CVE-2024-41057
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-41057
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-41057.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-41057
- Downstream
- Related
- Published
- 2024-07-29T14:57:19Z
- Modified
- 2025-11-04T07:58:14.539780Z
- Summary
- cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
cachefiles: fix slab-use-after-free in cachefileswithdrawcookie()
We got the following issue in our fault injection stress test:
================================================================== BUG: KASAN: slab-use-after-free in cachefileswithdrawcookie+0x4d9/0x600 Read of size 8 at addr ffff888118efc000 by task kworker/u78:0/109
CPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566 Call Trace: <TASK> kasanreport+0x93/0xc0 cachefileswithdrawcookie+0x4d9/0x600 fscachecookiestatemachine+0x5c8/0x1230 fscachecookieworker+0x91/0x1c0 processonework+0x7fa/0x1800 [...]
Allocated by task 117: kmalloctrace+0x1b3/0x3c0 cachefilesacquirevolume+0xf3/0x9c0 fscachecreatevolumework+0x97/0x150 processonework+0x7fa/0x1800 [...]
Freed by task 120301: kfree+0xf1/0x2c0 cachefileswithdrawcache+0x3fa/0x920 cachefilesputunbindpincount+0x1f6/0x250 cachefilesdaemonrelease+0x13b/0x290 _fput+0x204/0xa00 taskworkrun+0x139/0x230 do_exit+0x87a/0x29b0
[...]
Following is the process that triggers the issue:
p1 | p2
fscache_begin_lookup fscache_begin_volume_access fscache_cache_is_live(fscache_cache)cachefilesdaemonrelease cachefilesputunbindpincount cachefilesdaemonunbind cachefileswithdrawcache fscachewithdrawcache fscachesetcachestate(cache, FSCACHECACHEISWITHDRAWN); cachefileswithdrawobjects(cache) fscachewaitforobjects(fscache) atomicread(&fscachecache->objectcount) == 0 fscacheperformlookup cachefileslookupcookie cachefilesallocobject refcountset(&object->ref, 1); object->volume = volume fscachecountobject(vcookie->cache); atomicinc(&fscachecache->objectcount) cachefileswithdrawvolumes cachefileswithdrawvolume fscachewithdrawvolume _cachefilesfreevolume kfree(cachefilesvolume) fscachecookiestatemachine cachefileswithdrawcookie cache = object->volume->cache; // cachefiles_volume UAF !!!
After setting FSCACHECACHEISWITHDRAWN, wait for all the cookie lookups to complete first, and then wait for fscachecache->objectcount == 0 to avoid the cookie exiting after the volume has been freed and triggering the above issue. Therefore call fscachewithdrawvolume() before calling cachefileswithdraw_objects().
This way, after setting FSCACHECACHEISWITHDRAWN, only the following two cases will occur: 1) fscachebeginlookup fails in fscachebeginvolumeaccess(). 2) fscachewithdrawvolume() will ensure that fscachecountobject() has been executed before calling fscachewaitfor_objects().
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/5d8f805789072ea7fd39504694b7bd17e5f751c4
- https://git.kernel.org/stable/c/8de253177112a47c9af157d23ae934779188b4e1
- https://git.kernel.org/stable/c/9e67589a4a7b7e5660b524d1d5fe61242bcbcc11
- https://git.kernel.org/stable/c/ef81340401e8a371d6b17f69e76d861920972cfe
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedfe2140e2f57fef8562e0f9b7cd447d2b08dc2f35Fixed8de253177112a47c9af157d23ae934779188b4e1
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedfe2140e2f57fef8562e0f9b7cd447d2b08dc2f35Fixed9e67589a4a7b7e5660b524d1d5fe61242bcbcc11
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedfe2140e2f57fef8562e0f9b7cd447d2b08dc2f35Fixedef81340401e8a371d6b17f69e76d861920972cfe
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedfe2140e2f57fef8562e0f9b7cd447d2b08dc2f35Fixed5d8f805789072ea7fd39504694b7bd17e5f751c4
Affected versions
v5.*
v5.16
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.100
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.36
v6.1.37
v6.1.38
v6.1.39
v6.1.4
v6.1.40
v6.1.41
v6.1.42
v6.1.43
v6.1.44
v6.1.45
v6.1.46
v6.1.47
v6.1.48
v6.1.49
v6.1.5
v6.1.50
v6.1.51
v6.1.52
v6.1.53
v6.1.54
v6.1.55
v6.1.56
v6.1.57
v6.1.58
v6.1.59
v6.1.6
v6.1.60
v6.1.61
v6.1.62
v6.1.63
v6.1.64
v6.1.65
v6.1.66
v6.1.67
v6.1.68
v6.1.69
v6.1.7
v6.1.70
v6.1.71
v6.1.72
v6.1.73
v6.1.74
v6.1.75
v6.1.76
v6.1.77
v6.1.78
v6.1.79
v6.1.8
v6.1.80
v6.1.81
v6.1.82
v6.1.83
v6.1.84
v6.1.85
v6.1.86
v6.1.87
v6.1.88
v6.1.89
v6.1.9
v6.1.90
v6.1.91
v6.1.92
v6.1.93
v6.1.94
v6.1.95
v6.1.96
v6.1.97
v6.1.98
v6.1.99
v6.10-rc1
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
v6.9.1
v6.9.10
v6.9.2
v6.9.3
v6.9.4
v6.9.5
v6.9.6
v6.9.7
v6.9.8
v6.9.9
Database specific
vanir_signatures
[
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9e67589a4a7b7e5660b524d1d5fe61242bcbcc11",
"target": {
"file": "fs/cachefiles/volume.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"262705893389240477011356788617628312791",
"218038392632073377552851200423304038424",
"209984587551995221359242894135982796840",
"191725992399735855429873374564733377099"
]
},
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2024-41057-0120f63b"
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8de253177112a47c9af157d23ae934779188b4e1",
"target": {
"function": "cachefiles_withdraw_cache",
"file": "fs/cachefiles/cache.c"
},
"digest": {
"length": 275.0,
"function_hash": "115059350325746980819122105720513195269"
},
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2024-41057-08383058"
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5d8f805789072ea7fd39504694b7bd17e5f751c4",
"target": {
"file": "fs/cachefiles/cache.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"255605662103502361481757104167248297508",
"290630078633917372717690735775909997354",
"85710644442774017476881007810818323996",
"283967014402522649428579176664239792740",
"249698317711926772838925013870578683626",
"285749108460836631975993461424991972842",
"147127825412223039824017800181584081401"
]
},
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2024-41057-0de9ae69"
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8de253177112a47c9af157d23ae934779188b4e1",
"target": {
"function": "cachefiles_withdraw_volume",
"file": "fs/cachefiles/volume.c"
},
"digest": {
"length": 110.0,
"function_hash": "119416352818316522906377505464699397688"
},
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2024-41057-12e9c5f2"
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5d8f805789072ea7fd39504694b7bd17e5f751c4",
"target": {
"file": "fs/cachefiles/volume.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"262705893389240477011356788617628312791",
"218038392632073377552851200423304038424",
"209984587551995221359242894135982796840",
"191725992399735855429873374564733377099"
]
},
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2024-41057-288cb873"
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ef81340401e8a371d6b17f69e76d861920972cfe",
"target": {
"function": "cachefiles_withdraw_cache",
"file": "fs/cachefiles/cache.c"
},
"digest": {
"length": 275.0,
"function_hash": "115059350325746980819122105720513195269"
},
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2024-41057-28b6497b"
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ef81340401e8a371d6b17f69e76d861920972cfe",
"target": {
"file": "fs/cachefiles/volume.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"262705893389240477011356788617628312791",
"218038392632073377552851200423304038424",
"209984587551995221359242894135982796840",
"191725992399735855429873374564733377099"
]
},
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2024-41057-41398cab"
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8de253177112a47c9af157d23ae934779188b4e1",
"target": {
"file": "fs/cachefiles/volume.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"262705893389240477011356788617628312791",
"218038392632073377552851200423304038424",
"209984587551995221359242894135982796840",
"191725992399735855429873374564733377099"
]
},
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2024-41057-65549fbb"
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ef81340401e8a371d6b17f69e76d861920972cfe",
"target": {
"function": "cachefiles_withdraw_volume",
"file": "fs/cachefiles/volume.c"
},
"digest": {
"length": 110.0,
"function_hash": "119416352818316522906377505464699397688"
},
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2024-41057-68b243e2"
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9e67589a4a7b7e5660b524d1d5fe61242bcbcc11",
"target": {
"file": "fs/cachefiles/cache.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"255605662103502361481757104167248297508",
"290630078633917372717690735775909997354",
"85710644442774017476881007810818323996",
"283967014402522649428579176664239792740",
"249698317711926772838925013870578683626",
"285749108460836631975993461424991972842",
"147127825412223039824017800181584081401"
]
},
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2024-41057-72fb32bc"
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9e67589a4a7b7e5660b524d1d5fe61242bcbcc11",
"target": {
"function": "cachefiles_withdraw_volume",
"file": "fs/cachefiles/volume.c"
},
"digest": {
"length": 110.0,
"function_hash": "119416352818316522906377505464699397688"
},
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2024-41057-a7787b34"
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5d8f805789072ea7fd39504694b7bd17e5f751c4",
"target": {
"function": "cachefiles_withdraw_cache",
"file": "fs/cachefiles/cache.c"
},
"digest": {
"length": 275.0,
"function_hash": "115059350325746980819122105720513195269"
},
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2024-41057-ab98bb98"
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5d8f805789072ea7fd39504694b7bd17e5f751c4",
"target": {
"function": "cachefiles_withdraw_volume",
"file": "fs/cachefiles/volume.c"
},
"digest": {
"length": 110.0,
"function_hash": "119416352818316522906377505464699397688"
},
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2024-41057-d1ecda5b"
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8de253177112a47c9af157d23ae934779188b4e1",
"target": {
"file": "fs/cachefiles/cache.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"255605662103502361481757104167248297508",
"290630078633917372717690735775909997354",
"85710644442774017476881007810818323996",
"283967014402522649428579176664239792740",
"249698317711926772838925013870578683626",
"285749108460836631975993461424991972842",
"147127825412223039824017800181584081401"
]
},
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2024-41057-d42e033d"
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9e67589a4a7b7e5660b524d1d5fe61242bcbcc11",
"target": {
"function": "cachefiles_withdraw_cache",
"file": "fs/cachefiles/cache.c"
},
"digest": {
"length": 275.0,
"function_hash": "115059350325746980819122105720513195269"
},
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2024-41057-d95cbd72"
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ef81340401e8a371d6b17f69e76d861920972cfe",
"target": {
"file": "fs/cachefiles/cache.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"255605662103502361481757104167248297508",
"290630078633917372717690735775909997354",
"85710644442774017476881007810818323996",
"283967014402522649428579176664239792740",
"249698317711926772838925013870578683626",
"285749108460836631975993461424991972842",
"147127825412223039824017800181584081401"
]
},
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2024-41057-e3c7a6bb"
}
]