CVE-2024-26800
tls: fix use-after-free on failed backlog decryption
- Public Exploits: 0
- Exploited in Wild: -
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
tls: fix use-after-free on failed backlog decryption
When the decrypt request goes to the backlog and crypto_aead_decrypt
returns -EBUSY, tls_do_decryption will wait until all async
decryptions have completed. If one of them fails, tls_do_decryption
will return -EBADMSG and tls_decrypt_sg jumps to the error path,
releasing all the pages. But the pages have been passed to the async
callback, and have already been released by tls_decrypt_done.
The only true async case is when crypto_aead_decrypt returns
-EINPROGRESS. With -EBUSY, we already waited so we can tell
tls_sw_recvmsg that the data is available for immediate copy, but we
need to notify tls_decrypt_sg (via the new ->async_done flag) that the
memory has already been released.
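To make the ownership problem in the description concrete, the following is a constructed C model added for this page; it is not kernel code and does not reproduce the real `tls_decrypt_sg`, `tls_do_decryption` or `tls_decrypt_done`, only their page-ownership behaviour as the commit message describes it. A release counter stands in for the page reference count, and `fixed` toggles the `->async_done` flag the fix introduces.

```c
/* Constructed simplified model (not kernel code) of the bug fixed by
 * CVE-2024-26800: pages handed to the async callback must not be released
 * again by the caller's error path. Names mirror the commit message. */
#include <stdbool.h>
#define EINPROGRESS 115
#define EBADMSG     74

enum path { PATH_SYNC, PATH_ASYNC_INPROGRESS, PATH_ASYNC_BACKLOG };
struct page_set { int release_calls; };   /* >1 release = use-after-free */
struct decrypt_req {
    struct page_set *pages;
    bool async_done;   /* the fix: callback already released the pages */
};

static void release_pages(struct page_set *p) { p->release_calls++; }

/* tls_decrypt_done model: the async callback owns and releases the pages. */
static void decrypt_done(struct decrypt_req *req) { release_pages(req->pages); }

/* crypto_aead_decrypt plus the wait in tls_do_decryption, modelled;
 * 'fail' stands for one of the pending async decryptions failing. */
static int do_decryption(struct decrypt_req *req, enum path path, bool fail,
                         bool fixed)
{
    switch (path) {
    case PATH_SYNC:
        return fail ? -EBADMSG : 0;
    case PATH_ASYNC_INPROGRESS:
        return -EINPROGRESS;           /* callback will run later */
    case PATH_ASYNC_BACKLOG:           /* -EBUSY: we waited; callback ran */
        decrypt_done(req);
        if (fixed)
            req->async_done = true;    /* tell the caller the memory is gone */
        return fail ? -EBADMSG : 0;
    }
    return 0;
}

/* tls_decrypt_sg model: returns how many times the pages were released. */
int decrypt_sg(enum path path, bool fail, bool fixed)
{
    struct page_set pages = { 0 };
    struct decrypt_req req = { &pages, false };
    int err = do_decryption(&req, path, fail, fixed);

    if (err < 0 && err != -EINPROGRESS && !req.async_done)
        release_pages(&pages);         /* error path: second release if unfixed */
    return pages.release_calls;
}
```

A release count of 2 on the backlog path with `fixed == false` is the double release the advisory describes; with the flag set it drops to the single release performed by the callback.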
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-19 CVE Reserved
- 2024-04-04 CVE Published
- 2024-04-05 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (7)
URL | Tag | Source |
---|---|---|
https://git.kernel.org/stable/c/13eca403876bbea3716e82cdfe6f1e6febb38754 | Vuln. Introduced | |
https://git.kernel.org/stable/c/ab6397f072e5097f267abf5cb08a8004e6b17694 | Vuln. Introduced | |
https://git.kernel.org/stable/c/3ade391adc584f17b5570fd205de3ad029090368 | Vuln. Introduced | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status |
---|---|---|---|
Linux | Linux Kernel | >= 6.6.18 < 6.6.21 | Affected |
Linux | Linux Kernel | >= 6.7.6 < 6.7.9 | Affected |
Linux | Linux Kernel | 5.15.160 | Affected |