CVE-2024-26800: tls: fix use-after-free on failed backlog decryption

First published: Thu Apr 04 2024(Updated: )

In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.

Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/severity
• agent/weakness
• agent/title
• agent/first-publish-date
• agent/type
• collector/nvd-api
• source/NVD
• collector/mitre-cve
• source/MITRE
• agent/last-modified-date
• collector/usn-cve
• source/Ubuntu
• collector/launchpad-cve
• source/Launchpad
• collector/nvd-cve
• agent/references
• agent/author
• collector/security-tracker-debian
• source/Debian
• agent/software-canonical-lookup
• agent/softwarecombine
• agent/tags
• agent/description
• agent/event
• package-manager/debian