CVE-2024-41057

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-41057
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-41057.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-41057
Downstream
Related
Published
2024-07-29T14:57:19Z
Modified
2025-10-09T14:00:33.213778Z
Summary
cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()
Details

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix slab-use-after-free in cachefileswithdrawcookie()

We got the following issue in our fault injection stress test:

================================================================== BUG: KASAN: slab-use-after-free in cachefileswithdrawcookie+0x4d9/0x600 Read of size 8 at addr ffff888118efc000 by task kworker/u78:0/109

CPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566 Call Trace: <TASK> kasanreport+0x93/0xc0 cachefileswithdrawcookie+0x4d9/0x600 fscachecookiestatemachine+0x5c8/0x1230 fscachecookieworker+0x91/0x1c0 processonework+0x7fa/0x1800 [...]

Allocated by task 117: kmalloctrace+0x1b3/0x3c0 cachefilesacquirevolume+0xf3/0x9c0 fscachecreatevolumework+0x97/0x150 processonework+0x7fa/0x1800 [...]

Freed by task 120301: kfree+0xf1/0x2c0 cachefileswithdrawcache+0x3fa/0x920 cachefilesputunbindpincount+0x1f6/0x250 cachefilesdaemonrelease+0x13b/0x290 _fput+0x204/0xa00 taskworkrun+0x139/0x230 do_exit+0x87a/0x29b0

[...]

Following is the process that triggers the issue:

p1 | p2

                          fscache_begin_lookup
                           fscache_begin_volume_access
                            fscache_cache_is_live(fscache_cache)

cachefilesdaemonrelease cachefilesputunbindpincount cachefilesdaemonunbind cachefileswithdrawcache fscachewithdrawcache fscachesetcachestate(cache, FSCACHECACHEISWITHDRAWN); cachefileswithdrawobjects(cache) fscachewaitforobjects(fscache) atomicread(&fscachecache->objectcount) == 0 fscacheperformlookup cachefileslookupcookie cachefilesallocobject refcountset(&object->ref, 1); object->volume = volume fscachecountobject(vcookie->cache); atomicinc(&fscachecache->objectcount) cachefileswithdrawvolumes cachefileswithdrawvolume fscachewithdrawvolume _cachefilesfreevolume kfree(cachefilesvolume) fscachecookiestatemachine cachefileswithdrawcookie cache = object->volume->cache; // cachefiles_volume UAF !!!

After setting FSCACHECACHEISWITHDRAWN, wait for all the cookie lookups to complete first, and then wait for fscachecache->objectcount == 0 to avoid the cookie exiting after the volume has been freed and triggering the above issue. Therefore call fscachewithdrawvolume() before calling cachefileswithdraw_objects().

This way, after setting FSCACHECACHEISWITHDRAWN, only the following two cases will occur: 1) fscachebeginlookup fails in fscachebeginvolumeaccess(). 2) fscachewithdrawvolume() will ensure that fscachecountobject() has been executed before calling fscachewaitfor_objects().

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35
Fixed
8de253177112a47c9af157d23ae934779188b4e1
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35
Fixed
9e67589a4a7b7e5660b524d1d5fe61242bcbcc11
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35
Fixed
ef81340401e8a371d6b17f69e76d861920972cfe
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35
Fixed
5d8f805789072ea7fd39504694b7bd17e5f751c4

Affected versions

v5.*

v5.16
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.100
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.36
v6.1.37
v6.1.38
v6.1.39
v6.1.4
v6.1.40
v6.1.41
v6.1.42
v6.1.43
v6.1.44
v6.1.45
v6.1.46
v6.1.47
v6.1.48
v6.1.49
v6.1.5
v6.1.50
v6.1.51
v6.1.52
v6.1.53
v6.1.54
v6.1.55
v6.1.56
v6.1.57
v6.1.58
v6.1.59
v6.1.6
v6.1.60
v6.1.61
v6.1.62
v6.1.63
v6.1.64
v6.1.65
v6.1.66
v6.1.67
v6.1.68
v6.1.69
v6.1.7
v6.1.70
v6.1.71
v6.1.72
v6.1.73
v6.1.74
v6.1.75
v6.1.76
v6.1.77
v6.1.78
v6.1.79
v6.1.8
v6.1.80
v6.1.81
v6.1.82
v6.1.83
v6.1.84
v6.1.85
v6.1.86
v6.1.87
v6.1.88
v6.1.89
v6.1.9
v6.1.90
v6.1.91
v6.1.92
v6.1.93
v6.1.94
v6.1.95
v6.1.96
v6.1.97
v6.1.98
v6.1.99
v6.10-rc1
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
v6.9.1
v6.9.10
v6.9.2
v6.9.3
v6.9.4
v6.9.5
v6.9.6
v6.9.7
v6.9.8
v6.9.9

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.17.0
Fixed
6.1.101
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.42
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.9.11