CVE-2024-41058

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-41058
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-41058.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-41058
Downstream
Related
Published
2024-07-29T14:57:20Z
Modified
2025-10-17T08:46:31.795591Z
Summary
cachefiles: fix slab-use-after-free in fscache_withdraw_volume()
Details

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix slab-use-after-free in fscache_withdraw_volume()

We got the following issue in our fault injection stress test:

==================================================================
BUG: KASAN: slab-use-after-free in fscache_withdraw_volume+0x2e1/0x370
Read of size 4 at addr ffff88810680be08 by task ondemand-04-dae/5798

CPU: 0 PID: 5798 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #565
Call Trace:
 kasan_check_range+0xf6/0x1b0
 fscache_withdraw_volume+0x2e1/0x370
 cachefiles_withdraw_volume+0x31/0x50
 cachefiles_withdraw_cache+0x3ad/0x900
 cachefiles_put_unbind_pincount+0x1f6/0x250
 cachefiles_daemon_release+0x13b/0x290
 __fput+0x204/0xa00
 task_work_run+0x139/0x230

Allocated by task 5820:
 __kmalloc+0x1df/0x4b0
 fscache_alloc_volume+0x70/0x600
 __fscache_acquire_volume+0x1c/0x610
 erofs_fscache_register_volume+0x96/0x1a0
 erofs_fscache_register_fs+0x49a/0x690
 erofs_fc_fill_super+0x6c0/0xcc0
 vfs_get_super+0xa9/0x140
 vfs_get_tree+0x8e/0x300
 do_new_mount+0x28c/0x580
 [...]

Freed by task 5820:
 kfree+0xf1/0x2c0
 fscache_put_volume.part.0+0x5cb/0x9e0
 erofs_fscache_unregister_fs+0x157/0x1b0
 erofs_kill_sb+0xd9/0x1c0
 deactivate_locked_super+0xa3/0x100
 vfs_get_super+0x105/0x140
 vfs_get_tree+0x8e/0x300
 do_new_mount+0x28c/0x580
 [...]

Following is the process that triggers the issue:

        mount failed         |         daemon exit
------------------------------------------------------------
 deactivate_locked_super        cachefiles_daemon_release
  erofs_kill_sb
   erofs_fscache_unregister_fs
    fscache_relinquish_volume
     __fscache_relinquish_volume
      fscache_put_volume(fscache_volume, fscache_volume_put_relinquish)
       zero = __refcount_dec_and_test(&fscache_volume->ref, &ref);
                                 cachefiles_put_unbind_pincount
                                  cachefiles_daemon_unbind
                                   cachefiles_withdraw_cache
                                    cachefiles_withdraw_volumes
                                     list_del_init(&volume->cache_link)
       fscache_free_volume(fscache_volume)
        cache->ops->free_volume
         cachefiles_free_volume
          list_del_init(&cachefiles_volume->cache_link);
        kfree(fscache_volume)
                                    cachefiles_withdraw_volume
                                     fscache_withdraw_volume
                                      fscache_volume->n_accesses
                                      // fscache_volume UAF !!!

The fscache_volume in cache->volumes must not have been freed yet, but its reference count may be 0. So use the new fscache_try_get_volume() helper function to try to get its reference count.

If the reference count of fscache_volume is 0, fscache_put_volume() is freeing it, so wait for it to be removed from cache->volumes.

If its reference count is not 0, call cachefiles_withdraw_volume() with reference count protection to avoid the above issue.
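The try-get rule described above, as an added user-space C model (not the kernel patch and not code from this record): a volume still linked in the list may already have a reference count of 0, so the withdraw path touches it only after an increment-if-not-zero succeeds. The names `struct volume`, `try_get_volume`, `put_volume` and `withdraw_volumes` are illustrative stand-ins, and the model skips a dying volume where the fix described above waits for it to leave cache->volumes.

```c
/* User-space model of the try-get pattern; illustrative, not kernel code. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct volume {                 /* stand-in for struct fscache_volume */
    atomic_int ref;             /* 0 means the final put is already freeing it */
    int withdrawn;              /* set when the withdraw path touched it */
};

/* Take a reference only if the count is still non-zero (inc-not-zero). */
static bool try_get_volume(struct volume *v)
{
    int old = atomic_load(&v->ref);
    while (old != 0) {
        /* On failure 'old' is reloaded and the zero check repeats. */
        if (atomic_compare_exchange_weak(&v->ref, &old, old + 1))
            return true;
    }
    return false;
}

/* Drop a reference; returns true when the caller dropped the last one. */
static bool put_volume(struct volume *v)
{
    return atomic_fetch_sub(&v->ref, 1) == 1;
}

/*
 * Withdraw every volume still linked in the cache. A volume whose count is
 * already 0 is left alone: its final put owns the teardown and unlinking.
 * Returns how many volumes were withdrawn under a held reference.
 */
static int withdraw_volumes(struct volume **list, size_t n)
{
    int done = 0;
    for (size_t i = 0; i < n; i++) {
        struct volume *v = list[i];
        if (!try_get_volume(v))
            continue;           /* dying: leave it to the final put */
        v->withdrawn = 1;       /* safe: our reference pins the object */
        put_volume(v);
        done++;
    }
    return done;
}

int main(void)
{
    /* Constructed sample: one live volume, one whose last ref was dropped. */
    struct volume live = { 1, 0 }, dying = { 0, 0 };
    struct volume *cache_volumes[] = { &live, &dying };
    int n = withdraw_volumes(cache_volumes, 2);
    printf("withdrawn=%d live.ref=%d dying.withdrawn=%d\n",
           n, atomic_load(&live.ref), dying.withdrawn);
    return 0;
}
```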

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35
Fixed
90f17e47f1e209c6a3c92a1d038a0a80c95c460e
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35
Fixed
9dd7f5663899ea13a6a73216106d9c13c37453e3
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35
Fixed
38b88d544216f806d93a273a62ff8ebe82254003
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35
Fixed
522018a0de6b6fcce60c04f86dfc5f0e4b6a1b36

Affected versions

v5.*

v5.16
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.100
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.36
v6.1.37
v6.1.38
v6.1.39
v6.1.4
v6.1.40
v6.1.41
v6.1.42
v6.1.43
v6.1.44
v6.1.45
v6.1.46
v6.1.47
v6.1.48
v6.1.49
v6.1.5
v6.1.50
v6.1.51
v6.1.52
v6.1.53
v6.1.54
v6.1.55
v6.1.56
v6.1.57
v6.1.58
v6.1.59
v6.1.6
v6.1.60
v6.1.61
v6.1.62
v6.1.63
v6.1.64
v6.1.65
v6.1.66
v6.1.67
v6.1.68
v6.1.69
v6.1.7
v6.1.70
v6.1.71
v6.1.72
v6.1.73
v6.1.74
v6.1.75
v6.1.76
v6.1.77
v6.1.78
v6.1.79
v6.1.8
v6.1.80
v6.1.81
v6.1.82
v6.1.83
v6.1.84
v6.1.85
v6.1.86
v6.1.87
v6.1.88
v6.1.89
v6.1.9
v6.1.90
v6.1.91
v6.1.92
v6.1.93
v6.1.94
v6.1.95
v6.1.96
v6.1.97
v6.1.98
v6.1.99
v6.10-rc1
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
v6.9.1
v6.9.10
v6.9.2
v6.9.3
v6.9.4
v6.9.5
v6.9.6
v6.9.7
v6.9.8
v6.9.9

Database specific

vanir_signatures


Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.17.0
Fixed
6.1.101
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.42
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.9.11