```
     mount  |   daemon_thread1    |    daemon_thread2
------------------------------------------------------------
 cachefiles_ondemand_init_object
  cachefiles_ondemand_send_req
   REQ_A = kzalloc(sizeof(*req) + data_len)
   wait_for_completion(&REQ_A->done)
            cachefiles_daemon_read
             cachefiles_ondemand_daemon_read
                                  // close dev fd
                                  cachefiles_flush_reqs
                                   complete(&REQ_A->done)
   kfree(REQ_A)
              xa_lock(&cache->reqs);
              cachefiles_ondemand_select_req
                req->msg.opcode != CACHEFILES_OP_READ
                // req use-after-free !!!
              xa_unlock(&cache->reqs);
                                   xa_destroy(&cache->reqs)
```
Hence, remove requests from cache->reqs when flushing them, so that a
concurrent daemon read cannot select a request that has already been
completed and freed.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure | < any | UNKNOWN |
git.kernel.org/linus/0fc75c5940fa634d84e64c93bfc388e1274ed013 (6.10-rc4)
git.kernel.org/stable/c/0fc75c5940fa634d84e64c93bfc388e1274ed013
git.kernel.org/stable/c/37e19cf86a520d65de1de9cb330415c332a40d19
git.kernel.org/stable/c/50d0e55356ba5b84ffb51c42704126124257e598
git.kernel.org/stable/c/9f13aacdd4ee9a7644b2a3c96d67113cd083c9c7
launchpad.net/bugs/cve/CVE-2024-40900
nvd.nist.gov/vuln/detail/CVE-2024-40900
security-tracker.debian.org/tracker/CVE-2024-40900
www.cve.org/CVERecord?id=CVE-2024-40900