CVE-2023-52813

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
21/05/2024
Last modified:
26/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: pcrypt - Fix hungtask for PADATA_RESET

We found a hungtask bug in test_aead_vec_cfg as follows:

    INFO: task cryptomgr_test:391009 blocked for more than 120 seconds.
    "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
    Call trace:
     __switch_to+0x98/0xe0
     __schedule+0x6c4/0xf40
     schedule+0xd8/0x1b4
     schedule_timeout+0x474/0x560
     wait_for_common+0x368/0x4e0
     wait_for_completion+0x20/0x30
     wait_for_completion+0x20/0x30
     test_aead_vec_cfg+0xab4/0xd50
     test_aead+0x144/0x1f0
     alg_test_aead+0xd8/0x1e0
     alg_test+0x634/0x890
     cryptomgr_test+0x40/0x70
     kthread+0x1e0/0x220
     ret_from_fork+0x10/0x18
    Kernel panic - not syncing: hung_task: blocked tasks

For padata_do_parallel, when the return err is 0 or -EBUSY, it will call wait_for_completion(&wait->completion) in test_aead_vec_cfg. In normal case, aead_request_complete() will be called in pcrypt_aead_serial and the return err is 0 for padata_do_parallel. But, when pinst->flags is PADATA_RESET, the return err is -EBUSY for padata_do_parallel, and it won't call aead_request_complete(). Therefore, test_aead_vec_cfg will hang at wait_for_completion(&wait->completion), which will cause hungtask.

The problem comes as following:

    (padata_do_parallel)                 |
        rcu_read_lock_bh();              |
        err = -EINVAL;                   |   (padata_replace)
                                         |     pinst->flags |= PADATA_RESET;
        err = -EBUSY                     |
        if (pinst->flags & PADATA_RESET) |
            rcu_read_unlock_bh()         |
            return err

In order to resolve the problem, we replace the return err -EBUSY with -EAGAIN, which means parallel_data is changing, and the caller should call it again.

v3:
remove retry and just change the return err.
v2:
introduce padata_try_do_parallel() in pcrypt_aead_encrypt and pcrypt_aead_decrypt to solve the hungtask.
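
The control flow described above, as a small userspace model added here for illustration (it is not kernel code and not part of the patch). The `model_*` names, the numeric flag value and the outcome codes are assumptions of the example; the caller follows the description's statement that 0 and -EBUSY both lead to a wait.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define PADATA_RESET 0x2  /* flag name from the advisory; value chosen for this model */

enum { CALLER_DONE = 0, CALLER_HUNG = 1 };  /* outcome codes are assumptions of the model */

struct model_inst { unsigned int flags; };  /* stands in for the padata instance */
struct model_wait { bool completed; };      /* stands in for wait->completion */

/* Submit path: while a reset is in flight the request is rejected and the
 * completion callback never runs. reset_err is -EBUSY (before) or -EAGAIN (after). */
static int model_do_parallel(const struct model_inst *pinst,
                             struct model_wait *wait, int reset_err)
{
    if (pinst->flags & PADATA_RESET)
        return reset_err;
    wait->completed = true;  /* normal case: the serial callback completes the request */
    return 0;
}

/* Caller as the description states it: 0 and -EBUSY both mean "wait for completion". */
static int model_caller(unsigned int flags, int reset_err)
{
    struct model_inst pinst = { .flags = flags };
    struct model_wait wait = { .completed = false };
    int err = model_do_parallel(&pinst, &wait, reset_err);

    if (err == 0 || err == -EBUSY)
        return wait.completed ? CALLER_DONE : CALLER_HUNG;  /* nothing will ever signal it */
    return err;  /* any other error reaches the caller immediately */
}

int main(void)
{
    printf("no reset:               %d\n", model_caller(0, -EBUSY));
    printf("reset, -EBUSY (before): %d\n", model_caller(PADATA_RESET, -EBUSY));
    printf("reset, -EAGAIN (after): %d\n", model_caller(PADATA_RESET, -EAGAIN));
    return 0;
}
```

With -EBUSY the caller ends in the state the hung-task detector reports; with -EAGAIN the error is returned and no wait is entered.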

Vulnerable products and versions

CPE                                             From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    2.6.34 (including)   4.14.331 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    4.15 (including)     4.19.300 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    4.20 (including)     5.4.262 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.5 (including)      5.10.202 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.11 (including)     5.15.140 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.16 (including)     6.1.64 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.2 (including)      6.5.13 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.6 (including)      6.6.3 (excluding)