CVE-2024-27061

In the Linux kernel, the following vulnerability has been resolved:

crypto: sun8i-ce - Fix use after free in unprepare

sun8icecipherunprepare should be called before cryptofinalizeskcipherrequest, because client callbacks may immediately free memory, that isn't needed anymore. But it will be used by unprepare after free. Before removing prepare/unprepare callbacks it was handled by crypto engine in cryptofinalizerequest.

Usually that results in a pointer dereference problem during a in crypto selftest. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000004716d000 [0000000000000030] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP

This problem is detected by KASAN as well. ================================================================== BUG: KASAN: slab-use-after-free in sun8icecipherdoone+0x6e8/0xf80 [sun8i_ce] Read of size 8 at addr ffff00000dcdc040 by task 1c15000.crypto-/373

Hardware name: Pine64 PinePhone (1.2) (DT) Call trace: dumpbacktrace+0x9c/0x128 showstack+0x20/0x38 dumpstacklvl+0x48/0x60 printreport+0xf8/0x5d8 kasanreport+0x90/0xd0 _asanload8+0x9c/0xc0 sun8icecipherdoone+0x6e8/0xf80 [sun8ice] cryptopumpwork+0x354/0x620 [cryptoengine] kthreadworkerfn+0x244/0x498 kthread+0x168/0x178 retfromfork+0x10/0x20

Allocated by task 379: kasansavestack+0x3c/0x68 kasansettrack+0x2c/0x40 kasansaveallocinfo+0x24/0x38 _kasankmalloc+0xd4/0xd8 _kmalloc+0x74/0x1d0 algtestskcipher+0x90/0x1f0 algtest+0x24c/0x830 cryptomgrtest+0x38/0x60 kthread+0x168/0x178 retfromfork+0x10/0x20

Freed by task 379: kasansavestack+0x3c/0x68 kasansettrack+0x2c/0x40 kasansavefreeinfo+0x38/0x60 _kasanslabfree+0x100/0x170 slabfreefreelisthook+0xd4/0x1e8 _kmemcachefree+0x15c/0x290 kfree+0x74/0x100 kfreesensitive+0x80/0xb0 algtestskcipher+0x12c/0x1f0 algtest+0x24c/0x830 cryptomgrtest+0x38/0x60 kthread+0x168/0x178 retfrom_fork+0x10/0x20

The buggy address belongs to the object at ffff00000dcdc000 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 64 bytes inside of freed 256-byte region [ffff00000dcdc000, ffff00000dcdc100)