DEBIAN-CVE-2024-40899

In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in cachefilesondemandgetfd() We got the following issue in a fuzz test of randomly issuing the restore command: ================================================================== BUG: KASAN: slab-use-after-free in cachefilesondemanddaemonread+0x609/0xab0 Write of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962 CPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542 Call Trace: kasanreport+0x94/0xc0 cachefilesondemanddaemonread+0x609/0xab0 vfsread+0x169/0xb50 ksysread+0xf5/0x1e0 Allocated by task 626: _kmalloc+0x1df/0x4b0 cachefilesondemandsendreq+0x24d/0x690 cachefilescreatetmpfile+0x249/0xb30 cachefilescreatefile+0x6f/0x140 cachefileslookupobject+0x29c/0xa60 cachefileslookupcookie+0x37d/0xca0 fscachecookiestatemachine+0x43c/0x1230 [...] Freed by task 626: kfree+0xf1/0x2c0 cachefilesondemandsendreq+0x568/0x690 cachefilescreatetmpfile+0x249/0xb30 cachefilescreatefile+0x6f/0x140 cachefileslookupobject+0x29c/0xa60 cachefileslookupcookie+0x37d/0xca0 fscachecookiestatemachine+0x43c/0x1230 [...] ================================================================== Following is the process that triggers the issue: mount | daemonthread1 | daemonthread2 ------------------------------------------------------------ cachefilesondemandinitobject cachefilesondemandsendreq REQA = kzalloc(sizeof(*req) + datalen) waitforcompletion(&REQA->done) cachefilesdaemonread cachefilesondemanddaemonread REQA = cachefilesondemandselectreq cachefilesondemandgetfd copytouser(buffer, msg, n) processopenreq(REQA) ------ restore ------ cachefilesondemandrestore xasforeach(&xas, req, ULONGMAX) xassetmark(&xas, CACHEFILESREQNEW); cachefilesdaemonread cachefilesondemanddaemonread REQA = cachefilesondemandselectreq write(devfd, ("copen %u,%llu", msg->msgid, size)); cachefilesondemandcopen xaerase(&cache->reqs, id) complete(&REQA->done) kfree(REQA) cachefilesondemandgetfd(REQA) fd = getunusedfdflags file = anoninodegetfile fdinstall(fd, file) load = (void *)REQA->msg.data; load->fd = fd; // load UAF !!! This issue is caused by issuing a restore command when the daemon is still alive, which results in a request being processed multiple times thus triggering a UAF. So to avoid this problem, add an additional reference count to cachefilesreq, which is held while waiting and reading, and then released when the waiting and reading is over. Note that since there is only one reference count for waiting, we need to avoid the same request being completed multiple times, so we can only complete the request if it is successfully removed from the xarray.