Linux Kernel Boolean Value Misassignment Vulnerability in AF_ALG Crypto API

Vulnerability

A vulnerability exists in the Linux kernel's AF_ALG crypto API, where certain boolean fields in the context structure were incorrectly changed from bool to 1-bit bitfields of type u32. This modification, intended to prevent concurrent writes, inadvertently altered the way values are assigned to these fields. Specifically, the 'more' and 'merge' fields, which can be assigned values greater than 1, were affected. Those assignments relied on C's implicit conversion to bool, where any nonzero value is interpreted as true. A 1-bit bitfield instead stores the value modulo 2, so an even nonzero value is stored as 0. This vulnerability could potentially disrupt the intended functionality of the crypto API by misrepresenting the state of these fields.
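The difference between the two field types can be seen in a small user-space program. This is an added example, not kernel code or part of the original advisory; the struct names, helper functions and sample values are hypothetical stand-ins.

```c
#include <stdio.h>
#include <stdbool.h>

/* Hypothetical stand-ins for the two field layouts the advisory describes;
 * these are not the kernel's own context structure. */
struct ctx_bool     { bool more; bool merge; };
struct ctx_bitfield { unsigned int more : 1; unsigned int merge : 1; }; /* u32:1 */

/* Original layout: conversion to bool maps every nonzero value to 1. */
static int store_bool(unsigned int v)
{
    struct ctx_bool c = { false, false };
    c.more = v;
    return c.more;
}

/* Bitfield layout: conversion to a 1-bit unsigned field keeps only bit 0. */
static int store_bitfield(unsigned int v)
{
    struct ctx_bitfield c = { 0, 0 };
    c.more = v;
    return c.more;
}

/* Defensive form: normalise to 0/1 first, correct under either layout. */
static int store_bitfield_normalised(unsigned int v)
{
    struct ctx_bitfield c = { 0, 0 };
    c.more = !!v;
    return c.more;
}

int main(void)
{
    /* Constructed sample values; 0x8000 models a single high flag bit. */
    const unsigned int samples[] = { 0, 1, 2, 3, 0x8000 };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("value=0x%04x bool=%d bitfield=%d normalised=%d\n",
               samples[i], store_bool(samples[i]),
               store_bitfield(samples[i]),
               store_bitfield_normalised(samples[i]));
    return 0;
}
```

Any even nonzero input reads back as 0 from the bitfield layout while the bool layout reads back 1, which is the misassignment described above.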

Impact

The vulnerability could cause incorrect handling of boolean values in the AF_ALG context, potentially leading to unintended behavior in cryptographic operations that rely on this API.

Reproduction

The vulnerability can be reproduced by assigning values greater than 1 to the 'more' and 'merge' fields of the AF_ALG context. This can be done by creating a custom application or script that uses the AF_ALG crypto API and deliberately assigns invalid values to these fields. The incorrect assignment can then be observed by checking the values of the 'more' and 'merge' fields, which will reflect the misassignment caused by the vulnerability.

Remediation

The vulnerability has been addressed by reverting the affected fields back to their original boolean type. Users can apply the latest patches available in the Linux kernel stable tree to mitigate this issue.

Added: Oct 24, 2025, 1:20 PM
Updated: Oct 24, 2025, 1:20 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.