Message-ID: <2025081250-slaw-seltzer-4650@gregkh>
Date: Tue, 12 Aug 2025 10:51:37 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: William Liu <will@...lsroot.io>
Cc: "stable@...r.kernel.org" <stable@...r.kernel.org>,
"sd@...asysnail.net" <sd@...asysnail.net>,
Jakub Kicinski <kuba@...nel.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
Savy <savy@...t3mfailure.io>,
"john.fastabend@...il.com" <john.fastabend@...il.com>,
"borisp@...dia.com" <borisp@...dia.com>
Subject: Re: [BUG] Missing backport for UAF fix in interaction between tls_decrypt_sg and cryptd_queue_worker
On Mon, Aug 11, 2025 at 05:03:47PM +0000, William Liu wrote:
> Hi all,
>
> Commit 41532b785e (tls: separate no-async decryption request handling from async) [1] actually covers a UAF read and write bug in the kernel, and should be backported to 6.1. As of now, it has only been backported to 6.6, back from the time when the patch was committed. The commit mentions a non-reproducible UAF that was previously observed, but we managed to hit the vulnerable case.
>
> The vulnerable case is when a user wraps an existing crypto algorithm (such as gcm or ghash) in cryptd. By default, cryptd-wrapped algorithms have a higher priority than the base variant. tls_decrypt_sg allocates the aead request, and triggers the crypto handling with tls_do_decryption. When the crypto is handled by cryptd, it gets dispatched to a worker that handles it and initially returns EINPROGRESS. While older LTS versions (5.4, 5.10, and 5.15) seem to have an additional crypto_wait_req call in those cases, 6.1 just returns success and frees the aead request. The cryptd worker could still be operating in this case, which causes a UAF.
>
> However, this vulnerability only occurs when the CPU is without AVX support (perhaps this is why there were reproducibility difficulties). With AVX, aesni_init calls simd_register_aeads_compat to force the crypto subsystem to use the SIMD version and avoids the async issues raised by cryptd. While I doubt many people are using host systems without AVX these days, this environment is pretty common in VMs when QEMU uses KVM without using the "-cpu host" flag.
>
> The following is a repro, and can be triggered from unprivileged users. Multishot KASAN shows multiple UAF reads and writes, and ends up panicking the system with a null dereference.
As you can test this, please provide a working backport of that commit
to the 6.1.y tree if you wish to see it applied to that kernel version
as it does not apply cleanly as-is.
Same for older kernel versions if you think it should be applied there
as well.
thanks,
greg k-h
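As an added example, not part of this thread, a defender-side audit of the situation the report describes: parse the kernel's /proc/crypto registrations and report which algorithms the crypto API would currently serve through a cryptd(...) wrapper (the highest-priority driver for the name), which is the async path that tls_decrypt_sg in 6.1 mishandles. The embedded input is a constructed /proc/crypto excerpt with illustrative priority values; on a live host the script reads the real file.

```python
import os
from typing import Dict, List, Optional

# Constructed excerpt in /proc/crypto's "key : value" block layout (not captured
# from any real host; priority numbers are illustrative only).
SAMPLE_PROC_CRYPTO = """\
name         : gcm(aes)
driver       : cryptd(generic-gcm-aesni)
module       : cryptd
priority     : 450
type         : aead
async        : yes

name         : gcm(aes)
driver       : generic-gcm-aesni
module       : aesni_intel
priority     : 400
type         : aead
async        : yes

name         : ghash
driver       : ghash-generic
module       : ghash_generic
priority     : 100
type         : shash
async        : no
"""

def parse_proc_crypto(text: str) -> List[Dict[str, str]]:
    """Split /proc/crypto-style text into one dict per blank-line-separated entry."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries

def preferred_driver(entries: List[Dict[str, str]], alg_name: str) -> Optional[Dict[str, str]]:
    """Highest-priority registration for alg_name, i.e. the one the crypto API picks."""
    candidates = [e for e in entries if e.get("name") == alg_name]
    return max(candidates, key=lambda e: int(e.get("priority", "0")), default=None)

def cryptd_wrapped_algorithms(entries: List[Dict[str, str]], names=("gcm(aes)", "ghash")) -> List[str]:
    """Names whose winning driver is a cryptd(...) wrapper, so requests go to a cryptd worker."""
    flagged = []
    for name in names:
        drv = preferred_driver(entries, name)
        if drv is not None and drv.get("driver", "").startswith("cryptd("):
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    src = open("/proc/crypto").read() if os.path.exists("/proc/crypto") else SAMPLE_PROC_CRYPTO
    print("cryptd-served algorithms:", cryptd_wrapped_algorithms(parse_proc_crypto(src)))
```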