A security vulnerability was recently identified and fixed in the Linux kernel's TLS subsystem (net: tls). The bug lay in how the kernel TLS code handled backlogged crypto API requests, which could potentially lead to a compromise of system security. It has been assigned the identifier CVE-2024-26584. In this post we give an overview of the vulnerability, discuss its implications, and describe how it was resolved.

Background on the Vulnerability

The vulnerability exists because the kernel TLS code sets the CRYPTO_TFM_REQ_MAY_BACKLOG flag on its crypto API requests, and with that flag set crypto_aead_encrypt() and crypto_aead_decrypt() can legitimately return -EBUSY instead of -EINPROGRESS.

For example, when the cryptd queue for AESNI is full (easy to trigger with an artificially low cryptd.cryptd_max_cpu_qlen), new requests are placed on the backlog but are still processed. In that case the async completion callback is also called twice: first with err == -EINPROGRESS, which can be ignored, and then again with the real completion status once the backlogged request has been processed.

The problem was originally found by Sabrina, who provided a patch changing this behavior. The merged fix, however, uses the new tls_*crypt_async_wait() helpers and converts the -EBUSY return into -EINPROGRESS so that none of the existing error-handling paths need to change. The handling is otherwise identical, and the vulnerability is resolved.

Details of the Solution

Sabrina's original patch can be found [here](link to the original patch). The merged fix uses the tls_*crypt_async_wait() helpers instead; the handling is otherwise identical.

The updated code snippet (a fragment from the end of the affected function):

```c
if (should_wait) {
	err = tls_crypt_async_wait(req);
	if (unlikely(err == -EBUSY)) {
		/* We got backlogged, but still completed */
		err = -EINPROGRESS;
	}
} else {
	err = -EINPROGRESS;
}

return err;
}
```

By using the tls_*crypt_async_wait() helpers and adjusting the error handling, the patch ensures that crypto requests are handled correctly even when they are backlogged, fixing CVE-2024-26584.
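To make the mechanism from the Background section and the fix described above concrete, here is a small userspace model. It is an added illustration written for this post, not kernel code and not either patch: a fake crypto_aead_encrypt() that returns -EBUSY once a tiny queue is full, a completion callback that fires twice for backlogged requests, and a submit loop run once with the pre-fix handling (any return other than -EINPROGRESS is treated as a hard error) and once with the patched handling (wait for the backlog to flush, convert -EBUSY to -EINPROGRESS, ignore the first -EINPROGRESS completion). The queue length, struct names, fake_aead_encrypt(), fake_async_wait(), tls_done() and run() are all constructed here and do not exist in the kernel.

```c
/* Userspace model of the crypto API backlog behaviour described above.
 * Added illustration, not kernel code: queue, callback delivery and both
 * handlers are constructed; only the error codes and call order come
 * from the description of the bug. */
#include <errno.h>
#include <stdio.h>

#define QLEN 1      /* stand-in for a tiny cryptd.cryptd_max_cpu_qlen (constructed) */
#define NREQ 3      /* records submitted per scenario (constructed) */

struct tls_ctx {
	int pending;    /* requests the TLS side believes are in flight */
	int completed;  /* results the completion callback consumed */
	int failures;   /* requests reported to the caller as failed */
	int fixed;      /* 1 = apply the patched handling */
};

struct req {
	struct tls_ctx *ctx;
	int backlogged; /* crypto layer returned -EBUSY for this request */
	int done;       /* callbacks already delivered */
};

/* Completion callback. A backlogged request is completed twice:
 * ->complete(-EINPROGRESS) when the backlog accepts it, then
 * ->complete(result) when it has really been processed. */
static void tls_done(struct req *r, int err)
{
	if (err == -EINPROGRESS && r->ctx->fixed)
		return;         /* patched: the first call carries no result */
	r->ctx->pending--;
	r->ctx->completed++;
}

/* Simulated crypto_aead_encrypt() with CRYPTO_TFM_REQ_MAY_BACKLOG set:
 * -EINPROGRESS if queued, -EBUSY if the queue is full and the request
 * was placed on the backlog (it is still processed later). */
static int fake_aead_encrypt(struct req *r, int *queued)
{
	r->backlogged = (*queued >= QLEN);
	if (!r->backlogged)
		(*queued)++;
	return r->backlogged ? -EBUSY : -EINPROGRESS;
}

/* Simulated tls_encrypt_async_wait(): flush queue and backlog, delivering
 * callbacks in the order described above. Returns 0 on success. */
static int fake_async_wait(struct req *reqs, int n, int *queued)
{
	for (int i = 0; i < n; i++) {
		if (reqs[i].done)
			continue;
		if (reqs[i].backlogged)
			tls_done(&reqs[i], -EINPROGRESS);
		tls_done(&reqs[i], 0);
		reqs[i].done = 1;
	}
	*queued = 0;
	return 0;
}

/* Submit NREQ records through the pre-fix or the patched handling and
 * return the in-flight count the TLS side is left with (should be 0). */
static int run(struct tls_ctx *ctx)
{
	struct req reqs[NREQ] = {0};
	int queued = 0;

	for (int i = 0; i < NREQ; i++) {
		reqs[i].ctx = ctx;
		ctx->pending++;
		int rc = fake_aead_encrypt(&reqs[i], &queued);
		if (rc == -EBUSY && ctx->fixed) {
			/* patched: wait for the backlog to flush, then carry on
			 * exactly as for any other asynchronous request */
			rc = fake_async_wait(reqs, i + 1, &queued);
			rc = rc ? rc : -EINPROGRESS;
		}
		if (rc != -EINPROGRESS) {
			/* pre-fix: anything but -EINPROGRESS is a hard error,
			 * although the request is still sitting on the backlog */
			ctx->pending--;
			ctx->failures++;
		}
	}
	fake_async_wait(reqs, NREQ, &queued);   /* everything eventually completes */
	return ctx->pending;
}

int main(void)
{
	struct tls_ctx before = { .fixed = 0 }, after = { .fixed = 1 };
	int p_before = run(&before);
	int p_after = run(&after);

	printf("pre-fix: pending=%d completed=%d failures=%d\n",
	       p_before, before.completed, before.failures);
	printf("patched: pending=%d completed=%d failures=%d\n",
	       p_after, after.completed, after.failures);
	return 0;
}
```

With the pre-fix handling the caller is told that two of the three records failed even though the crypto layer still processes them, and the in-flight counter ends at -4 after five completions for three requests; with the patched handling every record completes exactly once and the counter returns to zero. That mismatch between what the TLS layer believes about a request and what the crypto layer actually does with it is the state the fix removes.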

Conclusion

It is essential to keep your Linux kernel up to date, both for security and for the overall stability and performance of your system. It is therefore highly recommended to apply the security patch for CVE-2024-26584 as soon as possible.

For more details about the vulnerability and its resolution, see the [official Linux kernel mailing list post](link to the mailing list post) where the issue was addressed, [Sabrina's original patch](link to the original patch), and [the updated solution](link to the updated solution) on GitHub.

Timeline

Published on: 02/21/2024 15:15:09 UTC
Last modified on: 04/30/2024 19:35:07 UTC