nvd-json-data-feeds/CVE-2024/CVE-2024-500xx/CVE-2024-50047.json

{
  "id": "CVE-2024-50047",
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "published": "2024-10-21T20:15:17.507",
  "lastModified": "2024-10-23T22:16:21.783",
  "vulnStatus": "Analyzed",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix UAF in async decryption\n\nDoing an async decryption (large read) crashes with a\nslab-use-after-free way down in the crypto API.\n\nReproducer:\n    # mount.cifs -o ...,seal,esize=1 //srv/share /mnt\n    # dd if=/mnt/largefile of=/dev/null\n    ...\n    [  194.196391] ==================================================================\n    [  194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110\n    [  194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899\n    [  194.197707]\n    [  194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43\n    [  194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014\n    [  194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs]\n    [  194.200032] Call Trace:\n    [  194.200191]  <TASK>\n    [  194.200327]  dump_stack_lvl+0x4e/0x70\n    [  194.200558]  ? gf128mul_4k_lle+0xc1/0x110\n    [  194.200809]  print_report+0x174/0x505\n    [  194.201040]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n    [  194.201352]  ? srso_return_thunk+0x5/0x5f\n    [  194.201604]  ? __virt_addr_valid+0xdf/0x1c0\n    [  194.201868]  ? gf128mul_4k_lle+0xc1/0x110\n    [  194.202128]  kasan_report+0xc8/0x150\n    [  194.202361]  ? gf128mul_4k_lle+0xc1/0x110\n    [  194.202616]  gf128mul_4k_lle+0xc1/0x110\n    [  194.202863]  ghash_update+0x184/0x210\n    [  194.203103]  shash_ahash_update+0x184/0x2a0\n    [  194.203377]  ? __pfx_shash_ahash_update+0x10/0x10\n    [  194.203651]  ? srso_return_thunk+0x5/0x5f\n    [  194.203877]  ? crypto_gcm_init_common+0x1ba/0x340\n    [  194.204142]  gcm_hash_assoc_remain_continue+0x10a/0x140\n    [  194.204434]  crypt_message+0xec1/0x10a0 [cifs]\n    [  194.206489]  ? __pfx_crypt_message+0x10/0x10 [cifs]\n    [  194.208507]  ? srso_return_thunk+0x5/0x5f\n    [  194.209205]  ? srso_return_thunk+0x5/0x5f\n    [  194.209925]  ? srso_return_thunk+0x5/0x5f\n    [  194.210443]  ? srso_return_thunk+0x5/0x5f\n    [  194.211037]  decrypt_raw_data+0x15f/0x250 [cifs]\n    [  194.212906]  ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]\n    [  194.214670]  ? srso_return_thunk+0x5/0x5f\n    [  194.215193]  smb2_decrypt_offload+0x12a/0x6c0 [cifs]\n\nThis is because TFM is being used in parallel.\n\nFix this by allocating a new AEAD TFM for async decryption, but keep\nthe existing one for synchronous READ cases (similar to what is done\nin smb3_calc_signature()).\n\nAlso remove the calls to aead_request_set_callback() and\ncrypto_wait_req() since it's always going to be a synchronous operation."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: cliente: corregir UAF en descifrado asincr\u00f3nico Al realizar un descifrado asincr\u00f3nico (lectura grande), se produce un bloqueo con un m\u00e9todo slab-use-after-free en la API de cifrado. Reproductor: # mount.cifs -o ...,seal,esize=1 //srv/share /mnt # dd if=/mnt/largefile of=/dev/null ... [ 194.196391] ===================================================================== [ 194.196844] ERROR: KASAN: slab-use-after-free en gf128mul_4k_lle+0xc1/0x110 [ 194.197269] Lectura de tama\u00f1o 8 en la direcci\u00f3n ffff888112bd0448 por la tarea kworker/u77:2/899 [ 194.197707] [ 194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 No contaminado 6.11.0-lku-00028-gfca3ca14a17a-dirty #43 [ 194.198400] Nombre del hardware: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014 [ 194.199046] Cola de trabajo: smb3decryptd smb2_decrypt_offload [cifs] [ 194.200032] Seguimiento de llamadas: [ 194.200191]  [ [194.200327] dump_stack_lvl+0x4e/0x70 [194.200558] ? gf128mul_4k_lle+0xc1/0x110 [194.200809] print_report+0x174/0x505 [194.201040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [194.201352] ? srso_return_thunk+0x5/0x5f [194.201604] ? __virt_addr_valid+0xdf/0x1c0 [194.201868] ? gf128mul_4k_lle+0xc1/0x110 [ 194.202128] kasan_report+0xc8/0x150 [ 194.202361] ? gf128mul_4k_lle+0xc1/0x110 [ 194.202616] gf128mul_4k_lle+0xc1/0x110 [ 194.202863] ghash_update+0x184/0x210 [ 194.203103] shash_ahash_update+0x184/0x2a0 [ 194.203377] ? __pfx_shash_ahash_update+0x10/0x10 [ 194.203651] ? srso_return_thunk+0x5/0x5f [ 194.203877] ? crypto_gcm_init_common+0x1ba/0x340 [ 194.204142] gcm_hash_assoc_remain_continue+0x10a/0x140 [ 194.204434] crypt_message+0xec1/0x10a0 [cifs] [ 194.206489] ? __pfx_crypt_message+0x10/0x10 [cifs] [ 194.208507] ? srso_return_thunk+0x5/0x5f [ 194.209205] ? srso_return_thunk+0x5/0x5f [ 194.209925] ? srso_return_thunk+0x5/0x5f [ 194.210443] ? srso_return_thunk+0x5/0x5f [ 194.211037] decrypt_raw_data+0x15f/0x250 [cifs] [ 194.212906] ? __pfx_decrypt_raw_data+0x10/0x10 [cifs] [ 194.214670] ? srso_return_thunk+0x5/0x5f [ 194.215193] smb2_decrypt_offload+0x12a/0x6c0 [cifs] Esto se debe a que TFM se est\u00e1 utilizando en paralelo. Solucione esto asignando un nuevo TFM AEAD para el descifrado asincr\u00f3nico, pero conserve el existente para los casos de LECTURA sincr\u00f3nica (similar a lo que se hace en smb3_calc_signature()). Tambi\u00e9n elimine las llamadas a aead_request_set_callback() y crypto_wait_req() ya que siempre ser\u00e1 una operaci\u00f3n sincr\u00f3nica."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "attackVector": "LOCAL",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "versionEndExcluding": "6.6.57",
              "matchCriteriaId": "D50B3F37-2EA9-4348-B50C-34DCAAF2076E"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "6.7",
              "versionEndExcluding": "6.11.4",
              "matchCriteriaId": "AA84D336-CE9A-4535-B901-1AD77EC17C34"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://git.kernel.org/stable/c/0809fb86ad13b29e1d6d491364fc7ea4fb545995",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/538c26d9bf70c90edc460d18c81008a4e555925a",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/b0abcd65ec545701b8793e12bc27dc98042b151a",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    }
  ]
}