tls_decrypt_sg doesn't take a reference on the pages from clear_skb, so the put_page() in tls_decrypt_done releases them, and we trigger a use-after-free in process_rx_list when we try to read from the partially-read skb.
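The imbalance described above, as an added user-space model that is not kernel code and not taken from the upstream commit: the page, skb and variant names are hypothetical, and TAKE_REF and SKIP_PUT are simply two ways to pair get and put again (see the linked upstream fix for the actual change).

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model of the refcount imbalance; not kernel code. */
struct page_model { int refcount; bool freed; };
struct skb_model  { struct page_model *frag; };   /* skb owning one page ref */

enum variant { BUGGY, TAKE_REF, SKIP_PUT };       /* hypothetical names */

static void get_page_m(struct page_model *p) { p->refcount++; }
static void put_page_m(struct page_model *p)
{
    if (--p->refcount == 0)
        p->freed = true;          /* a real page would return to the allocator */
}

/* Stands in for tls_decrypt_sg: clear_skb's page becomes the crypto output. */
static void decrypt_submit(struct skb_model *clear_skb, enum variant v)
{
    if (v == TAKE_REF)
        get_page_m(clear_skb->frag);
}

/* Stands in for tls_decrypt_done: the completion path drops the output page. */
static void decrypt_done(struct skb_model *clear_skb, enum variant v)
{
    if (v != SKIP_PUT)
        put_page_m(clear_skb->frag);
}

/* Returns true if the later read of the partially-read skb (the
 * process_rx_list step) would still touch a live page. */
bool rx_read_is_safe(enum variant v)
{
    struct page_model page = { .refcount = 1, .freed = false };
    struct skb_model clear_skb = { .frag = &page };

    decrypt_submit(&clear_skb, v);
    decrypt_done(&clear_skb, v);
    return !page.freed && page.refcount == 1;  /* only the skb's ref remains */
}

int main(void)
{
    static const char *name[] = { "buggy", "take_ref", "skip_put" };
    for (int v = BUGGY; v <= SKIP_PUT; v++)
        printf("%-8s rx read safe: %s\n", name[v],
               rx_read_is_safe((enum variant)v) ? "yes" : "no");
    return 0;
}
```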
Kernel security advisory: https://lore.kernel.org/linux-cve-announce/2024022139-spruce-prelude-c358@gregkh/T/#u
Upstream fix: https://github.com/torvalds/linux/commit/32b55c5ff910
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2265529]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:1882 https://access.redhat.com/errata/RHSA-2024:1882
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:1881 https://access.redhat.com/errata/RHSA-2024:1881
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2394 https://access.redhat.com/errata/RHSA-2024:2394
The result of the automatic check (that is developed by Alexander Larkin) for this CVE-2024-26582 is: CHECK Maybe valid. Check manually. with impact MODERATE (that is an approximation based on flags REMOTE READ SIMPLEFIX UAF SKB; these flags are parsed automatically based on patch data). Such an automatic check happens only for Low/Moderates (and only when not from a reporter, but parsing an already existing CVE). Highs are always checked manually (I check it myself and then we check it again in the Remediation team). In rare cases some of the Moderates could be increased to High later.