CVE-2024-41058

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-41058
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-41058.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-41058
Related
Published
2024-07-29T15:15:13Z
Modified
2024-09-11T04:59:22.333028Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix slab-use-after-free in fscachewithdrawvolume()

We got the following issue in our fault injection stress test:

================================================================== BUG: KASAN: slab-use-after-free in fscachewithdrawvolume+0x2e1/0x370 Read of size 4 at addr ffff88810680be08 by task ondemand-04-dae/5798

CPU: 0 PID: 5798 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #565 Call Trace: kasancheckrange+0xf6/0x1b0 fscachewithdrawvolume+0x2e1/0x370 cachefileswithdrawvolume+0x31/0x50 cachefileswithdrawcache+0x3ad/0x900 cachefilesputunbindpincount+0x1f6/0x250 cachefilesdaemonrelease+0x13b/0x290 _fput+0x204/0xa00 taskworkrun+0x139/0x230

Allocated by task 5820: _kmalloc+0x1df/0x4b0 fscacheallocvolume+0x70/0x600 _fscacheacquirevolume+0x1c/0x610 erofsfscacheregistervolume+0x96/0x1a0 erofsfscacheregisterfs+0x49a/0x690 erofsfcfillsuper+0x6c0/0xcc0 vfsgetsuper+0xa9/0x140 vfsgettree+0x8e/0x300 donew_mount+0x28c/0x580 [...]

Freed by task 5820: kfree+0xf1/0x2c0 fscacheputvolume.part.0+0x5cb/0x9e0 erofsfscacheunregisterfs+0x157/0x1b0 erofskillsb+0xd9/0x1c0 deactivatelockedsuper+0xa3/0x100 vfsgetsuper+0x105/0x140 vfsgettree+0x8e/0x300 donew_mount+0x28c/0x580

[...]

Following is the process that triggers the issue:

mount failed | daemon exit

deactivatelockedsuper cachefilesdaemonrelease erofskillsb erofsfscacheunregisterfs fscacherelinquishvolume _fscacherelinquishvolume fscacheputvolume(fscachevolume, fscachevolumeputrelinquish) zero = _refcountdecandtest(&fscachevolume->ref, &ref); cachefilesputunbindpincount cachefilesdaemonunbind cachefileswithdrawcache cachefileswithdrawvolumes listdelinit(&volume->cachelink) fscachefreevolume(fscachevolume) cache->ops->freevolume cachefilesfreevolume listdelinit(&cachefilesvolume->cachelink); kfree(fscachevolume) cachefileswithdrawvolume fscachewithdrawvolume fscachevolume->naccesses // fscache_volume UAF !!!

The fscachevolume in cache->volumes must not have been freed yet, but its reference count may be 0. So use the new fscachetrygetvolume() helper function try to get its reference count.

If the reference count of fscachevolume is 0, fscacheput_volume() is freeing it, so wait for it to be removed from cache->volumes.

If its reference count is not 0, call cachefileswithdrawvolume() with reference count protection to avoid the above issue.

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.106-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.9.11-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1
6.7.9-1
6.7.9-2
6.7.12-1~bpo12+1
6.7.12-1
6.8.9-1
6.8.11-1
6.8.12-1~bpo12+1
6.8.12-1
6.9.2-1~exp1
6.9.7-1~bpo12+1
6.9.7-1
6.9.8-1
6.9.9-1
6.9.10-1~bpo12+1
6.9.10-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}