Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-27061— crypto: sun8i-ce - Fix use after free in unprepare

EPSS 0.02% · P4
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-27061

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
crypto: sun8i-ce - Fix use after free in unprepare
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: crypto: sun8i-ce - Fix use after free in unprepare sun8i_ce_cipher_unprepare should be called before crypto_finalize_skcipher_request, because client callbacks may immediately free memory, that isn't needed anymore. But it will be used by unprepare after free. Before removing prepare/unprepare callbacks it was handled by crypto engine in crypto_finalize_request. Usually that results in a pointer dereference problem during a in crypto selftest. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000004716d000 [0000000000000030] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP This problem is detected by KASAN as well. ================================================================== BUG: KASAN: slab-use-after-free in sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce] Read of size 8 at addr ffff00000dcdc040 by task 1c15000.crypto-/373 Hardware name: Pine64 PinePhone (1.2) (DT) Call trace: dump_backtrace+0x9c/0x128 show_stack+0x20/0x38 dump_stack_lvl+0x48/0x60 print_report+0xf8/0x5d8 kasan_report+0x90/0xd0 __asan_load8+0x9c/0xc0 sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce] crypto_pump_work+0x354/0x620 [crypto_engine] kthread_worker_fn+0x244/0x498 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Allocated by task 379: kasan_save_stack+0x3c/0x68 kasan_set_track+0x2c/0x40 kasan_save_alloc_info+0x24/0x38 __kasan_kmalloc+0xd4/0xd8 __kmalloc+0x74/0x1d0 alg_test_skcipher+0x90/0x1f0 alg_test+0x24c/0x830 cryptomgr_test+0x38/0x60 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Freed by task 379: kasan_save_stack+0x3c/0x68 kasan_set_track+0x2c/0x40 kasan_save_free_info+0x38/0x60 __kasan_slab_free+0x100/0x170 slab_free_freelist_hook+0xd4/0x1e8 __kmem_cache_free+0x15c/0x290 kfree+0x74/0x100 kfree_sensitive+0x80/0xb0 alg_test_skcipher+0x12c/0x1f0 alg_test+0x24c/0x830 cryptomgr_test+0x38/0x60 kthread+0x168/0x178 ret_from_fork+0x10/0x20 The buggy address belongs to the object at ffff00000dcdc000 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 64 bytes inside of freed 256-byte region [ffff00000dcdc000, ffff00000dcdc100)
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于内存释放后重用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 4136212ab18eb3dce6efb6e18108765c36708f71 ~ dc60b25540c82fc4baa95d1458ae96ead21859e0 -
LinuxLinux 6.6 -

II. Public POCs for CVE-2024-27061

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2024-27061

登录查看更多情报信息。

Same Patch Batch · Linux · 2024-05-01 · 159 CVEs total

CVE-2024-27037clk: zynq: Prevent null pointer dereference caused by kmalloc failure
CVE-2024-27028spi: spi-mt65xx: Fix NULL pointer access in interrupt handler
CVE-2024-27029drm/amdgpu: fix mmhub client id out-of-bounds access
CVE-2024-27030octeontx2-af: Use separate handlers for interrupts
CVE-2024-27031NFS: Fix nfs_netfs_issue_read() xarray locking for writeback interrupt
CVE-2024-27032f2fs: fix to avoid potential panic during recovery
CVE-2024-27033f2fs: fix to remove unnecessary f2fs_bug_on() to avoid panic
CVE-2024-27034f2fs: compress: fix to cover normal cluster write with cp_rwsem
CVE-2024-27035f2fs: compress: fix to guarantee persisting compressed blocks by CP
CVE-2024-27036cifs: Fix writeback data corruption
CVE-2024-27043media: edia: dvbdev: fix a use-after-free
CVE-2024-27047net: phy: fix phy_get_internal_delay accessing an empty array
CVE-2024-27046nfp: flower: handle acti_netdevs allocation failure
CVE-2024-27045drm/amd/display: Fix a potential buffer overflow in 'dp_dsc_clock_en_read()'
CVE-2024-27044drm/amd/display: Fix potential NULL pointer dereferences in 'dcn10_set_output_transfer_fun
CVE-2024-27040drm/amd/display: Add 'replay' NULL check in 'edp_set_replay_allow_active()'
CVE-2024-27038clk: Fix clk_core_get NULL dereference
CVE-2024-27039clk: hisilicon: hi3559a: Fix an erroneous devm_kfree()
CVE-2023-52650drm/tegra: dsi: Add missing check for of_find_device_by_node
CVE-2024-27041drm/amd/display: fix NULL checks for adev->dm.dc in amdgpu_dm_fini()

Showing top 20 of 159 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2024-27061

No comments yet

Leave a comment