cve/published/2023/CVE-2023-52813.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52813: crypto: pcrypt - Fix hungtask for PADATA_RESET

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 crypto: pcrypt - Fix hungtask for PADATA_RESET

 We found a hungtask bug in test_aead_vec_cfg as follows:

 INFO: task cryptomgr_test:391009 blocked for more than 120 seconds.
 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
 Call trace:
  __switch_to+0x98/0xe0
  __schedule+0x6c4/0xf40
  schedule+0xd8/0x1b4
  schedule_timeout+0x474/0x560
  wait_for_common+0x368/0x4e0
  wait_for_completion+0x20/0x30
  wait_for_completion+0x20/0x30
  test_aead_vec_cfg+0xab4/0xd50
  test_aead+0x144/0x1f0
  alg_test_aead+0xd8/0x1e0
  alg_test+0x634/0x890
  cryptomgr_test+0x40/0x70
  kthread+0x1e0/0x220
  ret_from_fork+0x10/0x18
  Kernel panic - not syncing: hung_task: blocked tasks

 For padata_do_parallel, when the return err is 0 or -EBUSY, it will call
 wait_for_completion(&wait->completion) in test_aead_vec_cfg. In normal
 case, aead_request_complete() will be called in pcrypt_aead_serial and the
 return err is 0 for padata_do_parallel. But, when pinst->flags is
 PADATA_RESET, the return err is -EBUSY for padata_do_parallel, and it
 won't call aead_request_complete(). Therefore, test_aead_vec_cfg will
 hung at wait_for_completion(&wait->completion), which will cause
 hungtask.

 The problem comes as following:
 (padata_do_parallel)                 |
     rcu_read_lock_bh();              |
     err = -EINVAL;                   |   (padata_replace)
                                      |     pinst->flags |= PADATA_RESET;
     err = -EBUSY                     |
     if (pinst->flags & PADATA_RESET) |
         rcu_read_unlock_bh()         |
         return err

 In order to resolve the problem, we replace the return err -EBUSY with
 -EAGAIN, which means parallel_data is changing, and the caller should call
 it again.

 v3:
 remove retry and just change the return err.
 v2:
 introduce padata_try_do_parallel() in pcrypt_aead_encrypt and
 pcrypt_aead_decrypt to solve the hungtask.

 The Linux kernel CVE team has assigned CVE-2023-52813 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.14.331 with commit fb2d3a50a8f29a3c66682bb426144f40e32ab818
 	Fixed in 4.19.300 with commit 039fec48e062504f14845124a1a25eb199b2ddc0
 	Fixed in 5.4.262 with commit c9c1334697301c10e6918d747ed38abfbc0c96e7
 	Fixed in 5.10.202 with commit e97bf4ada7dddacd184c3e196bd063b0dc71b41d
 	Fixed in 5.15.140 with commit 546c1796ad1ed0d87dab3c4b5156d75819be2316
 	Fixed in 6.1.64 with commit c55fc098fd9d2dca475b82d00ffbcaf97879d77e
 	Fixed in 6.5.13 with commit e134f3aba98e6c801a693f540912c2d493718ddf
 	Fixed in 6.6.3 with commit 372636debe852913529b1716f44addd94fff2d28
 	Fixed in 6.7 with commit 8f4f68e788c3a7a696546291258bfa5fdb215523

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52813
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	crypto/pcrypt.c
 	kernel/padata.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/fb2d3a50a8f29a3c66682bb426144f40e32ab818
 	https://git.kernel.org/stable/c/039fec48e062504f14845124a1a25eb199b2ddc0
 	https://git.kernel.org/stable/c/c9c1334697301c10e6918d747ed38abfbc0c96e7
 	https://git.kernel.org/stable/c/e97bf4ada7dddacd184c3e196bd063b0dc71b41d
 	https://git.kernel.org/stable/c/546c1796ad1ed0d87dab3c4b5156d75819be2316
 	https://git.kernel.org/stable/c/c55fc098fd9d2dca475b82d00ffbcaf97879d77e
 	https://git.kernel.org/stable/c/e134f3aba98e6c801a693f540912c2d493718ddf
 	https://git.kernel.org/stable/c/372636debe852913529b1716f44addd94fff2d28
 	https://git.kernel.org/stable/c/8f4f68e788c3a7a696546291258bfa5fdb215523
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52813: crypto: pcrypt - Fix hungtask for PADATA_RESET

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	crypto: pcrypt - Fix hungtask for PADATA_RESET

	We found a hungtask bug in test_aead_vec_cfg as follows:

	INFO: task cryptomgr_test:391009 blocked for more than 120 seconds.
	"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
	Call trace:
	__switch_to+0x98/0xe0
	__schedule+0x6c4/0xf40
	schedule+0xd8/0x1b4
	schedule_timeout+0x474/0x560
	wait_for_common+0x368/0x4e0
	wait_for_completion+0x20/0x30
	wait_for_completion+0x20/0x30
	test_aead_vec_cfg+0xab4/0xd50
	test_aead+0x144/0x1f0
	alg_test_aead+0xd8/0x1e0
	alg_test+0x634/0x890
	cryptomgr_test+0x40/0x70
	kthread+0x1e0/0x220
	ret_from_fork+0x10/0x18
	Kernel panic - not syncing: hung_task: blocked tasks

	For padata_do_parallel, when the return err is 0 or -EBUSY, it will call
	wait_for_completion(&wait->completion) in test_aead_vec_cfg. In normal
	case, aead_request_complete() will be called in pcrypt_aead_serial and the
	return err is 0 for padata_do_parallel. But, when pinst->flags is
	PADATA_RESET, the return err is -EBUSY for padata_do_parallel, and it
	won't call aead_request_complete(). Therefore, test_aead_vec_cfg will
	hung at wait_for_completion(&wait->completion), which will cause
	hungtask.

	The problem comes as following:
	(padata_do_parallel) \|
	rcu_read_lock_bh(); \|
	err = -EINVAL; \| (padata_replace)
	\| pinst->flags \|= PADATA_RESET;
	err = -EBUSY \|
	if (pinst->flags & PADATA_RESET) \|
	rcu_read_unlock_bh() \|
	return err

	In order to resolve the problem, we replace the return err -EBUSY with
	-EAGAIN, which means parallel_data is changing, and the caller should call
	it again.

	v3:
	remove retry and just change the return err.
	v2:
	introduce padata_try_do_parallel() in pcrypt_aead_encrypt and
	pcrypt_aead_decrypt to solve the hungtask.

	The Linux kernel CVE team has assigned CVE-2023-52813 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.14.331 with commit fb2d3a50a8f29a3c66682bb426144f40e32ab818
	Fixed in 4.19.300 with commit 039fec48e062504f14845124a1a25eb199b2ddc0
	Fixed in 5.4.262 with commit c9c1334697301c10e6918d747ed38abfbc0c96e7
	Fixed in 5.10.202 with commit e97bf4ada7dddacd184c3e196bd063b0dc71b41d
	Fixed in 5.15.140 with commit 546c1796ad1ed0d87dab3c4b5156d75819be2316
	Fixed in 6.1.64 with commit c55fc098fd9d2dca475b82d00ffbcaf97879d77e
	Fixed in 6.5.13 with commit e134f3aba98e6c801a693f540912c2d493718ddf
	Fixed in 6.6.3 with commit 372636debe852913529b1716f44addd94fff2d28
	Fixed in 6.7 with commit 8f4f68e788c3a7a696546291258bfa5fdb215523

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52813
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	crypto/pcrypt.c
	kernel/padata.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/fb2d3a50a8f29a3c66682bb426144f40e32ab818
	https://git.kernel.org/stable/c/039fec48e062504f14845124a1a25eb199b2ddc0
	https://git.kernel.org/stable/c/c9c1334697301c10e6918d747ed38abfbc0c96e7
	https://git.kernel.org/stable/c/e97bf4ada7dddacd184c3e196bd063b0dc71b41d
	https://git.kernel.org/stable/c/546c1796ad1ed0d87dab3c4b5156d75819be2316
	https://git.kernel.org/stable/c/c55fc098fd9d2dca475b82d00ffbcaf97879d77e
	https://git.kernel.org/stable/c/e134f3aba98e6c801a693f540912c2d493718ddf
	https://git.kernel.org/stable/c/372636debe852913529b1716f44addd94fff2d28
	https://git.kernel.org/stable/c/8f4f68e788c3a7a696546291258bfa5fdb215523