FreeBSD-EN-21:11.aesni : Race condition in aesni(4)
Versions Affected : All versions prior to TrueNAS 12.0-U4
Description
The FreeBSD kernel enables SMAP during boot when the CPU reports that the SMAP capability is present. Subroutines such as copyin() and copyout() are responsible for disabling SMAP around the sections of code that perform user memory accesses.
aesni(4) implements SHA-1 and SHA-2 and can compute HMACs using these functions. One step of the HMAC computation involves the computation of a derived key. This step was implemented such that if multiple threads were concurrently computing an HMAC using the same crypto(9) session, the kernel’s copy of the session key could be corrupted. This bug could cause aesni(4) to return incorrect digests of input data, or incorrectly report a digest verification failure.
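The bug class described above, as an added illustration that is not FreeBSD or TrueNAS code: a simplified model in which the derived key is produced by XORing the HMAC inner pad into the shared session key, with two requests interleaved by hand rather than run as real threads. The in-place derivation, the toy_hash stand-in (FNV-1a instead of SHA) and all names and sample values are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLK  64    /* HMAC block size for SHA-1 and SHA-256 */
#define IPAD 0x36  /* HMAC inner pad byte */

struct session { uint8_t key[BLK]; };  /* shared by every request on the session */

/* Stand-in for the real digest (FNV-1a), an assumption to keep this short. */
static uint32_t toy_hash(const uint8_t *k, const char *msg)
{
    uint32_t h = 2166136261u;
    for (int i = 0; i < BLK; i++) { h ^= k[i]; h *= 16777619u; }
    for (; *msg; msg++) { h ^= (uint8_t)*msg; h *= 16777619u; }
    return h;
}

static void xor_pad(uint8_t *k, uint8_t pad)
{
    for (int i = 0; i < BLK; i++) k[i] ^= pad;
}

/* Unsafe: the pad is XORed into the shared key and undone after hashing.
 * Requests A and B are interleaved by hand to model two threads. */
static uint32_t inner_shared(struct session *s, const char *msg_a)
{
    xor_pad(s->key, IPAD);                 /* A: derive K ^ ipad in place   */
    xor_pad(s->key, IPAD);                 /* B: same step, cancels A's pad */
    uint32_t a = toy_hash(s->key, msg_a);  /* A hashes the wrong key        */
    xor_pad(s->key, IPAD);                 /* A: undo                       */
    xor_pad(s->key, IPAD);                 /* B: undo                       */
    return a;
}

/* Safe: each request pads a private copy; the session key is read-only. */
static uint32_t inner_private(const struct session *s, const char *msg)
{
    uint8_t k[BLK];
    memcpy(k, s->key, BLK);
    xor_pad(k, IPAD);
    return toy_hash(k, msg);
}

int main(void)
{
    struct session s;
    memset(s.key, 0x0b, BLK);              /* constructed sample key */
    printf("private copy: %08x\n", (unsigned)inner_private(&s, "constructed message"));
    printf("shared key:   %08x\n", (unsigned)inner_shared(&s, "constructed message"));
    return 0;
}
```

With real threads the byte-wise read-modify-write can also lose updates, so the shared key may stay wrong after both requests finish instead of only being wrong while they overlap.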
Workaround
The aesni(4) kernel module may be unloaded to work around the problem. Note that this may incur a substantial hit to performance. Workloads not making use of HMAC-based authentication using aesni(4) are unaffected. For example, aesni(4) implements AES-GCM, and that implementation is not susceptible to this problem.
Mitigation
- Upgrade to TrueNAS 12.0-U4 or later.