ACK: [SRU][M][PATCH 0/1] CVE-2024-26789

Stefan Bader stefan.bader at canonical.com
Tue Apr 23 09:51:00 UTC 2024


On 12.04.24 00:36, Bethany Jamison wrote:
> [Impact]
> 
>   In the Linux kernel, the following vulnerability has been resolved:
> 
>   crypto: arm64/neonbs - fix out-of-bounds access on short input
> 
>   The bit-sliced implementation of AES-CTR operates on blocks of 128
>   bytes, and will fall back to the plain NEON version for tail blocks or
>   inputs that are shorter than 128 bytes to begin with.
> 
>   It will call straight into the plain NEON asm helper, which performs all
>   memory accesses in granules of 16 bytes (the size of a NEON register).
>   For this reason, the associated plain NEON glue code will copy inputs
>   shorter than 16 bytes into a temporary buffer, given that this is a rare
>   occurrence and it is not worth the effort to work around this in the asm
>   code.
> 
>   The fallback from the bit-sliced NEON version fails to take this into
>   account, potentially resulting in out-of-bounds accesses. So clone the
>   same workaround, and use a temp buffer for short in/outputs.
> 
> [Fix]
> 
> Mantic:	Clean cherry-pick.
> Jammy:	not-affected
> Focal:	not-affected
> Bionic:	not-affected
> Xenial:	not-affected
> Trusty:	not-affected
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> This fix affected those who use the crypto API framework, and issue
> with this fix would be visable with unpredicted behavior or potentially
> a system crash.
> 
> Ard Biesheuvel (1):
>    crypto: arm64/neonbs - fix out-of-bounds access on short input
> 
>   arch/arm64/crypto/aes-neonbs-glue.c | 11 +++++++++++
>   1 file changed, 11 insertions(+)
> 

Acked-by: Stefan Bader <stefan.bader at canonical.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 48643 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240423/91682b5d/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240423/91682b5d/attachment-0001.sig>


More information about the kernel-team mailing list