CVE-2024-26800

tls: fix use-after-free on failed backlog decryption

Severity Score

4.7

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt
returns -EBUSY, tls_do_decryption will wait until all async
decryptions have completed. If one of them fails, tls_do_decryption
will return -EBADMSG and tls_decrypt_sg jumps to the error path,
releasing all the pages. But the pages have been passed to the async
callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. With -EBUSY, we already waited so we can tell
tls_sw_recvmsg that the data is available for immediate copy, but we
need to notify tls_decrypt_sg (via the new ->async_done flag) that the
memory has already been released.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: tls: corrige el use-after-free en el descifrado fallido del trabajo pendiente Cuando la solicitud de descifrado va al trabajo pendiente y crypto_aead_decrypt devuelve -EBUSY, tls_do_decryption esperará hasta que se hayan completado todos los descifrados asíncronos. Si uno de ellos falla, tls_do_decryption devolverá -EBADMSG y tls_decrypt_sg salta a la ruta del error, liberando todas las páginas. Pero las páginas se pasaron a la devolución de llamada asíncrona y tls_decrypt_done ya las publicó. El único caso asíncrono verdadero es cuando crypto_aead_decrypt devuelve -EINPROGRESS. Con -EBUSY, ya esperamos para poder decirle a tls_sw_recvmsg que los datos están disponibles para copia inmediata, pero debemos notificar a tls_decrypt_sg (a través del nuevo indicador ->async_done) que la memoria ya ha sido liberada.

In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.

Supraja Sridhara, Benedict Schlüter, Mark Kuhne, Andrin Bertschi, and Shweta Shinde discovered that the Confidential Computing framework in the Linux kernel for x86 platforms did not properly handle 32-bit emulation on TDX and SEV. An attacker with access to the VMM could use this to cause a denial of service or possibly execute arbitrary code. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

*Credits: N/A

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

High

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-04-04 CVE Published
2024-12-19 CVE Updated
2024-12-21 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (7)

URL	Tag	Source
https://git.kernel.org/stable/c/13eca403876bbea3716e82cdfe6f1e6febb38754	Vuln. Introduced
https://git.kernel.org/stable/c/ab6397f072e5097f267abf5cb08a8004e6b17694	Vuln. Introduced
https://git.kernel.org/stable/c/3ade391adc584f17b5570fd205de3ad029090368	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/81be85353b0f5a7b660635634b655329b429eefe	2024-03-06
https://git.kernel.org/stable/c/1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1	2024-03-06
https://git.kernel.org/stable/c/f2b85a4cc763841843de693bbd7308fe9a2c4c89	2024-04-03
https://git.kernel.org/stable/c/13114dc5543069f7b97991e3b79937b6da05f5b0	2024-02-29

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6.18 < 6.6.21 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.18 < 6.6.21"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.7.6 < 6.7.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.7.6 < 6.7.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.15.160 Search vendor "Linux" for product "Linux Kernel" and version "5.15.160"		en		Affected