2297484 – (CVE-2024-40900) CVE-2024-40900 kernel: cachefiles: remove requests from xarray during flushing requests

Bug 2297484 (CVE-2024-40900) - CVE-2024-40900 kernel: cachefiles: remove requests from xarray during flushing requests

Summary: CVE-2024-40900 kernel: cachefiles: remove requests from xarray during flushin...

Keywords:
Status:	NEW
Alias:	CVE-2024-40900
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-07-12 13:25 UTC by OSIDB Bzimport
Modified:	2024-09-23 00:54 UTC (History)
CC List:	4 users (show)
Fixed In Version:	kernel 6.1.95, kernel 6.6.35, kernel 6.9.6, kernel 6.10-rc4
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in the Linux kernel's cachefiles component, during the flushing of requests, this issue arises when requests are not properly removed from the xarray, leading to a use-after-free condition where a request can be accessed after it has been freed.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-07-12 13:25:04 UTC

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: remove requests from xarray during flushing requests

Even with CACHEFILES_DEAD set, we can still read the requests, so in the
following concurrency the request may be used after it has been freed:

     mount  |   daemon_thread1    |    daemon_thread2
------------------------------------------------------------
 cachefiles_ondemand_init_object
  cachefiles_ondemand_send_req
   REQ_A = kzalloc(sizeof(*req) + data_len)
   wait_for_completion(&REQ_A->done)
            cachefiles_daemon_read
             cachefiles_ondemand_daemon_read
                                  // close dev fd
                                  cachefiles_flush_reqs
                                   complete(&REQ_A->done)
   kfree(REQ_A)
              xa_lock(&cache->reqs);
              cachefiles_ondemand_select_req
                req->msg.opcode != CACHEFILES_OP_READ
                // req use-after-free !!!
              xa_unlock(&cache->reqs);
                                   xa_destroy(&cache->reqs)

Hence remove requests from cache->reqs when flushing them to avoid
accessing freed requests.

Note You need to log in before you can comment on or make changes to this bug.