CVE-2024-41051

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-41051
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-41051.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-41051
Published
2024-07-29T14:32:07Z
Modified
2025-10-17T09:24:00.754969Z
Summary
cachefiles: wait for ondemand_object_worker to finish when dropping object
Details

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: wait for ondemand_object_worker to finish when dropping object

When queuing ondemand_object_worker() to re-open the object, cachefiles_object is not pinned. The cachefiles_object may be freed when the pending read request is completed intentionally and the related erofs is umounted. If ondemand_object_worker() runs after the object is freed, it will incur a use-after-free problem as shown below.

     process A    process B        process C       process D

cachefiles_ondemand_send_req()
// send a read req X
// wait for its completion

           // close ondemand fd
           cachefiles_ondemand_fd_release()
           // set object as CLOSE

                       cachefiles_ondemand_daemon_read()
                       // set object as REOPENING
                       queue_work(fscache_wq, &info->ondemand_work)

                                // close /dev/cachefiles
                                cachefiles_daemon_release
                                cachefiles_flush_reqs
                                complete(&req->done)

// read req X is completed
// umount the erofs fs
cachefiles_put_object()
// object will be freed
cachefiles_ondemand_deinit_obj_info()
kmem_cache_free(object)
                       // both info and object are freed
                       ondemand_object_worker()

When dropping an object, it is no longer necessary to reopen the object, so use cancel_work_sync() to cancel or wait for ondemand_object_worker() to finish.
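
The ordering problem described above, as an added single-threaded user-space model (not kernel code and not the upstream patch). Every model_* name and replay_interleaving() are hypothetical, and the object is only marked as freed so the model can report whether the late worker would have touched it.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model: every name below is hypothetical, not a kernel API. */
struct model_object {
    bool work_pending;   /* ondemand_work is queued but has not run yet */
    bool freed;          /* stands in for kmem_cache_free(object) */
};

/* Stand-in for cancel_work_sync(): on return the work is neither queued nor running. */
static void model_cancel_work_sync(struct model_object *obj)
{
    obj->work_pending = false;
}

/* Drop path; wait_for_worker selects the behaviour with or without the fix. */
static void model_put_object(struct model_object *obj, bool wait_for_worker)
{
    if (wait_for_worker)
        model_cancel_work_sync(obj);
    obj->freed = true;   /* marked instead of freed so the model can inspect it */
}

/* The workqueue finally runs the item; true means it touched a freed object. */
static bool model_run_worker(struct model_object *obj)
{
    if (!obj->work_pending)
        return false;
    obj->work_pending = false;
    return obj->freed;
}

/* Replays the interleaving from the timeline above; returns true on use-after-free. */
bool replay_interleaving(bool wait_for_worker)
{
    struct model_object obj = { false, false };

    obj.work_pending = true;                   /* process C: REOPENING, queue_work() */
    model_put_object(&obj, wait_for_worker);   /* process D completes req X, A umounts */
    return model_run_worker(&obj);             /* worker is scheduled last */
}

int main(void)
{
    printf("without wait: uaf=%d\n", replay_interleaving(false));
    printf("with wait:    uaf=%d\n", replay_interleaving(true));
    return 0;
}
```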

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f17443d52d805c9a7fab5e67a4e8b973626fe1cd
Fixed
ec9289369259d982e735a71437e32e6b4035290c
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f740fd943bb1fbf79b7eaba3c71eb7536f437f51
Fixed
d3179bae72b1b5e555ba839d6d9f40a350a4d78a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0a7e54c1959c0feb2de23397ec09c7692364313e
Fixed
b26525b2183632f16a3a4108fe6a4bfa8afac6ed
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0a7e54c1959c0feb2de23397ec09c7692364313e
Fixed
12e009d60852f7bce0afc373ca0b320f14150418

Affected versions

v6.*

v6.1.95
v6.1.96
v6.1.97
v6.1.98
v6.1.99
v6.10-rc1
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.40
v6.7
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
v6.9.1
v6.9.2
v6.9.3
v6.9.4
v6.9.5
v6.9.6
v6.9.7
v6.9.8
v6.9.9

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.1.100
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.41
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.9.10