CVE-2024-27061

sun8icecipherunprepare should be called before cryptofinalizeskcipherrequest, because client callbacks may immediately free memory, that isn't needed anymore. But it will be used by unprepare after free. Before removing prepare/unprepare callbacks it was handled by crypto engine in cryptofinalizerequest.

Usually that results in a pointer dereference problem during a in crypto selftest. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000004716d000 [0000000000000030] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP

This problem is detected by KASAN as well. ================================================================== BUG: KASAN: slab-use-after-free in sun8icecipherdoone+0x6e8/0xf80 [sun8i_ce] Read of size 8 at addr ffff00000dcdc040 by task 1c15000.crypto-/373

Hardware name: Pine64 PinePhone (1.2) (DT) Call trace: dumpbacktrace+0x9c/0x128 showstack+0x20/0x38 dumpstacklvl+0x48/0x60 printreport+0xf8/0x5d8 kasanreport+0x90/0xd0 _asanload8+0x9c/0xc0 sun8icecipherdoone+0x6e8/0xf80 [sun8ice] cryptopumpwork+0x354/0x620 [cryptoengine] kthreadworkerfn+0x244/0x498 kthread+0x168/0x178 retfromfork+0x10/0x20

Allocated by task 379: kasansavestack+0x3c/0x68 kasansettrack+0x2c/0x40 kasansaveallocinfo+0x24/0x38 _kasankmalloc+0xd4/0xd8 _kmalloc+0x74/0x1d0 algtestskcipher+0x90/0x1f0 algtest+0x24c/0x830 cryptomgrtest+0x38/0x60 kthread+0x168/0x178 retfromfork+0x10/0x20

Freed by task 379: kasansavestack+0x3c/0x68 kasansettrack+0x2c/0x40 kasansavefreeinfo+0x38/0x60 _kasanslabfree+0x100/0x170 slabfreefreelisthook+0xd4/0x1e8 _kmemcachefree+0x15c/0x290 kfree+0x74/0x100 kfreesensitive+0x80/0xb0 algtestskcipher+0x12c/0x1f0 algtest+0x24c/0x830 cryptomgrtest+0x38/0x60 kthread+0x168/0x178 retfrom_fork+0x10/0x20

The buggy address belongs to the object at ffff00000dcdc000 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 64 bytes inside of freed 256-byte region [ffff00000dcdc000, ffff00000dcdc100)

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

4136212ab18eb3dce6efb6e18108765c36708f71

Fixed

dc60b25540c82fc4baa95d1458ae96ead21859e0

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

4136212ab18eb3dce6efb6e18108765c36708f71

Fixed

51a7d338c212e0640b1aca52ba6590d5bea49879

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

4136212ab18eb3dce6efb6e18108765c36708f71

Fixed

183420038444547c149a0fc5f58e792c2752860c

Affected versions

v6.*

v6.5

v6.5-rc2

v6.5-rc3

v6.5-rc4

v6.5-rc5

v6.5-rc6

v6.5-rc7

v6.6

v6.6-rc1

v6.6-rc2

v6.6-rc3

v6.6-rc4

v6.6-rc5

v6.6-rc6

v6.6-rc7

v6.6.1

v6.6.10

v6.6.11

v6.6.12

v6.6.13

v6.6.14

v6.6.15

v6.6.16

v6.6.17

v6.6.18

v6.6.19

v6.6.2

v6.6.20

v6.6.21

v6.6.22

v6.6.23

v6.6.3

v6.6.4

v6.6.5

v6.6.6

v6.6.7

v6.6.8

v6.6.9

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.7.1

v6.7.10

v6.7.11

v6.7.2

v6.7.3

v6.7.4

v6.7.5

v6.7.6

v6.7.7

v6.7.8

v6.7.9

v6.8-rc1

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.6.0

Fixed

6.6.24

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.7.12