CVE-2024-26800

tls: fix use-after-free on failed backlog decryption

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

tls: fix use-after-free on failed backlog decryption

When the decrypt request goes to the backlog and crypto_aead_decrypt
returns -EBUSY, tls_do_decryption will wait until all async
decryptions have completed. If one of them fails, tls_do_decryption
will return -EBADMSG and tls_decrypt_sg jumps to the error path,
releasing all the pages. But the pages have been passed to the async
callback, and have already been released by tls_decrypt_done.

The only true async case is when crypto_aead_decrypt returns
-EINPROGRESS. With -EBUSY, we already waited so we can tell
tls_sw_recvmsg that the data is available for immediate copy, but we
need to notify tls_decrypt_sg (via the new ->async_done flag) that the
memory has already been released.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: tls: corrige el use-after-free en el descifrado fallido del trabajo pendiente Cuando la solicitud de descifrado va al trabajo pendiente y crypto_aead_decrypt devuelve -EBUSY, tls_do_decryption esperará hasta que se hayan completado todos los descifrados asíncronos. Si uno de ellos falla, tls_do_decryption devolverá -EBADMSG y tls_decrypt_sg salta a la ruta del error, liberando todas las páginas. Pero las páginas se pasaron a la devolución de llamada asíncrona y tls_decrypt_done ya las publicó. El único caso asíncrono verdadero es cuando crypto_aead_decrypt devuelve -EINPROGRESS. Con -EBUSY, ya esperamos para poder decirle a tls_sw_recvmsg que los datos están disponibles para copia inmediata, pero debemos notificar a tls_decrypt_sg (a través del nuevo indicador ->async_done) que la memoria ya ha sido liberada.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-04-04 CVE Published
2024-04-05 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (7)

URL	Tag	Source
https://git.kernel.org/stable/c/13eca403876bbea3716e82cdfe6f1e6febb38754	Vuln. Introduced
https://git.kernel.org/stable/c/ab6397f072e5097f267abf5cb08a8004e6b17694	Vuln. Introduced
https://git.kernel.org/stable/c/3ade391adc584f17b5570fd205de3ad029090368	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/81be85353b0f5a7b660635634b655329b429eefe	2024-03-06
https://git.kernel.org/stable/c/1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1	2024-03-06
https://git.kernel.org/stable/c/f2b85a4cc763841843de693bbd7308fe9a2c4c89	2024-04-03
https://git.kernel.org/stable/c/13114dc5543069f7b97991e3b79937b6da05f5b0	2024-02-29

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6.18 < 6.6.21 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.18 < 6.6.21"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.7.6 < 6.7.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.7.6 < 6.7.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.15.160 Search vendor "Linux" for product "Linux Kernel" and version "5.15.160"		en		Affected