CVE-2024-50047

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-50047
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-50047.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-50047
Downstream
Related
Published
2024-10-21T20:15:17Z
Modified
2025-08-09T19:01:28Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix UAF in async decryption

Doing an async decryption (large read) crashes with a slab-use-after-free way down in the crypto API.

Reproducer: # mount.cifs -o ...,seal,esize=1 //srv/share /mnt # dd if=/mnt/largefile of=/dev/null ... [ 194.196391] ================================================================== [ 194.196844] BUG: KASAN: slab-use-after-free in gf128mul4klle+0xc1/0x110 [ 194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899 [ 194.197707] [ 194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43 [ 194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014 [ 194.199046] Workqueue: smb3decryptd smb2decryptoffload [cifs] [ 194.200032] Call Trace: [ 194.200191] <TASK> [ 194.200327] dumpstacklvl+0x4e/0x70 [ 194.200558] ? gf128mul4klle+0xc1/0x110 [ 194.200809] printreport+0x174/0x505 [ 194.201040] ? pfxrawspinlockirqsave+0x10/0x10 [ 194.201352] ? srsoreturnthunk+0x5/0x5f [ 194.201604] ? _virtaddrvalid+0xdf/0x1c0 [ 194.201868] ? gf128mul4klle+0xc1/0x110 [ 194.202128] kasanreport+0xc8/0x150 [ 194.202361] ? gf128mul4klle+0xc1/0x110 [ 194.202616] gf128mul4klle+0xc1/0x110 [ 194.202863] ghashupdate+0x184/0x210 [ 194.203103] shashahashupdate+0x184/0x2a0 [ 194.203377] ? _pfxshashahashupdate+0x10/0x10 [ 194.203651] ? srsoreturnthunk+0x5/0x5f [ 194.203877] ? cryptogcminitcommon+0x1ba/0x340 [ 194.204142] gcmhashassocremaincontinue+0x10a/0x140 [ 194.204434] cryptmessage+0xec1/0x10a0 [cifs] [ 194.206489] ? _pfxcryptmessage+0x10/0x10 [cifs] [ 194.208507] ? srsoreturnthunk+0x5/0x5f [ 194.209205] ? srsoreturnthunk+0x5/0x5f [ 194.209925] ? srsoreturnthunk+0x5/0x5f [ 194.210443] ? srsoreturnthunk+0x5/0x5f [ 194.211037] decryptrawdata+0x15f/0x250 [cifs] [ 194.212906] ? _pfxdecryptrawdata+0x10/0x10 [cifs] [ 194.214670] ? srsoreturnthunk+0x5/0x5f [ 194.215193] smb2decryptoffload+0x12a/0x6c0 [cifs]

This is because TFM is being used in parallel.

Fix this by allocating a new AEAD TFM for async decryption, but keep the existing one for synchronous READ cases (similar to what is done in smb3calcsignature()).

Also remove the calls to aeadrequestsetcallback() and cryptowait_req() since it's always going to be a synchronous operation.

References

Affected packages