From: Greg KH <gregkh@linuxfoundation.org>
To: William Liu <will@willsroot.io>
Cc: "stable@vger.kernel.org" <stable@vger.kernel.org>,
"sd@queasysnail.net" <sd@queasysnail.net>,
Jakub Kicinski <kuba@kernel.org>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
Savy <savy@syst3mfailure.io>,
"john.fastabend@gmail.com" <john.fastabend@gmail.com>,
"borisp@nvidia.com" <borisp@nvidia.com>
Subject: Re: [BUG] Missing backport for UAF fix in interaction between tls_decrypt_sg and cryptd_queue_worker
Date: Tue, 12 Aug 2025 10:51:37 +0200 [thread overview]
Message-ID: <2025081250-slaw-seltzer-4650@gregkh> (raw)
In-Reply-To: <he2K1yz_u7bZ-CnYcTSQ4OxuLuHZXN6xZRgp6_ICSWnq8J5FpI_uD1i_1lTSf7WMrYb5ThiX1OR2GTOB2IltgT49Koy7Hhutr4du4KtLvyk=@willsroot.io>
On Mon, Aug 11, 2025 at 05:03:47PM +0000, William Liu wrote:
> Hi all,
>
> Commit 41532b785e (tls: separate no-async decryption request handling from async) [1] actually covers a UAF read and write bug in the kernel, and should be backported to 6.1. As of now, it has only been backported to 6.6, back from the time when the patch was committed. The commit mentions a non-reproducible UAF that was previously observed, but we managed to hit the vulnerable case.
>
> The vulnerable case is when a user wraps an existing crypto algorithm (such as gcm or ghash) in cryptd. By default, cryptd-wrapped algorithms have a higher priority than the base variant. tls_decrypt_sg allocates the aead request, and triggers the crypto handling with tls_do_decryption. When the crypto is handled by cryptd, it gets dispatched to a worker that handles it and initially returns EINPROGRESS. While older LTS versions (5.4, 5.10, and 5.15) seem to have an additional crypto_wait_req call in those cases, 6.1 just returns success and frees the aead request. The cryptd worker could still be operating in this case, which causes a UAF.
>
> However, this vulnerability only occurs when the CPU is without AVX support (perhaps this is why there were reproducibility difficulties). With AVX, aesni_init calls simd_register_aeads_compat to force the crypto subsystem to use the SIMD version and avoids the async issues raised by cryptd. While I doubt many people are using host systems without AVX these days, this environment is pretty common in VMs when QEMU uses KVM without using the "-cpu host" flag.
>
> The following is a repro, and can be triggered from unprivileged users. Multishot KASAN shows multiple UAF reads and writes, and ends up panicking the system with a null dereference.
As you can test this, please provide a working backport of that commit
to the 6.1.y tree if you wish to see it applied to that kernel version
as it does not apply cleanly as-is.
Same for older kernel versions if you think it should be applied there
as well.
thanks,
greg k-h
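A userspace model of the ordering William describes above, added here as an example (not code from this thread or from the kernel): `struct req`, `pending`, `submit`, `run_worker`, `wait_req`, `decrypt_without_wait` and `decrypt_with_wait` are assumed names standing in for the aead request, the cryptd work queue and worker, `crypto_wait_req`, and the two `tls_do_decryption` orderings. Treating -EINPROGRESS as success and freeing the request lets the deferred worker write into released memory; waiting for completion first does not.

```c
#include <errno.h>
#include <stdbool.h>

/* Single-threaded model of the ordering in the report (names are assumptions,
 * not kernel identifiers): a cryptd-like backend queues the request, returns
 * -EINPROGRESS, and a worker later writes the result back into the request. */
struct req {
    bool done, released;       /* completed by worker / "freed" by caller */
    int err;                   /* completion status, like wait->err */
    int writes_after_release;  /* each would be a UAF write in the kernel */
};
static struct req *pending;    /* the cryptd-style work queue (one slot) */

static void run_worker(void) { /* deferred worker, runs when the queue drains */
    struct req *r = pending;
    if (!r) return;
    pending = 0;
    if (r->released) r->writes_after_release++; /* writes into a freed request */
    r->err = 0; r->done = true; /* result written back into the request */
}

/* Async submit: queue the work and report -EINPROGRESS, as cryptd does. */
static int submit(struct req *r) {
    *r = (struct req){0};
    pending = r;
    return -EINPROGRESS;
}

/* Model of crypto_wait_req(): sync results pass through, async ones wait. */
static int wait_req(int err, struct req *r) {
    if (err != -EINPROGRESS && err != -EBUSY) return err;
    while (!r->done) run_worker();
    return r->err;
}

/* 6.1 ordering from the report: -EINPROGRESS taken as success, then free. */
static int decrypt_without_wait(struct req *r) {
    int err = submit(r);
    if (err == -EINPROGRESS) err = 0;
    r->released = true;        /* stands in for freeing the aead request */
    run_worker();              /* the worker is scheduled afterwards */
    return err;
}

/* Ordering with the wait: the request is freed only after completion. */
static int decrypt_with_wait(struct req *r) {
    int err = wait_req(submit(r), r);
    r->released = true;
    return err;
}
```

The `writes_after_release` counter is what KASAN would flag in the real kernel; with the wait in place it stays at zero.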