In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - zero initialize memory allocated via sock_kmalloc Several crypto user API contexts and requests allocated with sock_kmalloc() were left uninitialized, relying on callers to set fields explicitly. This resulted in the use of uninitialized data in certain error paths or when new fields are added in the future. The ACVP patches also contain two user-space interface files: algif_kpp.c and algif_akcipher.c. These too rely on proper initialization of their context structures. A particular issue has been observed with the newly added 'inflight' variable introduced in af_alg_ctx by commit: 67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests") Because the context is not memset to zero after allocation, the inflight variable has contained garbage values. As a result, af_alg_alloc_areq() has incorrectly returned -EBUSY randomly when the garbage value was interpreted as true: https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209 The check directly tests ctx->inflight without explicitly comparing against true/false. Since inflight is only ever set to true or false later, an uninitialized value has triggered -EBUSY failures. Zero-initializing memory allocated with sock_kmalloc() ensures inflight and other fields start in a known state, removing random issues caused by uninitialized data.
En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: crypto: af_alg - inicializar a cero la memoria asignada a través de sock_kmalloc Varios contextos y solicitudes de API de usuario de criptografía asignados con sock_kmalloc() quedaron sin inicializar, dependiendo de que los llamadores establecieran los campos explícitamente. Esto resultó en el uso de datos no inicializados en ciertas rutas de error o cuando se añadan nuevos campos en el futuro. Los parches ACVP también contienen dos archivos de interfaz de espacio de usuario: algif_kpp.c y algif_akcipher.c. Estos también dependen de la inicialización adecuada de sus estructuras de contexto. Se ha observado un problema particular con la variable 'inflight' recién añadida introducida en af_alg_ctx por el commit: 67b164a871af ('crypto: af_alg - Disallow multiple in-flight AIO requests') Debido a que el contexto no se inicializa a cero con memset después de la asignación, la variable inflight ha contenido valores basura. Como resultado, af_alg_alloc_areq() ha devuelto incorrectamente -EBUSY de forma aleatoria cuando el valor basura fue interpretado como verdadero: https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209 La comprobación prueba directamente ctx->inflight sin comparar explícitamente con verdadero/falso. Dado que inflight solo se establece como verdadero o falso más tarde, un valor no inicializado ha provocado fallos -EBUSY. La inicialización a cero de la memoria asignada con sock_kmalloc() asegura que inflight y otros campos comiencen en un estado conocido, eliminando problemas aleatorios causados por datos no inicializados.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
CWE-908
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdc9f49c0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd6f68c0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdc5e88c0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdc9f7fc0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdc9f67c0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdc9f43c0> | Operating System |
| linux | linux_kernel | 2.6.38 | <built-in method update of dict object at 0x702bdc9f76c0> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bdc9f5ac0> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bdc9f4240> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bdc9f66c0> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bdc9f4ec0> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bdc9f5380> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bdc5ea5c0> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bdc9f5180> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bdc9f7b00> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.38:-:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:* |