LinuxCVELIST:CVE-2024-41051CVE-2024-41051 cachefiles: wait for ondemand_object_worker to finish when dropping object
EPSS
Percentile
16.2%
In the Linux kernel, the following vulnerability has been resolved:
cachefiles: wait for ondemand_object_worker to finish when dropping object
When queuing ondemand_object_worker() to re-open the object,
cachefiles_object is not pinned. The cachefiles_object may be freed when
the pending read request is completed intentionally and the related
erofs is umounted. If ondemand_object_worker() runs after the object is
freed, it will incur use-after-free problem as shown below.
process A processs B process C process D
cachefiles_ondemand_send_req()
// send a read req X
// wait for its completion
// close ondemand fd
cachefiles_ondemand_fd_release()
// set object as CLOSE
cachefiles_ondemand_daemon_read()
// set object as REOPENING
queue_work(fscache_wq, &info->ondemand_work)
// close /dev/cachefiles
cachefiles_daemon_release
cachefiles_flush_reqs
complete(&req->done)
// read req X is completed
// umount the erofs fs
cachefiles_put_object()
// object will be freed
cachefiles_ondemand_deinit_obj_info()
kmem_cache_free(object)
// both info and object are freed
ondemand_object_worker()
When dropping an object, it is no longer necessary to reopen the object,
so use cancel_work_sync() to cancel or wait for ondemand_object_worker()
to finish.
CNA Affected
[
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"fs/cachefiles/ondemand.c"
],
"versions": [
{
"version": "f17443d52d80",
"lessThan": "ec9289369259",
"status": "affected",
"versionType": "git"
},
{
"version": "f740fd943bb1",
"lessThan": "d3179bae72b1",
"status": "affected",
"versionType": "git"
},
{
"version": "0a7e54c1959c",
"lessThan": "b26525b21836",
"status": "affected",
"versionType": "git"
},
{
"version": "0a7e54c1959c",
"lessThan": "12e009d60852",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"fs/cachefiles/ondemand.c"
],
"versions": [
{
"version": "6.8",
"status": "affected"
},
{
"version": "0",
"lessThan": "6.8",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.1.100",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.6.41",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.9.10",
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.10",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
]Related
