DEBIAN-CVE-2024-41051

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/DEBIAN-CVE-2024-41051

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2024-41051.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2024-41051

Upstream

CVE-2024-41051

Published

2024-07-29T15:15:13Z

Modified

2025-09-19T07:35:11.975020Z

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved: cachefiles: wait for ondemandobjectworker to finish when dropping object When queuing ondemandobjectworker() to re-open the object, cachefilesobject is not pinned. The cachefilesobject may be freed when the pending read request is completed intentionally and the related erofs is umounted. If ondemandobjectworker() runs after the object is freed, it will incur use-after-free problem as shown below. process A processs B process C process D cachefilesondemandsendreq() // send a read req X // wait for its completion // close ondemand fd cachefilesondemandfdrelease() // set object as CLOSE cachefilesondemanddaemonread() // set object as REOPENING queuework(fscachewq, &info->ondemandwork) // close /dev/cachefiles cachefilesdaemonrelease cachefilesflushreqs complete(&req->done) // read req X is completed // umount the erofs fs cachefilesputobject() // object will be freed cachefilesondemanddeinitobjinfo() kmemcachefree(object) // both info and object are freed ondemandobjectworker() When dropping an object, it is no longer necessary to reopen the object, so use cancelworksync() to cancel or wait for ondemandobjectworker() to finish.

References

https://security-tracker.debian.org/tracker/CVE-2024-41051

Affected packages

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.106-1

Affected versions

6.*

6.1.27-1

6.1.37-1

6.1.38-1

6.1.38-2~bpo11+1

6.1.38-2

6.1.38-3

6.1.38-4~bpo11+1

6.1.38-4

6.1.52-1

6.1.55-1~bpo11+1

6.1.55-1

6.1.64-1

6.1.66-1

6.1.67-1

6.1.69-1~bpo11+1

6.1.69-1

6.1.76-1~bpo11+1

6.1.76-1

6.1.82-1

6.1.85-1

6.1.90-1~bpo11+1

6.1.90-1

6.1.94-1~bpo11+1

6.1.94-1

6.1.98-1

6.1.99-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.9.10-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.9.10-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:11 / linux-6.1

Package

Name: linux-6.1
Purl: pkg:deb/debian/linux-6.1?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.119-1~deb11u1

Affected versions

6.*

6.1.106-3~deb11u1

6.1.106-3~deb11u2

6.1.106-3~deb11u3

6.1.112-1~deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}