CVE-2024-40899

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-40899
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-40899.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-40899
Published
2024-07-12T12:20:41Z
Modified
2025-10-16T19:16:17.941710Z
Summary
cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd()
Details

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd()

We got the following issue in a fuzz test of randomly issuing the restore command:

==================================================================
BUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0x609/0xab0
Write of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962

CPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542
Call Trace:
 kasan_report+0x94/0xc0
 cachefiles_ondemand_daemon_read+0x609/0xab0
 vfs_read+0x169/0xb50
 ksys_read+0xf5/0x1e0

Allocated by task 626:
 __kmalloc+0x1df/0x4b0
 cachefiles_ondemand_send_req+0x24d/0x690
 cachefiles_create_tmpfile+0x249/0xb30
 cachefiles_create_file+0x6f/0x140
 cachefiles_look_up_object+0x29c/0xa60
 cachefiles_lookup_cookie+0x37d/0xca0
 fscache_cookie_state_machine+0x43c/0x1230
 [...]

Freed by task 626:
 kfree+0xf1/0x2c0
 cachefiles_ondemand_send_req+0x568/0x690
 cachefiles_create_tmpfile+0x249/0xb30
 cachefiles_create_file+0x6f/0x140
 cachefiles_look_up_object+0x29c/0xa60
 cachefiles_lookup_cookie+0x37d/0xca0
 fscache_cookie_state_machine+0x43c/0x1230
 [...]

Following is the process that triggers the issue:

     mount  |   daemon_thread1    |    daemon_thread2
------------------------------------------------------------
 cachefiles_ondemand_init_object
  cachefiles_ondemand_send_req
   REQ_A = kzalloc(sizeof(*req) + data_len)
   wait_for_completion(&REQ_A->done)

            cachefiles_daemon_read
             cachefiles_ondemand_daemon_read
              REQ_A = cachefiles_ondemand_select_req
              cachefiles_ondemand_get_fd
              copy_to_user(_buffer, msg, n)
            process_open_req(REQ_A)
                                  ------ restore ------
                                  cachefiles_ondemand_restore
                                  xas_for_each(&xas, req, ULONG_MAX)
                                   xas_set_mark(&xas, CACHEFILES_REQ_NEW);

                                  cachefiles_daemon_read
                                   cachefiles_ondemand_daemon_read
                                    REQ_A = cachefiles_ondemand_select_req

             write(devfd, ("copen %u,%llu", msg->msg_id, size));
             cachefiles_ondemand_copen
              xa_erase(&cache->reqs, id)
              complete(&REQ_A->done)
 kfree(REQ_A)
                                    cachefiles_ondemand_get_fd(REQ_A)
                                     fd = get_unused_fd_flags
                                     file = anon_inode_getfile
                                     fd_install(fd, file)
                                     load = (void *)REQ_A->msg.data;
                                     load->fd = fd;
                                     // load UAF !!!

This issue is caused by issuing a restore command when the daemon is still alive, which results in a request being processed multiple times thus triggering a UAF. So to avoid this problem, add an additional reference count to cachefiles_req, which is held while waiting and reading, and then released when the waiting and reading is over.

Note that since there is only one reference count for waiting, we need to avoid the same request being completed multiple times, so we can only complete the request if it is successfully removed from the xarray.

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a0cc87f86698174aacc083c4652d2606007dd902
Fixed
99e9c5bd27ddefa0f9db88625bf5e31c1e833d62
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9f5fa40f0924e9de85b16c6d1aea80327ce647d8
Fixed
a6de82765e12fb1201ab607f0d3ffe3309b30fc0
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e73fa11a356ca0905c3cc648eaacc6f0f2d2c8b3
Fixed
1d902d9a3aa4f2a8bda698294e34be788be012fc
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e73fa11a356ca0905c3cc648eaacc6f0f2d2c8b3
Fixed
de3e26f9e5b76fc628077578c001c4a51bf54d06

Affected versions

v6.*

v6.7
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
v6.9.1
v6.9.2
v6.9.3
v6.9.4
v6.9.5

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.8.0
Fixed
6.9.6