2297519 – (CVE-2024-40935) CVE-2024-40935 kernel: cachefiles: flush all requests after setting CACHEFILES_DEAD

Bug 2297519 (CVE-2024-40935) - CVE-2024-40935 kernel: cachefiles: flush all requests after setting CACHEFILES_DEAD

Summary: CVE-2024-40935 kernel: cachefiles: flush all requests after setting CACHEFILE...

Keywords:
Status:	NEW
Alias:	CVE-2024-40935
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-07-12 13:35 UTC by OSIDB Bzimport
Modified:	2024-07-26 05:22 UTC (History)
CC List:	4 users (show)
Fixed In Version:	kernel 6.1.95, kernel 6.6.35, kernel 6.9.6, kernel 6.10-rc4
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-07-12 13:35:40 UTC

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: flush all requests after setting CACHEFILES_DEAD

In ondemand mode, when the daemon is processing an open request, if the
kernel flags the cache as CACHEFILES_DEAD, the cachefiles_daemon_write()
will always return -EIO, so the daemon can't pass the copen to the kernel.
Then the kernel process that is waiting for the copen triggers a hung_task.

Since the DEAD state is irreversible, it can only be exited by closing
/dev/cachefiles. Therefore, after calling cachefiles_io_error() to mark
the cache as CACHEFILES_DEAD, if in ondemand mode, flush all requests to
avoid the above hungtask. We may still be able to read some of the cached
data before closing the fd of /dev/cachefiles.

Note that this relies on the patch that adds reference counting to the req,
otherwise it may UAF.

Note You need to log in before you can comment on or make changes to this bug.