cve/published/2024/CVE-2024-41057.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-41057: cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()

 We got the following issue in our fault injection stress test:

 ==================================================================
 BUG: KASAN: slab-use-after-free in cachefiles_withdraw_cookie+0x4d9/0x600
 Read of size 8 at addr ffff888118efc000 by task kworker/u78:0/109

 CPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566
 Call Trace:
  <TASK>
  kasan_report+0x93/0xc0
  cachefiles_withdraw_cookie+0x4d9/0x600
  fscache_cookie_state_machine+0x5c8/0x1230
  fscache_cookie_worker+0x91/0x1c0
  process_one_work+0x7fa/0x1800
  [...]

 Allocated by task 117:
  kmalloc_trace+0x1b3/0x3c0
  cachefiles_acquire_volume+0xf3/0x9c0
  fscache_create_volume_work+0x97/0x150
  process_one_work+0x7fa/0x1800
  [...]

 Freed by task 120301:
  kfree+0xf1/0x2c0
  cachefiles_withdraw_cache+0x3fa/0x920
  cachefiles_put_unbind_pincount+0x1f6/0x250
  cachefiles_daemon_release+0x13b/0x290
  __fput+0x204/0xa00
  task_work_run+0x139/0x230
  do_exit+0x87a/0x29b0
  [...]
 ==================================================================

 Following is the process that triggers the issue:

            p1                |             p2
 ------------------------------------------------------------
                               fscache_begin_lookup
                                fscache_begin_volume_access
                                 fscache_cache_is_live(fscache_cache)
 cachefiles_daemon_release
  cachefiles_put_unbind_pincount
   cachefiles_daemon_unbind
    cachefiles_withdraw_cache
     fscache_withdraw_cache
      fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN);
     cachefiles_withdraw_objects(cache)
     fscache_wait_for_objects(fscache)
       atomic_read(&fscache_cache->object_count) == 0
                               fscache_perform_lookup
                                cachefiles_lookup_cookie
                                 cachefiles_alloc_object
                                  refcount_set(&object->ref, 1);
                                  object->volume = volume
                                  fscache_count_object(vcookie->cache);
                                   atomic_inc(&fscache_cache->object_count)
     cachefiles_withdraw_volumes
      cachefiles_withdraw_volume
       fscache_withdraw_volume
       __cachefiles_free_volume
        kfree(cachefiles_volume)
                               fscache_cookie_state_machine
                                cachefiles_withdraw_cookie
                                 cache = object->volume->cache;
                                 // cachefiles_volume UAF !!!

 After setting FSCACHE_CACHE_IS_WITHDRAWN, wait for all the cookie lookups
 to complete first, and then wait for fscache_cache->object_count == 0 to
 avoid the cookie exiting after the volume has been freed and triggering
 the above issue. Therefore call fscache_withdraw_volume() before calling
 cachefiles_withdraw_objects().

 This way, after setting FSCACHE_CACHE_IS_WITHDRAWN, only the following two
 cases will occur:
 1) fscache_begin_lookup fails in fscache_begin_volume_access().
 2) fscache_withdraw_volume() will ensure that fscache_count_object() has
    been executed before calling fscache_wait_for_objects().

 The Linux kernel CVE team has assigned CVE-2024-41057 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.17 with commit fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35 and fixed in 6.1.101 with commit 8de253177112a47c9af157d23ae934779188b4e1
 	Issue introduced in 5.17 with commit fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35 and fixed in 6.6.42 with commit 9e67589a4a7b7e5660b524d1d5fe61242bcbcc11
 	Issue introduced in 5.17 with commit fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35 and fixed in 6.9.11 with commit ef81340401e8a371d6b17f69e76d861920972cfe
 	Issue introduced in 5.17 with commit fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35 and fixed in 6.10 with commit 5d8f805789072ea7fd39504694b7bd17e5f751c4

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-41057
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/cachefiles/cache.c
 	fs/cachefiles/volume.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/8de253177112a47c9af157d23ae934779188b4e1
 	https://git.kernel.org/stable/c/9e67589a4a7b7e5660b524d1d5fe61242bcbcc11
 	https://git.kernel.org/stable/c/ef81340401e8a371d6b17f69e76d861920972cfe
 	https://git.kernel.org/stable/c/5d8f805789072ea7fd39504694b7bd17e5f751c4
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-41057: cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()

	We got the following issue in our fault injection stress test:

	==================================================================
	BUG: KASAN: slab-use-after-free in cachefiles_withdraw_cookie+0x4d9/0x600
	Read of size 8 at addr ffff888118efc000 by task kworker/u78:0/109

	CPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566
	Call Trace:
	<TASK>
	kasan_report+0x93/0xc0
	cachefiles_withdraw_cookie+0x4d9/0x600
	fscache_cookie_state_machine+0x5c8/0x1230
	fscache_cookie_worker+0x91/0x1c0
	process_one_work+0x7fa/0x1800
	[...]

	Allocated by task 117:
	kmalloc_trace+0x1b3/0x3c0
	cachefiles_acquire_volume+0xf3/0x9c0
	fscache_create_volume_work+0x97/0x150
	process_one_work+0x7fa/0x1800
	[...]

	Freed by task 120301:
	kfree+0xf1/0x2c0
	cachefiles_withdraw_cache+0x3fa/0x920
	cachefiles_put_unbind_pincount+0x1f6/0x250
	cachefiles_daemon_release+0x13b/0x290
	__fput+0x204/0xa00
	task_work_run+0x139/0x230
	do_exit+0x87a/0x29b0
	[...]
	==================================================================

	Following is the process that triggers the issue:

	p1 \| p2
	------------------------------------------------------------
	fscache_begin_lookup
	fscache_begin_volume_access
	fscache_cache_is_live(fscache_cache)
	cachefiles_daemon_release
	cachefiles_put_unbind_pincount
	cachefiles_daemon_unbind
	cachefiles_withdraw_cache
	fscache_withdraw_cache
	fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN);
	cachefiles_withdraw_objects(cache)
	fscache_wait_for_objects(fscache)
	atomic_read(&fscache_cache->object_count) == 0
	fscache_perform_lookup
	cachefiles_lookup_cookie
	cachefiles_alloc_object
	refcount_set(&object->ref, 1);
	object->volume = volume
	fscache_count_object(vcookie->cache);
	atomic_inc(&fscache_cache->object_count)
	cachefiles_withdraw_volumes
	cachefiles_withdraw_volume
	fscache_withdraw_volume
	__cachefiles_free_volume
	kfree(cachefiles_volume)
	fscache_cookie_state_machine
	cachefiles_withdraw_cookie
	cache = object->volume->cache;
	// cachefiles_volume UAF !!!

	After setting FSCACHE_CACHE_IS_WITHDRAWN, wait for all the cookie lookups
	to complete first, and then wait for fscache_cache->object_count == 0 to
	avoid the cookie exiting after the volume has been freed and triggering
	the above issue. Therefore call fscache_withdraw_volume() before calling
	cachefiles_withdraw_objects().

	This way, after setting FSCACHE_CACHE_IS_WITHDRAWN, only the following two
	cases will occur:
	1) fscache_begin_lookup fails in fscache_begin_volume_access().
	2) fscache_withdraw_volume() will ensure that fscache_count_object() has
	been executed before calling fscache_wait_for_objects().

	The Linux kernel CVE team has assigned CVE-2024-41057 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.17 with commit fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35 and fixed in 6.1.101 with commit 8de253177112a47c9af157d23ae934779188b4e1
	Issue introduced in 5.17 with commit fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35 and fixed in 6.6.42 with commit 9e67589a4a7b7e5660b524d1d5fe61242bcbcc11
	Issue introduced in 5.17 with commit fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35 and fixed in 6.9.11 with commit ef81340401e8a371d6b17f69e76d861920972cfe
	Issue introduced in 5.17 with commit fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35 and fixed in 6.10 with commit 5d8f805789072ea7fd39504694b7bd17e5f751c4

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-41057
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/cachefiles/cache.c
	fs/cachefiles/volume.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/8de253177112a47c9af157d23ae934779188b4e1
	https://git.kernel.org/stable/c/9e67589a4a7b7e5660b524d1d5fe61242bcbcc11
	https://git.kernel.org/stable/c/ef81340401e8a371d6b17f69e76d861920972cfe
	https://git.kernel.org/stable/c/5d8f805789072ea7fd39504694b7bd17e5f751c4