CVE-2024-27061

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-27061
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-27061.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-27061
Downstream
Published
2024-05-01T13:00:17Z
Modified
2025-10-17T02:51:08.452038Z
Summary
crypto: sun8i-ce - Fix use after free in unprepare
Details

In the Linux kernel, the following vulnerability has been resolved:

crypto: sun8i-ce - Fix use after free in unprepare

sun8i_ce_cipher_unprepare should be called before crypto_finalize_skcipher_request, because client callbacks may immediately free memory, that isn't needed anymore. But it will be used by unprepare after free. Before removing prepare/unprepare callbacks it was handled by crypto engine in crypto_finalize_request.

Usually that results in a pointer dereference problem during a crypto selftest.

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=000000004716d000
[0000000000000030] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1] SMP

This problem is detected by KASAN as well.

==================================================================
BUG: KASAN: slab-use-after-free in sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce]
Read of size 8 at addr ffff00000dcdc040 by task 1c15000.crypto-/373

Hardware name: Pine64 PinePhone (1.2) (DT)
Call trace:
 dump_backtrace+0x9c/0x128
 show_stack+0x20/0x38
 dump_stack_lvl+0x48/0x60
 print_report+0xf8/0x5d8
 kasan_report+0x90/0xd0
 __asan_load8+0x9c/0xc0
 sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce]
 crypto_pump_work+0x354/0x620 [crypto_engine]
 kthread_worker_fn+0x244/0x498
 kthread+0x168/0x178
 ret_from_fork+0x10/0x20

Allocated by task 379:
 kasan_save_stack+0x3c/0x68
 kasan_set_track+0x2c/0x40
 kasan_save_alloc_info+0x24/0x38
 __kasan_kmalloc+0xd4/0xd8
 __kmalloc+0x74/0x1d0
 alg_test_skcipher+0x90/0x1f0
 alg_test+0x24c/0x830
 cryptomgr_test+0x38/0x60
 kthread+0x168/0x178
 ret_from_fork+0x10/0x20

Freed by task 379:
 kasan_save_stack+0x3c/0x68
 kasan_set_track+0x2c/0x40
 kasan_save_free_info+0x38/0x60
 __kasan_slab_free+0x100/0x170
 slab_free_freelist_hook+0xd4/0x1e8
 __kmem_cache_free+0x15c/0x290
 kfree+0x74/0x100
 kfree_sensitive+0x80/0xb0
 alg_test_skcipher+0x12c/0x1f0
 alg_test+0x24c/0x830
 cryptomgr_test+0x38/0x60
 kthread+0x168/0x178
 ret_from_fork+0x10/0x20

The buggy address belongs to the object at ffff00000dcdc000
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 64 bytes inside of
 freed 256-byte region [ffff00000dcdc000, ffff00000dcdc100)

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4136212ab18eb3dce6efb6e18108765c36708f71
Fixed
dc60b25540c82fc4baa95d1458ae96ead21859e0
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4136212ab18eb3dce6efb6e18108765c36708f71
Fixed
51a7d338c212e0640b1aca52ba6590d5bea49879
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4136212ab18eb3dce6efb6e18108765c36708f71
Fixed
183420038444547c149a0fc5f58e792c2752860c

Affected versions

v6.*

v6.5
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.7.1
v6.7.10
v6.7.11
v6.7.2
v6.7.3
v6.7.4
v6.7.5
v6.7.6
v6.7.7
v6.7.8
v6.7.9
v6.8-rc1

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.6.0
Fixed
6.6.24
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.7.12