Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-vulnerable / . / cve / published / 2024 / CVE-2024-40899.json
blob: 9c92b40ce7c23d9f5a174bcf80736820da4c6071 [file] [log] [blame]
{
"containers": {
"cna": {
"providerMetadata": {
"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
},
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd()\n\nWe got the following issue in a fuzz test of randomly issuing the restore\ncommand:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0x609/0xab0\nWrite of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962\n\nCPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542\nCall Trace:\n kasan_report+0x94/0xc0\n cachefiles_ondemand_daemon_read+0x609/0xab0\n vfs_read+0x169/0xb50\n ksys_read+0xf5/0x1e0\n\nAllocated by task 626:\n __kmalloc+0x1df/0x4b0\n cachefiles_ondemand_send_req+0x24d/0x690\n cachefiles_create_tmpfile+0x249/0xb30\n cachefiles_create_file+0x6f/0x140\n cachefiles_look_up_object+0x29c/0xa60\n cachefiles_lookup_cookie+0x37d/0xca0\n fscache_cookie_state_machine+0x43c/0x1230\n [...]\n\nFreed by task 626:\n kfree+0xf1/0x2c0\n cachefiles_ondemand_send_req+0x568/0x690\n cachefiles_create_tmpfile+0x249/0xb30\n cachefiles_create_file+0x6f/0x140\n cachefiles_look_up_object+0x29c/0xa60\n cachefiles_lookup_cookie+0x37d/0xca0\n fscache_cookie_state_machine+0x43c/0x1230\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n mount | daemon_thread1 | daemon_thread2\n------------------------------------------------------------\n cachefiles_ondemand_init_object\n cachefiles_ondemand_send_req\n REQ_A = kzalloc(sizeof(*req) + data_len)\n wait_for_completion(&REQ_A->done)\n\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n REQ_A = cachefiles_ondemand_select_req\n cachefiles_ondemand_get_fd\n copy_to_user(_buffer, msg, n)\n process_open_req(REQ_A)\n ------ restore ------\n cachefiles_ondemand_restore\n xas_for_each(&xas, req, ULONG_MAX)\n xas_set_mark(&xas, CACHEFILES_REQ_NEW);\n\n cachefiles_daemon_read\n cachefiles_ondemand_daemon_read\n REQ_A = cachefiles_ondemand_select_req\n\n write(devfd, (\"copen %u,%llu\", msg->msg_id, size));\n cachefiles_ondemand_copen\n xa_erase(&cache->reqs, id)\n complete(&REQ_A->done)\n kfree(REQ_A)\n cachefiles_ondemand_get_fd(REQ_A)\n fd = get_unused_fd_flags\n file = anon_inode_getfile\n fd_install(fd, file)\n load = (void *)REQ_A->msg.data;\n load->fd = fd;\n // load UAF !!!\n\nThis issue is caused by issuing a restore command when the daemon is still\nalive, which results in a request being processed multiple times thus\ntriggering a UAF. So to avoid this problem, add an additional reference\ncount to cachefiles_req, which is held while waiting and reading, and then\nreleased when the waiting and reading is over.\n\nNote that since there is only one reference count for waiting, we need to\navoid the same request being completed multiple times, so we can only\ncomplete the request if it is successfully removed from the xarray."
}
],
"affected": [
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"fs/cachefiles/internal.h",
"fs/cachefiles/ondemand.c"
],
"versions": [
{
"version": "a0cc87f86698174aacc083c4652d2606007dd902",
"lessThan": "99e9c5bd27ddefa0f9db88625bf5e31c1e833d62",
"status": "affected",
"versionType": "git"
},
{
"version": "9f5fa40f0924e9de85b16c6d1aea80327ce647d8",
"lessThan": "a6de82765e12fb1201ab607f0d3ffe3309b30fc0",
"status": "affected",
"versionType": "git"
},
{
"version": "e73fa11a356ca0905c3cc648eaacc6f0f2d2c8b3",
"lessThan": "1d902d9a3aa4f2a8bda698294e34be788be012fc",
"status": "affected",
"versionType": "git"
},
{
"version": "e73fa11a356ca0905c3cc648eaacc6f0f2d2c8b3",
"lessThan": "de3e26f9e5b76fc628077578c001c4a51bf54d06",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"fs/cachefiles/internal.h",
"fs/cachefiles/ondemand.c"
],
"versions": [
{
"version": "6.8",
"status": "affected"
},
{
"version": "0",
"lessThan": "6.8",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.9.6",
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.10",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.8",
"versionEndExcluding": "6.9.6"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.8",
"versionEndExcluding": "6.10"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/99e9c5bd27ddefa0f9db88625bf5e31c1e833d62"
},
{
"url": "https://git.kernel.org/stable/c/a6de82765e12fb1201ab607f0d3ffe3309b30fc0"
},
{
"url": "https://git.kernel.org/stable/c/1d902d9a3aa4f2a8bda698294e34be788be012fc"
},
{
"url": "https://git.kernel.org/stable/c/de3e26f9e5b76fc628077578c001c4a51bf54d06"
}
],
"title": "cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
"cveID": "CVE-2024-40899",
"requesterUserId": "gregkh@kernel.org",
"serial": "1",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}