cve/published/2024/CVE-2024-41058.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-41058: cachefiles: fix slab-use-after-free in fscache_withdraw_volume()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 cachefiles: fix slab-use-after-free in fscache_withdraw_volume()

 We got the following issue in our fault injection stress test:

 ==================================================================
 BUG: KASAN: slab-use-after-free in fscache_withdraw_volume+0x2e1/0x370
 Read of size 4 at addr ffff88810680be08 by task ondemand-04-dae/5798

 CPU: 0 PID: 5798 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #565
 Call Trace:
  kasan_check_range+0xf6/0x1b0
  fscache_withdraw_volume+0x2e1/0x370
  cachefiles_withdraw_volume+0x31/0x50
  cachefiles_withdraw_cache+0x3ad/0x900
  cachefiles_put_unbind_pincount+0x1f6/0x250
  cachefiles_daemon_release+0x13b/0x290
  __fput+0x204/0xa00
  task_work_run+0x139/0x230

 Allocated by task 5820:
  __kmalloc+0x1df/0x4b0
  fscache_alloc_volume+0x70/0x600
  __fscache_acquire_volume+0x1c/0x610
  erofs_fscache_register_volume+0x96/0x1a0
  erofs_fscache_register_fs+0x49a/0x690
  erofs_fc_fill_super+0x6c0/0xcc0
  vfs_get_super+0xa9/0x140
  vfs_get_tree+0x8e/0x300
  do_new_mount+0x28c/0x580
  [...]

 Freed by task 5820:
  kfree+0xf1/0x2c0
  fscache_put_volume.part.0+0x5cb/0x9e0
  erofs_fscache_unregister_fs+0x157/0x1b0
  erofs_kill_sb+0xd9/0x1c0
  deactivate_locked_super+0xa3/0x100
  vfs_get_super+0x105/0x140
  vfs_get_tree+0x8e/0x300
  do_new_mount+0x28c/0x580
  [...]
 ==================================================================

 Following is the process that triggers the issue:

         mount failed         |         daemon exit
 ------------------------------------------------------------
  deactivate_locked_super        cachefiles_daemon_release
   erofs_kill_sb
    erofs_fscache_unregister_fs
     fscache_relinquish_volume
      __fscache_relinquish_volume
       fscache_put_volume(fscache_volume, fscache_volume_put_relinquish)
        zero = __refcount_dec_and_test(&fscache_volume->ref, &ref);
                                  cachefiles_put_unbind_pincount
                                   cachefiles_daemon_unbind
                                    cachefiles_withdraw_cache
                                     cachefiles_withdraw_volumes
                                      list_del_init(&volume->cache_link)
        fscache_free_volume(fscache_volume)
         cache->ops->free_volume
          cachefiles_free_volume
           list_del_init(&cachefiles_volume->cache_link);
         kfree(fscache_volume)
                                      cachefiles_withdraw_volume
                                       fscache_withdraw_volume
                                        fscache_volume->n_accesses
                                        // fscache_volume UAF !!!

 The fscache_volume in cache->volumes must not have been freed yet, but its
 reference count may be 0. So use the new fscache_try_get_volume() helper
 function try to get its reference count.

 If the reference count of fscache_volume is 0, fscache_put_volume() is
 freeing it, so wait for it to be removed from cache->volumes.

 If its reference count is not 0, call cachefiles_withdraw_volume() with
 reference count protection to avoid the above issue.

 The Linux kernel CVE team has assigned CVE-2024-41058 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.17 with commit fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35 and fixed in 6.1.101 with commit 90f17e47f1e209c6a3c92a1d038a0a80c95c460e
 	Issue introduced in 5.17 with commit fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35 and fixed in 6.6.42 with commit 9dd7f5663899ea13a6a73216106d9c13c37453e3
 	Issue introduced in 5.17 with commit fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35 and fixed in 6.9.11 with commit 38b88d544216f806d93a273a62ff8ebe82254003
 	Issue introduced in 5.17 with commit fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35 and fixed in 6.10 with commit 522018a0de6b6fcce60c04f86dfc5f0e4b6a1b36

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-41058
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/cachefiles/cache.c
 	include/trace/events/fscache.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/90f17e47f1e209c6a3c92a1d038a0a80c95c460e
 	https://git.kernel.org/stable/c/9dd7f5663899ea13a6a73216106d9c13c37453e3
 	https://git.kernel.org/stable/c/38b88d544216f806d93a273a62ff8ebe82254003
 	https://git.kernel.org/stable/c/522018a0de6b6fcce60c04f86dfc5f0e4b6a1b36
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-41058: cachefiles: fix slab-use-after-free in fscache_withdraw_volume()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	cachefiles: fix slab-use-after-free in fscache_withdraw_volume()

	We got the following issue in our fault injection stress test:

	==================================================================
	BUG: KASAN: slab-use-after-free in fscache_withdraw_volume+0x2e1/0x370
	Read of size 4 at addr ffff88810680be08 by task ondemand-04-dae/5798

	CPU: 0 PID: 5798 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #565
	Call Trace:
	kasan_check_range+0xf6/0x1b0
	fscache_withdraw_volume+0x2e1/0x370
	cachefiles_withdraw_volume+0x31/0x50
	cachefiles_withdraw_cache+0x3ad/0x900
	cachefiles_put_unbind_pincount+0x1f6/0x250
	cachefiles_daemon_release+0x13b/0x290
	__fput+0x204/0xa00
	task_work_run+0x139/0x230

	Allocated by task 5820:
	__kmalloc+0x1df/0x4b0
	fscache_alloc_volume+0x70/0x600
	__fscache_acquire_volume+0x1c/0x610
	erofs_fscache_register_volume+0x96/0x1a0
	erofs_fscache_register_fs+0x49a/0x690
	erofs_fc_fill_super+0x6c0/0xcc0
	vfs_get_super+0xa9/0x140
	vfs_get_tree+0x8e/0x300
	do_new_mount+0x28c/0x580
	[...]

	Freed by task 5820:
	kfree+0xf1/0x2c0
	fscache_put_volume.part.0+0x5cb/0x9e0
	erofs_fscache_unregister_fs+0x157/0x1b0
	erofs_kill_sb+0xd9/0x1c0
	deactivate_locked_super+0xa3/0x100
	vfs_get_super+0x105/0x140
	vfs_get_tree+0x8e/0x300
	do_new_mount+0x28c/0x580
	[...]
	==================================================================

	Following is the process that triggers the issue:

	mount failed \| daemon exit
	------------------------------------------------------------
	deactivate_locked_super cachefiles_daemon_release
	erofs_kill_sb
	erofs_fscache_unregister_fs
	fscache_relinquish_volume
	__fscache_relinquish_volume
	fscache_put_volume(fscache_volume, fscache_volume_put_relinquish)
	zero = __refcount_dec_and_test(&fscache_volume->ref, &ref);
	cachefiles_put_unbind_pincount
	cachefiles_daemon_unbind
	cachefiles_withdraw_cache
	cachefiles_withdraw_volumes
	list_del_init(&volume->cache_link)
	fscache_free_volume(fscache_volume)
	cache->ops->free_volume
	cachefiles_free_volume
	list_del_init(&cachefiles_volume->cache_link);
	kfree(fscache_volume)
	cachefiles_withdraw_volume
	fscache_withdraw_volume
	fscache_volume->n_accesses
	// fscache_volume UAF !!!

	The fscache_volume in cache->volumes must not have been freed yet, but its
	reference count may be 0. So use the new fscache_try_get_volume() helper
	function try to get its reference count.

	If the reference count of fscache_volume is 0, fscache_put_volume() is
	freeing it, so wait for it to be removed from cache->volumes.

	If its reference count is not 0, call cachefiles_withdraw_volume() with
	reference count protection to avoid the above issue.

	The Linux kernel CVE team has assigned CVE-2024-41058 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.17 with commit fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35 and fixed in 6.1.101 with commit 90f17e47f1e209c6a3c92a1d038a0a80c95c460e
	Issue introduced in 5.17 with commit fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35 and fixed in 6.6.42 with commit 9dd7f5663899ea13a6a73216106d9c13c37453e3
	Issue introduced in 5.17 with commit fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35 and fixed in 6.9.11 with commit 38b88d544216f806d93a273a62ff8ebe82254003
	Issue introduced in 5.17 with commit fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35 and fixed in 6.10 with commit 522018a0de6b6fcce60c04f86dfc5f0e4b6a1b36

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-41058
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/cachefiles/cache.c
	include/trace/events/fscache.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/90f17e47f1e209c6a3c92a1d038a0a80c95c460e
	https://git.kernel.org/stable/c/9dd7f5663899ea13a6a73216106d9c13c37453e3
	https://git.kernel.org/stable/c/38b88d544216f806d93a273a62ff8ebe82254003
	https://git.kernel.org/stable/c/522018a0de6b6fcce60c04f86dfc5f0e4b6a1b36