CVE-2024-56690 - Linux Kernel Crypto PCrypt resolved: Call Crypto Layer Directly When Padata_Do_Parallel() Returns -EBUSY

In the Linux kernel, a vulnerability has been resolved with regards to the crypto pcrypt subsystem. The vulnerability is identified as CVE-2024-56690 and affects the proper functioning of encryption and decryption processes in the kernel. The Linux kernel developers have introduced a patch to fix this issue. In this article, we will discuss the vulnerability details, the newly introduced changes in the Linux kernel source code, and provide links to the original references.

Vulnerability Details

In the Linux kernel, the crypto pcrypt subsystem handles the parallel processing of cryptographic operations to improve overall performance. However, since commit 8f4f68e788c3 ("crypto: pcrypt - Fix hungtask for PADATA_RESET"), pcrypt encryption and decryption operations return -EAGAIN when the CPU goes online or offline. This causes a warning to be generated in alg_test(), and when panic_on_warn is set to 1, an unnecessary panic will occur.

To fix this issue, the developers proposed calling the crypto layer directly without parallelization in case padata_do_parallel() returns -EBUSY.

Here is the code change introduced to fix the issue

if (ret == -EBUSY) {
    /* Call crypto layer directly when padata_do_parallel() return -EBUSY */
    pcrypt_aead_encrypt_single(req);
    cryptd_aead_enqueue_request(&pcrypt->queue, req);
} else if (ret < ) {
     aead_request_complete(req, ret);
}

This code snippet shows that when padata_do_parallel() returns -EBUSY, pcrypt_aead_encrypt_single() and cryptd_aead_enqueue_request() will be called directly, bypassing the padata_do_parallel() call.

For more information on this vulnerability and its resolution, please refer to the following links

- CVE-2024-56690 Patch - This is a link to the official commit that introduces the patch to fix the vulnerability in the Linux kernel source code repository.
- Linux Kernel Mailing List Discussion - This is a link to the discussions on the Linux Kernel Mailing List, where the vulnerability was reported, and the patch was proposed and reviewed by the Linux kernel developer community.
- Commit 8f4f68e788c3 - This is the link to the problematic commit that introduces the -EAGAIN return value in the pcrypt encryption and decryption operations.

Exploit Details

Currently, there have been no public exploits targeting this vulnerability. However, it is essential to apply the patch and update the Linux kernel to the latest version to ensure the system is protected against potential threats.

In conclusion, the Linux kernel developers have resolved a vulnerability in the crypto pcrypt subsystem by introducing a patch that changes how encryption and decryption operations are handled in certain conditions. It is crucial for system administrators and users to apply this patch and keep their systems up-to-date to maintain system stability and security.

Timeline

Published on: 12/28/2024 10:15:13 UTC
Last modified on: 01/20/2025 06:26:16 UTC