Preface: The Linux kernel implements most of its IPv6 stack from USAGI, a project founded to improve and develop the Linux IPv6 stack. Which USAGI version or release was integrated is unknown. The core functions of USAGI are implemented in the kernel; the “standard” user-level programs provide basic IPv6 functionality.
Background: Converting IPv6 SR to use crypto_pool has the following advantages:
– SR now uses the asynchronous API, which may free CPU cycles and improve performance with off-CPU crypto algorithm providers;
– hash descriptors no longer have to be allocated at boot, but only from the moment SR starts using HMAC until the last HMAC secret is deleted;
– ahash_request(s) can potentially be reused by different users;
– only one per-CPU scratch buffer is allocated, rather than a new one for each user;
– there is a common API for net/ users that need ahash on the RX/TX fast path.
Vulnerability details: In the Linux kernel, the following vulnerability has been resolved: “ipv6: sr: fix memleak in seg6_hmac_init_algo”. seg6_hmac_init_algo returns without cleaning up the previous allocations if one of them fails, so it leaks all of that memory and the crypto tfms. seg6_hmac_exit is updated to free memory only where it was actually allocated, so the init error path can reuse that code directly.
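The allocate-in-a-loop pattern behind this bug and its fix, as a constructed userspace model added here (not the kernel's code): `malloc` stands in for the per-CPU tfm and shash allocations, a failure is injected at a chosen allocation, and `model_exit` frees only what was allocated so the init error path can call it safely.

```c
#include <stdlib.h>
#include <string.h>
/* Userspace model of the seg6_hmac_init_algo / seg6_hmac_exit pattern.
 * Constructed example, not the kernel's code: malloc stands in for the
 * per-CPU crypto_shash tfm and shash_desc allocations. */
#define NCPU  4
#define NALGO 2
struct algo { void *tfms[NCPU]; void *shashs[NCPU]; };
static struct algo algos[NALGO];
static int live_allocs;  /* still allocated; non-zero after a failed init is the leak */
static int fail_at;      /* make the Nth allocation return NULL (0 = never fail) */
static int alloc_count;

static void *model_alloc(void) {
    if (fail_at && ++alloc_count == fail_at) return NULL;
    live_allocs++;
    return malloc(16);
}

/* Exit path as after the fix: free only what was actually allocated, so it is
 * safe to call from the init error path part-way through the loops. */
void model_exit(void) {
    for (int i = 0; i < NALGO; i++)
        for (int c = 0; c < NCPU; c++) {
            if (algos[i].shashs[c]) { free(algos[i].shashs[c]); algos[i].shashs[c] = NULL; live_allocs--; }
            if (algos[i].tfms[c])   { free(algos[i].tfms[c]);   algos[i].tfms[c]   = NULL; live_allocs--; }
        }
}

/* Init: before the fix a failed allocation returned at once, leaving earlier
 * tfms/shashs allocated; the fix routes every failure through the exit path. */
int model_init(int cleanup_on_error) {
    for (int i = 0; i < NALGO; i++) {
        for (int c = 0; c < NCPU; c++)
            if (!(algos[i].tfms[c] = model_alloc())) goto err;
        for (int c = 0; c < NCPU; c++)
            if (!(algos[i].shashs[c] = model_alloc())) goto err;
    }
    return 0;
err:
    if (cleanup_on_error) model_exit();
    return -1;
}

/* Fail allocation n, run init, and report how many allocations outlive the
 * failed init (the leak); then reclaim them so the model can run again. */
int leaked_after_failure(int n, int cleanup_on_error) {
    memset(algos, 0, sizeof algos);
    live_allocs = alloc_count = 0;
    fail_at = n;
    int leaked = model_init(cleanup_on_error) ? live_allocs : -1; /* -1: init succeeded */
    model_exit();
    return leaked;
}
```

With `cleanup_on_error` set to 0 the model reproduces the pre-fix behaviour (every allocation made before the failing one survives); with it set to 1 nothing outlives a failed init.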
Official announcement: For details, please refer to the following link: https://nvd.nist.gov/vuln/detail/CVE-2024-39489