CVE-2024-40900
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-40900
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-40900.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-40900
- Downstream
- Related
- Published
- 2024-07-12T12:20:42.192Z
- Modified
- 2025-11-28T02:33:59.581440Z
- Summary
- cachefiles: remove requests from xarray during flushing requests
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
cachefiles: remove requests from xarray during flushing requests
Even with CACHEFILES_DEAD set, we can still read the requests, so in the following concurrency the request may be used after it has been freed:
mount | daemonthread1 | daemonthread2
cachefilesondemandinitobject cachefilesondemandsendreq REQA = kzalloc(sizeof(*req) + datalen) waitforcompletion(&REQA->done) cachefilesdaemonread cachefilesondemanddaemonread // close dev fd cachefilesflushreqs complete(&REQA->done) kfree(REQA) xalock(&cache->reqs); cachefilesondemandselectreq req->msg.opcode != CACHEFILESOPREAD // req use-after-free !!! xaunlock(&cache->reqs); xadestroy(&cache->reqs)
Hence remove requests from cache->reqs when flushing them to avoid accessing freed requests.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40900.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/0fc75c5940fa634d84e64c93bfc388e1274ed013
- https://git.kernel.org/stable/c/37e19cf86a520d65de1de9cb330415c332a40d19
- https://git.kernel.org/stable/c/50d0e55356ba5b84ffb51c42704126124257e598
- https://git.kernel.org/stable/c/9f13aacdd4ee9a7644b2a3c96d67113cd083c9c7
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40900.json
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://nvd.nist.gov/vuln/detail/CVE-2024-40900
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc8383054506c77b814489c09877b5db83fd4abf2Fixed9f13aacdd4ee9a7644b2a3c96d67113cd083c9c7Fixed50d0e55356ba5b84ffb51c42704126124257e598Fixed37e19cf86a520d65de1de9cb330415c332a40d19Fixed0fc75c5940fa634d84e64c93bfc388e1274ed013