In the Linux kernel, the following vulnerability has been resolved: net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 ("net: tls: handle backlogging of crypto requests"), has a use-after-free due to double cleanup of encrypt_pending and the scatterlist entry. When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. That callback unconditionally restores the scatterlist entry (sge->offset, sge->length) and decrements ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist. The double-decrement corrupts the encrypt_pending sentinel (initialized to 1), making tls_encrypt_async_wait() permanently skip the wait for pending async callbacks. A subsequent sendmsg can then free the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending, resulting in a use-after-free when the callback fires on the freed record. Fix this by skipping the synchronous cleanup when the -EBUSY async wait returns an error, since the callback has already handled encrypt_pending and sge restoration.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Type: Secondary
Exploitability Score: 3.9
Impact Score: 5.9
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
CWE-416
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdc9f5340> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bfc2a6340> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bfc2a76c0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdc9f4e40> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bde167180> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bde166d80> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bde165c00> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bfc2a4200> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bfc2a6e80> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bde166f40> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdd7df9c0> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bfc2a6400> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bfc3c7e80> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bfc132640> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:* |