CVE-2024-45004

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> KEYS: trusted: dcp: fix leak of blob encryption key<br /> <br /> Trusted keys unseal the key blob on load, but keep the sealed payload in<br /> the blob field so that every subsequent read (export) will simply<br /> convert this field to hex and send it to userspace.<br /> <br /> With DCP-based trusted keys, we decrypt the blob encryption key (BEK)<br /> in the Kernel due hardware limitations and then decrypt the blob payload.<br /> BEK decryption is done in-place which means that the trusted key blob<br /> field is modified and it consequently holds the BEK in plain text.<br /> Every subsequent read of that key thus send the plain text BEK instead<br /> of the encrypted BEK to userspace.<br /> <br /> This issue only occurs when importing a trusted DCP-based key and<br /> then exporting it again. This should rarely happen as the common use cases<br /> are to either create a new trusted key and export it, or import a key<br /> blob and then just use it without exporting it again.<br /> <br /> Fix this by performing BEK decryption and encryption in a dedicated<br /> buffer. Further always wipe the plain text BEK buffer to prevent leaking<br /> the key via uninitialized memory.