Bug 2300451 (CVE-2024-41074) - CVE-2024-41074 kernel: cachefiles: Set object to close if ondemand_id < 0 in copen
Summary: CVE-2024-41074 kernel: cachefiles: Set object to close if ondemand_id < 0 ...
Keywords:
Status: NEW
Alias: CVE-2024-41074
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2301639
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-07-29 15:50 UTC by OSIDB Bzimport
Modified: 2024-10-14 11:26 UTC (History)
4 users (show)

Fixed In Version: kernel 6.1.101, kernel 6.6.42, kernel 6.9.11, kernel 6.10
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the `cachefiles` subsystem in the Linux Kernel involving the `copen` function being misused with an `ondemand_id` less than 0. This could lead to the deletion of a request before it was read, causing the request to be skipped and blocking other processes. The issue was fixed by ensuring that if the `ondemand_id` is less than 0, the object is set to close. This prevents requests from being skipped and ensures proper handling and completion of read requests, maintaining system stability.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2024-07-29 15:50:16 UTC
In the Linux kernel, the following vulnerability has been resolved:

cachefiles: Set object to close if ondemand_id < 0 in copen

If copen is maliciously called in the user mode, it may delete the request
corresponding to the random id. And the request may have not been read yet.

Note that when the object is set to reopen, the open request will be done
with the still reopen state in above case. As a result, the request
corresponding to this object is always skipped in select_req function, so
the read request is never completed and blocks other process.

Fix this issue by simply set object to close if its id < 0 in copen.

Comment 1 Mauro Matteo Cascella 2024-07-30 13:49:08 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024072910-CVE-2024-41074-e5d9@gregkh/T

Comment 2 Mauro Matteo Cascella 2024-07-30 13:49:28 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2301639]


Note You need to log in before you can comment on or make changes to this bug.