CVE-2024-27061
Vulnerability from cvelistv5
Published
2024-05-01 13:00
Modified
2024-12-19 08:53
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: crypto: sun8i-ce - Fix use after free in unprepare sun8i_ce_cipher_unprepare should be called before crypto_finalize_skcipher_request, because client callbacks may immediately free memory, that isn't needed anymore. But it will be used by unprepare after free. Before removing prepare/unprepare callbacks it was handled by crypto engine in crypto_finalize_request. Usually that results in a pointer dereference problem during a in crypto selftest. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000004716d000 [0000000000000030] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP This problem is detected by KASAN as well. ================================================================== BUG: KASAN: slab-use-after-free in sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce] Read of size 8 at addr ffff00000dcdc040 by task 1c15000.crypto-/373 Hardware name: Pine64 PinePhone (1.2) (DT) Call trace: dump_backtrace+0x9c/0x128 show_stack+0x20/0x38 dump_stack_lvl+0x48/0x60 print_report+0xf8/0x5d8 kasan_report+0x90/0xd0 __asan_load8+0x9c/0xc0 sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce] crypto_pump_work+0x354/0x620 [crypto_engine] kthread_worker_fn+0x244/0x498 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Allocated by task 379: kasan_save_stack+0x3c/0x68 kasan_set_track+0x2c/0x40 kasan_save_alloc_info+0x24/0x38 __kasan_kmalloc+0xd4/0xd8 __kmalloc+0x74/0x1d0 alg_test_skcipher+0x90/0x1f0 alg_test+0x24c/0x830 cryptomgr_test+0x38/0x60 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Freed by task 379: kasan_save_stack+0x3c/0x68 kasan_set_track+0x2c/0x40 kasan_save_free_info+0x38/0x60 __kasan_slab_free+0x100/0x170 slab_free_freelist_hook+0xd4/0x1e8 __kmem_cache_free+0x15c/0x290 kfree+0x74/0x100 kfree_sensitive+0x80/0xb0 alg_test_skcipher+0x12c/0x1f0 alg_test+0x24c/0x830 cryptomgr_test+0x38/0x60 kthread+0x168/0x178 ret_from_fork+0x10/0x20 The buggy address belongs to the object at ffff00000dcdc000 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 64 bytes inside of freed 256-byte region [ffff00000dcdc000, ffff00000dcdc100)
Impacted products
Vendor Product Version
Linux Linux Version: 6.6
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-27061",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-17T15:06:02.450614Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-17T15:06:18.867Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:21:05.883Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/dc60b25540c82fc4baa95d1458ae96ead21859e0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/51a7d338c212e0640b1aca52ba6590d5bea49879"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/183420038444547c149a0fc5f58e792c2752860c"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "dc60b25540c82fc4baa95d1458ae96ead21859e0",
              "status": "affected",
              "version": "4136212ab18eb3dce6efb6e18108765c36708f71",
              "versionType": "git"
            },
            {
              "lessThan": "51a7d338c212e0640b1aca52ba6590d5bea49879",
              "status": "affected",
              "version": "4136212ab18eb3dce6efb6e18108765c36708f71",
              "versionType": "git"
            },
            {
              "lessThan": "183420038444547c149a0fc5f58e792c2752860c",
              "status": "affected",
              "version": "4136212ab18eb3dce6efb6e18108765c36708f71",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: sun8i-ce - Fix use after free in unprepare\n\nsun8i_ce_cipher_unprepare should be called before\ncrypto_finalize_skcipher_request, because client callbacks may\nimmediately free memory, that isn\u0027t needed anymore. But it will be\nused by unprepare after free. Before removing prepare/unprepare\ncallbacks it was handled by crypto engine in crypto_finalize_request.\n\nUsually that results in a pointer dereference problem during a in\ncrypto selftest.\n Unable to handle kernel NULL pointer dereference at\n                                      virtual address 0000000000000030\n Mem abort info:\n   ESR = 0x0000000096000004\n   EC = 0x25: DABT (current EL), IL = 32 bits\n   SET = 0, FnV = 0\n   EA = 0, S1PTW = 0\n   FSC = 0x04: level 0 translation fault\n Data abort info:\n   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n user pgtable: 4k pages, 48-bit VAs, pgdp=000000004716d000\n [0000000000000030] pgd=0000000000000000, p4d=0000000000000000\n Internal error: Oops: 0000000096000004 [#1] SMP\n\nThis problem is detected by KASAN as well.\n ==================================================================\n BUG: KASAN: slab-use-after-free in sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce]\n Read of size 8 at addr ffff00000dcdc040 by task 1c15000.crypto-/373\n\n Hardware name: Pine64 PinePhone (1.2) (DT)\n Call trace:\n  dump_backtrace+0x9c/0x128\n  show_stack+0x20/0x38\n  dump_stack_lvl+0x48/0x60\n  print_report+0xf8/0x5d8\n  kasan_report+0x90/0xd0\n  __asan_load8+0x9c/0xc0\n  sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce]\n  crypto_pump_work+0x354/0x620 [crypto_engine]\n  kthread_worker_fn+0x244/0x498\n  kthread+0x168/0x178\n  ret_from_fork+0x10/0x20\n\n Allocated by task 379:\n  kasan_save_stack+0x3c/0x68\n  kasan_set_track+0x2c/0x40\n  kasan_save_alloc_info+0x24/0x38\n  __kasan_kmalloc+0xd4/0xd8\n  __kmalloc+0x74/0x1d0\n  alg_test_skcipher+0x90/0x1f0\n  alg_test+0x24c/0x830\n  cryptomgr_test+0x38/0x60\n  kthread+0x168/0x178\n  ret_from_fork+0x10/0x20\n\n Freed by task 379:\n  kasan_save_stack+0x3c/0x68\n  kasan_set_track+0x2c/0x40\n  kasan_save_free_info+0x38/0x60\n  __kasan_slab_free+0x100/0x170\n  slab_free_freelist_hook+0xd4/0x1e8\n  __kmem_cache_free+0x15c/0x290\n  kfree+0x74/0x100\n  kfree_sensitive+0x80/0xb0\n  alg_test_skcipher+0x12c/0x1f0\n  alg_test+0x24c/0x830\n  cryptomgr_test+0x38/0x60\n  kthread+0x168/0x178\n  ret_from_fork+0x10/0x20\n\n The buggy address belongs to the object at ffff00000dcdc000\n  which belongs to the cache kmalloc-256 of size 256\n The buggy address is located 64 bytes inside of\n  freed 256-byte region [ffff00000dcdc000, ffff00000dcdc100)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:53:36.593Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/dc60b25540c82fc4baa95d1458ae96ead21859e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/51a7d338c212e0640b1aca52ba6590d5bea49879"
        },
        {
          "url": "https://git.kernel.org/stable/c/183420038444547c149a0fc5f58e792c2752860c"
        }
      ],
      "title": "crypto: sun8i-ce - Fix use after free in unprepare",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-27061",
    "datePublished": "2024-05-01T13:00:17.611Z",
    "dateReserved": "2024-02-19T14:20:24.215Z",
    "dateUpdated": "2024-12-19T08:53:36.593Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-27061\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-01T13:15:50.593\",\"lastModified\":\"2024-11-21T09:03:46.663\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: sun8i-ce - Fix use after free in unprepare\\n\\nsun8i_ce_cipher_unprepare should be called before\\ncrypto_finalize_skcipher_request, because client callbacks may\\nimmediately free memory, that isn\u0027t needed anymore. But it will be\\nused by unprepare after free. Before removing prepare/unprepare\\ncallbacks it was handled by crypto engine in crypto_finalize_request.\\n\\nUsually that results in a pointer dereference problem during a in\\ncrypto selftest.\\n Unable to handle kernel NULL pointer dereference at\\n                                      virtual address 0000000000000030\\n Mem abort info:\\n   ESR = 0x0000000096000004\\n   EC = 0x25: DABT (current EL), IL = 32 bits\\n   SET = 0, FnV = 0\\n   EA = 0, S1PTW = 0\\n   FSC = 0x04: level 0 translation fault\\n Data abort info:\\n   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\\n   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\\n   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\\n user pgtable: 4k pages, 48-bit VAs, pgdp=000000004716d000\\n [0000000000000030] pgd=0000000000000000, p4d=0000000000000000\\n Internal error: Oops: 0000000096000004 [#1] SMP\\n\\nThis problem is detected by KASAN as well.\\n ==================================================================\\n BUG: KASAN: slab-use-after-free in sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce]\\n Read of size 8 at addr ffff00000dcdc040 by task 1c15000.crypto-/373\\n\\n Hardware name: Pine64 PinePhone (1.2) (DT)\\n Call trace:\\n  dump_backtrace+0x9c/0x128\\n  show_stack+0x20/0x38\\n  dump_stack_lvl+0x48/0x60\\n  print_report+0xf8/0x5d8\\n  kasan_report+0x90/0xd0\\n  __asan_load8+0x9c/0xc0\\n  sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce]\\n  crypto_pump_work+0x354/0x620 [crypto_engine]\\n  kthread_worker_fn+0x244/0x498\\n  kthread+0x168/0x178\\n  ret_from_fork+0x10/0x20\\n\\n Allocated by task 379:\\n  kasan_save_stack+0x3c/0x68\\n  kasan_set_track+0x2c/0x40\\n  kasan_save_alloc_info+0x24/0x38\\n  __kasan_kmalloc+0xd4/0xd8\\n  __kmalloc+0x74/0x1d0\\n  alg_test_skcipher+0x90/0x1f0\\n  alg_test+0x24c/0x830\\n  cryptomgr_test+0x38/0x60\\n  kthread+0x168/0x178\\n  ret_from_fork+0x10/0x20\\n\\n Freed by task 379:\\n  kasan_save_stack+0x3c/0x68\\n  kasan_set_track+0x2c/0x40\\n  kasan_save_free_info+0x38/0x60\\n  __kasan_slab_free+0x100/0x170\\n  slab_free_freelist_hook+0xd4/0x1e8\\n  __kmem_cache_free+0x15c/0x290\\n  kfree+0x74/0x100\\n  kfree_sensitive+0x80/0xb0\\n  alg_test_skcipher+0x12c/0x1f0\\n  alg_test+0x24c/0x830\\n  cryptomgr_test+0x38/0x60\\n  kthread+0x168/0x178\\n  ret_from_fork+0x10/0x20\\n\\n The buggy address belongs to the object at ffff00000dcdc000\\n  which belongs to the cache kmalloc-256 of size 256\\n The buggy address is located 64 bytes inside of\\n  freed 256-byte region [ffff00000dcdc000, ffff00000dcdc100)\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: crypto: sun8i-ce: se corrige el use after free en unprepare. Se debe llamar a sun8i_ce_cipher_unprepare antes de crypto_finalize_skcipher_request, porque las devoluciones de llamada del cliente pueden liberar inmediatamente memoria, que ya no es necesaria. Pero ser\u00e1 utilizado por los que no est\u00e9n preparados despu\u00e9s de ser gratuito. Antes de eliminar las devoluciones de llamada de preparaci\u00f3n/despreparaci\u00f3n, el motor criptogr\u00e1fico lo manejaba en crypto_finalize_request. Por lo general, esto resulta en un problema de desreferencia del puntero durante una autoprueba en criptograf\u00eda. No se puede manejar la desreferencia del puntero NULL del kernel en la direcci\u00f3n virtual 0000000000000030 Informaci\u00f3n de cancelaci\u00f3n de memoria: ESR = 0x0000000096000004 EC = 0x25: DABT (EL actual), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: falla de traducci\u00f3n de nivel 0 Informaci\u00f3n de cancelaci\u00f3n de datos: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 usuario pgtable: p\u00e1ginas de 4k, VA de 48 bits, pgdp=000000004716d000 [0000000000000030] pgd=0000000000000000, p4d=000000000000000000 Error interno: Ups: 0000000096000004 [# 1] SMP Este problema tambi\u00e9n lo detecta KASAN. ==================================================== ================ ERROR: KASAN: slab-use-after-free en sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce] Lectura de tama\u00f1o 8 en la direcci\u00f3n ffff00000dcdc040 por tarea 1c15000.crypto-/ 373 Nombre del hardware: Pine64 PinePhone (1.2) (DT) Rastreo de llamadas: dump_backtrace+0x9c/0x128 show_stack+0x20/0x38 dump_stack_lvl+0x48/0x60 print_report+0xf8/0x5d8 kasan_report+0x90/0xd0 __asan_load8+0x9c/0xc0 _cipher_do_one+0x6e8/0xf80 [sun8i_ce] crypto_pump_work+0x354/0x620 [crypto_engine] kthread_worker_fn+0x244/0x498 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Asignado por tarea 379: kasan_save_stack+0x3c/0x68 c/0x40 kasan_save_alloc_info+0x24/0x38 __kasan_kmalloc+0xd4/ 0xd8 __kmalloc+0x74/0x1d0 alg_test_skcipher+0x90/0x1f0 alg_test+0x24c/0x830 cryptomgr_test+0x38/0x60 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Liberado por la tarea 379: 3c/0x68 kasan_set_track+0x2c/0x40 kasan_save_free_info+0x38/ 0x60 __kasan_slab_free+0x100/0x170 slab_free_freelist_hook+0xd4/0x1e8 __kmem_cache_free+0x15c/0x290 kfree+0x74/0x100 kfree_SENSITIVE+0x80/0xb0 alg_test_skcipher+0x12c/0x1f0 24c/0x830 cryptomgr_test+0x38/0x60 kthread+0x168/0x178 ret_from_fork+0x10/ 0x20 La direcci\u00f3n con errores pertenece al objeto en ffff00000dcdc000 que pertenece al cach\u00e9 kmalloc-256 de tama\u00f1o 256. La direcci\u00f3n con errores se encuentra a 64 bytes dentro de la regi\u00f3n liberada de 256 bytes [ffff00000dcdc000, ffff00000dcdc100)\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/183420038444547c149a0fc5f58e792c2752860c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/51a7d338c212e0640b1aca52ba6590d5bea49879\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/dc60b25540c82fc4baa95d1458ae96ead21859e0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/183420038444547c149a0fc5f58e792c2752860c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/51a7d338c212e0640b1aca52ba6590d5bea49879\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/dc60b25540c82fc4baa95d1458ae96ead21859e0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.