_{encrypt,decrypt} puede devolver -EBUSY en lugar de - EINPROGRESS en situaciones válidas. Por ejemplo, cuando la cola cryptd para AESNI está llena (fácil de activar con un cryptd.cryptd_max_cpu_qlen artificialmente bajo), las solicitudes se pondrán en cola en el trabajo pendiente, pero aún así se procesarán. En ese caso, la devolución de llamada asíncrona también se llamará dos veces: primero con err == -EINPROGRESS, que parece que podemos ignorar, luego con err == 0. En comparación con el parche original de Sabrina, esta versión usa el nuevo tls_*crypt_async_wait( ) ayuda y convierte EBUSY a EINPROGRESS para evitar tener que modificar todas las rutas de manejo de errores. El manejo es idéntico.

A flaw was found in the tls subsystem of the Linux kernel. When setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on requests to the crypto API, crypto_aead_encrypt and crypto_aead_decrypt functions can return -EBUSY instead of -EINPROGRESS in valid situations. This issue could lead to undefined behavior and a denial of service condition.

*Credits: N/A

CVSS Scores

NISTv3.1 5.5

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-02-21 CVE Published
2024-05-01 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-393: Return of Wrong Status Code
CWE-755: Improper Handling of Exceptional Conditions

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/a54667f6728c2714a400f3c884727da74b6d1717	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/3ade391adc584f17b5570fd205de3ad029090368	2024-05-25
https://git.kernel.org/stable/c/cd1bbca03f3c1d845ce274c0d0a66de8e5929f72	2024-04-03
https://git.kernel.org/stable/c/13eca403876bbea3716e82cdfe6f1e6febb38754	2024-02-23
https://git.kernel.org/stable/c/ab6397f072e5097f267abf5cb08a8004e6b17694	2024-02-23
https://git.kernel.org/stable/c/8590541473188741055d27b955db0777569438e3	2024-02-10

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-26584	2024-08-13
https://bugzilla.redhat.com/show_bug.cgi?id=2265519	2024-08-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.16 < 5.15.160 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.16 < 5.15.160"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.16 < 6.1.84 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.16 < 6.1.84"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.16 < 6.6.18 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.16 < 6.6.18"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.16 < 6.7.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.16 < 6.7.6"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.16 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.16 < 6.8"		en		Affected