CVE-2024-40900

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-40900
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-40900.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-40900
Downstream
Related
Published
2024-07-12T12:20:42.192Z
Modified
2026-03-20T12:37:22.434663Z
Summary
cachefiles: remove requests from xarray during flushing requests
Details

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: remove requests from xarray during flushing requests

Even with CACHEFILES_DEAD set, we can still read the requests, so in the following concurrency the request may be used after it has been freed:

mount | daemonthread1 | daemonthread2

cachefilesondemandinitobject cachefilesondemandsendreq REQA = kzalloc(sizeof(*req) + datalen) waitforcompletion(&REQA->done) cachefilesdaemonread cachefilesondemanddaemonread // close dev fd cachefilesflushreqs complete(&REQA->done) kfree(REQA) xalock(&cache->reqs); cachefilesondemandselectreq req->msg.opcode != CACHEFILESOPREAD // req use-after-free !!! xaunlock(&cache->reqs); xadestroy(&cache->reqs)

Hence remove requests from cache->reqs when flushing them to avoid accessing freed requests.

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40900.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c8383054506c77b814489c09877b5db83fd4abf2
Fixed
9f13aacdd4ee9a7644b2a3c96d67113cd083c9c7
Fixed
50d0e55356ba5b84ffb51c42704126124257e598
Fixed
37e19cf86a520d65de1de9cb330415c332a40d19
Fixed
0fc75c5940fa634d84e64c93bfc388e1274ed013

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-40900.json"