Bug 2297519 (CVE-2024-40935) - CVE-2024-40935 kernel: cachefiles: flush all requests after setting CACHEFILES_DEAD
Summary: CVE-2024-40935 kernel: cachefiles: flush all requests after setting CACHEFILE...
Keywords:
Status: NEW
Alias: CVE-2024-40935
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-07-12 13:35 UTC by OSIDB Bzimport
Modified: 2024-09-23 01:50 UTC (History)
4 users (show)

Fixed In Version: kernel 6.1.95, kernel 6.6.35, kernel 6.9.6, kernel 6.10-rc4
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the Linux kernel's cachefiles component, where requests were not properly flushed after marking the cache as CACHEFILES_DEAD in ondemand mode, when this flag is set, the cachefiles_daemon_write() function returns -EIO, preventing the daemon from passing the open request to the kernel, leading to a hungtask situation.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2024-07-12 13:35:40 UTC
In the Linux kernel, the following vulnerability has been resolved:

cachefiles: flush all requests after setting CACHEFILES_DEAD

In ondemand mode, when the daemon is processing an open request, if the
kernel flags the cache as CACHEFILES_DEAD, the cachefiles_daemon_write()
will always return -EIO, so the daemon can't pass the copen to the kernel.
Then the kernel process that is waiting for the copen triggers a hung_task.

Since the DEAD state is irreversible, it can only be exited by closing
/dev/cachefiles. Therefore, after calling cachefiles_io_error() to mark
the cache as CACHEFILES_DEAD, if in ondemand mode, flush all requests to
avoid the above hungtask. We may still be able to read some of the cached
data before closing the fd of /dev/cachefiles.

Note that this relies on the patch that adds reference counting to the req,
otherwise it may UAF.


Note You need to log in before you can comment on or make changes to this bug.