Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-vulnerable / . / cve / published / 2024 / CVE-2024-40900.mbox
blob: 930d0bb962d5eb85777d560c0a83f58c9c95b8ae [file] [log] [blame]
From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-40900: cachefiles: remove requests from xarray during flushing requests
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
cachefiles: remove requests from xarray during flushing requests
Even with CACHEFILES_DEAD set, we can still read the requests, so in the
following concurrency the request may be used after it has been freed:
mount | daemon_thread1 | daemon_thread2
------------------------------------------------------------
cachefiles_ondemand_init_object
cachefiles_ondemand_send_req
REQ_A = kzalloc(sizeof(*req) + data_len)
wait_for_completion(&REQ_A->done)
cachefiles_daemon_read
cachefiles_ondemand_daemon_read
// close dev fd
cachefiles_flush_reqs
complete(&REQ_A->done)
kfree(REQ_A)
xa_lock(&cache->reqs);
cachefiles_ondemand_select_req
req->msg.opcode != CACHEFILES_OP_READ
// req use-after-free !!!
xa_unlock(&cache->reqs);
xa_destroy(&cache->reqs)
Hence remove requests from cache->reqs when flushing them to avoid
accessing freed requests.
The Linux kernel CVE team has assigned CVE-2024-40900 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.19 with commit c8383054506c77b814489c09877b5db83fd4abf2 and fixed in 6.1.95 with commit 9f13aacdd4ee9a7644b2a3c96d67113cd083c9c7
Issue introduced in 5.19 with commit c8383054506c77b814489c09877b5db83fd4abf2 and fixed in 6.6.35 with commit 50d0e55356ba5b84ffb51c42704126124257e598
Issue introduced in 5.19 with commit c8383054506c77b814489c09877b5db83fd4abf2 and fixed in 6.9.6 with commit 37e19cf86a520d65de1de9cb330415c332a40d19
Issue introduced in 5.19 with commit c8383054506c77b814489c09877b5db83fd4abf2 and fixed in 6.10 with commit 0fc75c5940fa634d84e64c93bfc388e1274ed013
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-40900
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
fs/cachefiles/daemon.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/9f13aacdd4ee9a7644b2a3c96d67113cd083c9c7
https://git.kernel.org/stable/c/50d0e55356ba5b84ffb51c42704126124257e598
https://git.kernel.org/stable/c/37e19cf86a520d65de1de9cb330415c332a40d19
https://git.kernel.org/stable/c/0fc75c5940fa634d84e64c93bfc388e1274ed013