CVE-2024-40899

Description

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd()

We got the following issue in a fuzz test of randomly issuing the restore command:

==================================================================
BUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0x609/0xab0
Write of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962

CPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542
Call Trace:
 kasan_report+0x94/0xc0
 cachefiles_ondemand_daemon_read+0x609/0xab0
 vfs_read+0x169/0xb50
 ksys_read+0xf5/0x1e0

Allocated by task 626:
 __kmalloc+0x1df/0x4b0
 cachefiles_ondemand_send_req+0x24d/0x690
 cachefiles_create_tmpfile+0x249/0xb30
 cachefiles_create_file+0x6f/0x140
 cachefiles_look_up_object+0x29c/0xa60
 cachefiles_lookup_cookie+0x37d/0xca0
 fscache_cookie_state_machine+0x43c/0x1230
 [...]

Freed by task 626:
 kfree+0xf1/0x2c0
 cachefiles_ondemand_send_req+0x568/0x690
 cachefiles_create_tmpfile+0x249/0xb30
 cachefiles_create_file+0x6f/0x140
 cachefiles_look_up_object+0x29c/0xa60
 cachefiles_lookup_cookie+0x37d/0xca0
 fscache_cookie_state_machine+0x43c/0x1230
 [...]
==================================================================

Following is the process that triggers the issue:

     mount  |   daemon_thread1    |    daemon_thread2
------------------------------------------------------------
cachefiles_ondemand_init_object
 cachefiles_ondemand_send_req
  REQ_A = kzalloc(sizeof(*req) + data_len)
  wait_for_completion(&REQ_A->done)

            cachefiles_daemon_read
             cachefiles_ondemand_daemon_read
              REQ_A = cachefiles_ondemand_select_req
              cachefiles_ondemand_get_fd
              copy_to_user(_buffer, msg, n)
            process_open_req(REQ_A)
                                  ------ restore ------
                                  cachefiles_ondemand_restore
                                  xas_for_each(&xas, req, ULONG_MAX)
                                   xas_set_mark(&xas, CACHEFILES_REQ_NEW);

                                  cachefiles_daemon_read
                                   cachefiles_ondemand_daemon_read
                                    REQ_A = cachefiles_ondemand_select_req

            write(devfd, ("copen %u,%llu", msg->msg_id, size));
            cachefiles_ondemand_copen
             xa_erase(&cache->reqs, id)
             complete(&REQ_A->done)
 kfree(REQ_A)
                                    cachefiles_ondemand_get_fd(REQ_A)
                                     fd = get_unused_fd_flags
                                     file = anon_inode_getfile
                                     fd_install(fd, file)
                                     load = (void *)REQ_A->msg.data;
                                     load->fd = fd;
                                     // load UAF !!!

This issue is caused by issuing a restore command when the daemon is still alive, which results in a request being processed multiple times, thus triggering a UAF. So to avoid this problem, add an additional reference count to cachefiles_req, which is held while waiting and reading, and then released when the waiting and reading is over.

Note that since there is only one reference count for waiting, we need to avoid the same request being completed multiple times, so we can only complete the request if it is successfully removed from the xarray.
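To make the reference-count scheme from the fix description concrete, here is an added user-space C model (not the kernel patch and not code from this record) that replays the mount / daemon_thread1 / daemon_thread2 interleaving above: the reader's reference keeps the request alive across the get_fd write, and only the copen that actually erases the entry is allowed to complete it. The names table, freed_count and replay_race, and the stand-ins for xarray, completion and refcount_t, are assumptions of this model.

```c
#include <stdlib.h>

/* Constructed user-space model of the request lifetime after the fix (not the
 * kernel code): xarray -> pointer table, completion -> flag, refcount_t -> int. */
#define NREQ 4
struct req { int ref; int done; int fd; };
static struct req *table[NREQ];   /* stands in for cache->reqs */
static int freed_count;           /* how many times the request was freed */
static struct req *req_get(struct req *r) { r->ref++; return r; }
static void req_put(struct req *r) { if (--r->ref == 0) { free(r); freed_count++; } }

/* Mount side (send_req): allocate holding the waiter's reference and publish it. */
static struct req *send_req(int id) {
    struct req *r = calloc(1, sizeof *r);
    if (!r) abort();
    r->ref = 1;
    table[id] = r;
    return r;
}

/* Daemon side (daemon_read): hold a reference for the whole read, so get_fd is safe. */
static struct req *daemon_read(int id) {
    struct req *r = table[id];
    return r ? req_get(r) : NULL;
}

/* copen: only the caller that erases the entry may complete it; a repeat is refused. */
static int copen(int id) {
    struct req *r = table[id];
    if (!r) return -1;        /* xa_erase() found nothing: already handled */
    table[id] = NULL;
    r->done = 1;              /* complete(&req->done) */
    return 0;
}

/* Replay the interleaving from the report: 0 = as the fix intends, else failing step. */
static int replay_race(void) {
    struct req *r = send_req(0);     /* mount: waiter holds ref #1 */
    struct req *a = daemon_read(0);  /* daemon_thread1 reads: ref #2 */
    struct req *b = daemon_read(0);  /* restore re-marked it; thread2 reads: ref #3 */
    if (copen(0) != 0) return 1;     /* thread1's copen erases and completes */
    if (copen(0) != -1) return 2;    /* a second copen for the same id is refused */
    if (!r->done) return 3;
    req_put(r);                      /* waiter wakes and drops #1 (was kfree before) */
    req_put(a);                      /* thread1 finishes its read */
    if (freed_count != 0 || b->ref != 1) return 4;  /* b still pins the object */
    b->fd = 42;                      /* load->fd = fd now writes live memory */
    req_put(b);                      /* last reference frees it exactly once */
    return freed_count == 1 ? 0 : 5;
}
```

Without the reader's reference, the step marked "was kfree before" would free the object while thread2 still holds the pointer it is about to write through.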

Risk Information

Base Score: 7.8 (MODERATE)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score (Exploitation Probability): 0.015

Associated Vulnerability

Vulnerability | OS Platform
linux security update (DSA-5731-1) linux-source-6.1_6.1.99-1_all.deb | Linux
linux security update (DSA-5731-1) linux-source_6.1.99-1_all.deb | Linux
linux security update (DSA-5731-1) linux-perf_6.1.99-1_i386.deb | Linux
linux security update (DSA-5731-1) linux-perf_6.1.99-1_amd64.deb | Linux
linux security update (DSA-5731-1) linux-libc-dev_6.1.99-1_i386.deb | Linux
linux security update (DSA-5731-1) linux-libc-dev_6.1.99-1_amd64.deb | Linux
linux security update (DSA-5731-1) linux-kbuild-6.1_6.1.99-1_i386.deb | Linux
linux security update (DSA-5731-1) linux-kbuild-6.1_6.1.99-1_amd64.deb | Linux
linux security update (DSA-5731-1) linux-image-rt-amd64-dbg_6.1.99-1_amd64.deb | Linux
linux security update (DSA-5731-1) linux-image-rt-686-pae-dbg_6.1.99-1_i386.deb | Linux
linux security update (DSA-5731-1) linux-image-i386-signed-template_6.1.99-1_i386.deb | Linux
linux security update (DSA-5731-1) linux-image-cloud-amd64-dbg_6.1.99-1_amd64.deb | Linux
linux security update (DSA-5731-1) linux-image-amd64-signed-template_6.1.99-1_amd64.deb | Linux
linux security update (DSA-5731-1) linux-image-amd64-dbg_6.1.99-1_amd64.deb | Linux
linux security update (DSA-5731-1) linux-image-686-pae-dbg_6.1.99-1_i386.deb | Linux
linux security update (DSA-5731-1) linux-image-686-dbg_6.1.99-1_i386.deb | Linux
linux security update (DSA-5731-1) linux-doc-6.1_6.1.99-1_all.deb | Linux
linux security update (DSA-5731-1) linux-doc_6.1.99-1_all.deb | Linux
linux security update (DSA-5731-1) linux-cpupower_6.1.99-1_i386.deb | Linux
linux security update (DSA-5731-1) linux-cpupower_6.1.99-1_amd64.deb | Linux
linux security update (DSA-5731-1) linux-config-6.1_6.1.99-1_i386.deb | Linux
linux security update (DSA-5731-1) linux-config-6.1_6.1.99-1_amd64.deb | Linux
linux security update (DSA-5731-1) linux-compiler-gcc-12-x86_6.1.99-1_i386.deb | Linux
linux security update (DSA-5731-1) linux-compiler-gcc-12-x86_6.1.99-1_amd64.deb | Linux
linux security update (DSA-5731-1) usbip_2.0+6.1.99-1_i386.deb | Linux
linux security update (DSA-5731-1) usbip_2.0+6.1.99-1_amd64.deb | Linux
linux security update (DSA-5731-1) rtla_6.1.99-1_i386.deb | Linux
linux security update (DSA-5731-1) rtla_6.1.99-1_amd64.deb | Linux
linux security update (DSA-5731-1) hyperv-daemons_6.1.99-1_i386.deb | Linux
linux security update (DSA-5731-1) hyperv-daemons_6.1.99-1_amd64.deb | Linux
linux security update (DSA-5731-1) bpftool_7.1.0+6.1.99-1_i386.deb | Linux
linux security update (DSA-5731-1) bpftool_7.1.0+6.1.99-1_amd64.deb | Linux
linux security update (DSA-5731-1) libcpupower1_6.1.99-1_i386.deb | Linux
linux security update (DSA-5731-1) libcpupower1_6.1.99-1_amd64.deb | Linux
linux security update (DSA-5731-1) libcpupower-dev_6.1.99-1_i386.deb | Linux
linux security update (DSA-5731-1) libcpupower-dev_6.1.99-1_amd64.deb | Linux
SUSE-SU-2024:3194-1 (Public Cloud Module 15-SP6) kernel-syms-azure-6.4.0-150600.8.11.1.x86_64.rpm | Linux
SUSE-SU-2024:3194-1 (Public Cloud Module 15-SP6) kernel-source-azure-6.4.0-150600.8.11.1.noarch.rpm | Linux
SUSE-SU-2024:3194-1 (Public Cloud Module 15-SP6) kernel-devel-azure-6.4.0-150600.8.11.1.noarch.rpm | Linux
SUSE-SU-2024:3194-1 (Public Cloud Module 15-SP6) kernel-azure-devel-debuginfo-6.4.0-150600.8.11.1.x86_64.rpm | Linux
SUSE-SU-2024:3194-1 (Public Cloud Module 15-SP6) kernel-azure-devel-6.4.0-150600.8.11.1.x86_64.rpm | Linux
SUSE-SU-2024:3194-1 (Public Cloud Module 15-SP6) kernel-azure-debugsource-6.4.0-150600.8.11.1.x86_64.rpm | Linux
SUSE-SU-2024:3194-1 (Public Cloud Module 15-SP6) kernel-azure-debuginfo-6.4.0-150600.8.11.1.x86_64.rpm | Linux
SUSE-SU-2024:3194-1 (Public Cloud Module 15-SP6) kernel-azure-6.4.0-150600.8.11.1.x86_64.rpm | Linux
Linux kernel (USN-6999-1) linux-image-6.8.0-1010-gke_6.8.0-1010.13_amd64.deb | Linux
Linux kernel (USN-6999-1) linux-image-6.8.0-1012-ibm_6.8.0-1012.12_amd64.deb | Linux
Linux kernel (USN-6999-1) linux-image-6.8.0-1012-oem_6.8.0-1012.12_amd64.deb | Linux
Linux kernel (USN-6999-1) linux-image-6.8.0-1012-oracle_6.8.0-1012.12_amd64.deb | Linux
Linux kernel (USN-6999-1) linux-image-6.8.0-1014-gcp_6.8.0-1014.16_amd64.deb | Linux
Linux kernel (USN-6999-1) linux-image-6.8.0-1015-aws_6.8.0-1015.16_amd64.deb | Linux
Linux kernel (USN-6999-1) linux-image-6.8.0-44-generic_6.8.0-44.44_amd64.deb | Linux
Linux kernel (USN-6999-1) linux-image-6.8.0-44-lowlatency_6.8.0-44.44.1_amd64.deb | Linux
Linux kernel (USN-6999-1) linux-image-aws_6.8.0-1015.16_amd64.deb | Linux
Linux kernel (USN-6999-1) linux-image-gcp_6.8.0-1014.16_amd64.deb | Linux
Linux kernel (USN-6999-1) linux-image-generic_6.8.0-44.44_amd64.deb | Linux
Linux kernel (USN-6999-1) linux-image-generic-hwe-24.04_6.8.0-44.44_amd64.deb | Linux
Linux kernel (USN-6999-1) linux-image-gke_6.8.0-1010.13_amd64.deb | Linux
Linux kernel (USN-6999-1) linux-image-ibm_6.8.0-1012.12_amd64.deb | Linux
Linux kernel (USN-6999-1) linux-image-ibm-classic_6.8.0-1012.12_amd64.deb | Linux
Linux kernel (USN-6999-1) linux-image-ibm-lts-24.04_6.8.0-1012.12_amd64.deb | Linux
Linux kernel (USN-6999-1) linux-image-kvm_6.8.0-44.44_amd64.deb | Linux
Linux kernel (USN-6999-1) linux-image-lowlatency_6.8.0-44.44.1_amd64.deb | Linux
Linux kernel (USN-6999-1) linux-image-oracle_6.8.0-1012.12_amd64.deb | Linux
Linux kernel (USN-6999-1) linux-image-virtual_6.8.0-44.44_amd64.deb | Linux
Linux kernel (USN-6999-1) linux-image-virtual-hwe-24.04_6.8.0-44.44_amd64.deb | Linux
Linux kernel for Microsoft Azure Cloud systems (USN-7004-1) linux-image-6.8.0-1014-azure_6.8.0-1014.16_amd64.deb | Linux
Linux kernel for Microsoft Azure Cloud systems (USN-7004-1) linux-image-6.8.0-1014-azure-fde_6.8.0-1014.16_amd64.deb | Linux
Linux kernel for Microsoft Azure Cloud systems (USN-7004-1) linux-image-azure_6.8.0-1014.16_amd64.deb | Linux
Linux kernel for Microsoft Azure Cloud systems (USN-7004-1) linux-image-azure-fde_6.8.0-1014.16_amd64.deb | Linux
Linux kernel for NVIDIA systems (USN-7005-1) linux-image-6.8.0-1013-nvidia_6.8.0-1013.14_amd64.deb | Linux
Linux kernel for NVIDIA systems (USN-7005-1) linux-image-6.8.0-1013-nvidia-lowlatency_6.8.0-1013.14.1_amd64.deb | Linux
Linux kernel for NVIDIA systems (USN-7005-1) linux-image-nvidia_6.8.0-1013.13_amd64.deb | Linux
Linux kernel for NVIDIA systems (USN-7005-1) linux-image-nvidia-lowlatency_6.8.0-1013.14.1_amd64.deb | Linux
Linux kernel for NVIDIA systems (USN-7005-2) linux-image-6.8.0-1013-nvidia_6.8.0-1013.14~22.04.1_amd64.deb | Linux
Linux kernel for NVIDIA systems (USN-7005-2) linux-image-nvidia-6.8_6.8.0-1013.14~22.04.1_amd64.deb | Linux
Linux low latency kernel (USN-7008-1) linux-image-6.8.0-44-lowlatency_6.8.0-44.44.1~22.04.1_amd64.deb | Linux
Linux low latency kernel (USN-7008-1) linux-image-lowlatency-hwe-22.04_6.8.0-44.44.1~22.04.1_amd64.deb | Linux
Linux hardware enablement (HWE) kernel (USN-7029-1) linux-image-6.8.0-45-generic_6.8.0-45.45~22.04.1_amd64.deb | Linux
Linux hardware enablement (HWE) kernel (USN-7029-1) linux-image-generic-hwe-22.04_6.8.0-45.45~22.04.1_amd64.deb | Linux
Linux hardware enablement (HWE) kernel (USN-7029-1) linux-image-oem-22.04_6.8.0-45.45~22.04.1_amd64.deb | Linux
Linux hardware enablement (HWE) kernel (USN-7029-1) linux-image-oem-22.04a_6.8.0-45.45~22.04.1_amd64.deb | Linux
Linux hardware enablement (HWE) kernel (USN-7029-1) linux-image-oem-22.04b_6.8.0-45.45~22.04.1_amd64.deb | Linux
Linux hardware enablement (HWE) kernel (USN-7029-1) linux-image-oem-22.04c_6.8.0-45.45~22.04.1_amd64.deb | Linux
Linux hardware enablement (HWE) kernel (USN-7029-1) linux-image-oem-22.04d_6.8.0-45.45~22.04.1_amd64.deb | Linux
Linux hardware enablement (HWE) kernel (USN-7029-1) linux-image-virtual-hwe-22.04_6.8.0-45.45~22.04.1_amd64.deb | Linux
SUSE-SU-2024:3383-1 (Legacy Module 15-SP6) reiserfs-kmp-default-debuginfo-6.4.0-150600.23.22.1.x86_64.rpm | Linux
SUSE-SU-2024:3383-1 (Legacy Module 15-SP6) reiserfs-kmp-default-6.4.0-150600.23.22.1.x86_64.rpm | Linux
SUSE-SU-2024:3383-1 (Development Tools Module 15-SP6) kernel-syms-6.4.0-150600.23.22.1.x86_64.rpm | Linux
SUSE-SU-2024:3383-1 (Development Tools Module 15-SP6) kernel-source-6.4.0-150600.23.22.1.noarch.rpm | Linux
SUSE-SU-2024:3383-1 (Development Tools Module 15-SP6) kernel-obs-build-debugsource-6.4.0-150600.23.22.1.x86_64.rpm | Linux
SUSE-SU-2024:3383-1 (Development Tools Module 15-SP6) kernel-obs-build-6.4.0-150600.23.22.1.x86_64.rpm | Linux
SUSE-SU-2024:3383-1 (Basesystem Module 15-SP6) kernel-macros-6.4.0-150600.23.22.1.noarch.rpm | Linux
SUSE-SU-2024:3383-1 (Development Tools Module 15-SP6) kernel-docs-6.4.0-150600.23.22.1.noarch.rpm | Linux
SUSE-SU-2024:3383-1 (Basesystem Module 15-SP6) kernel-devel-6.4.0-150600.23.22.1.noarch.rpm | Linux
SUSE-SU-2024:3383-1 (Basesystem Module 15-SP6) kernel-default-devel-debuginfo-6.4.0-150600.23.22.1.x86_64.rpm | Linux
SUSE-SU-2024:3383-1 (Basesystem Module 15-SP6) kernel-default-devel-6.4.0-150600.23.22.1.x86_64.rpm | Linux
SUSE-SU-2024:3383-1 (Basesystem Module 15-SP6) kernel-default-debugsource-6.4.0-150600.23.22.1.x86_64.rpm | Linux
SUSE-SU-2024:3383-1 (Basesystem Module 15-SP6) kernel-default-debuginfo-6.4.0-150600.23.22.1.x86_64.rpm | Linux
SUSE-SU-2024:3383-1 (Basesystem Module 15-SP6) kernel-default-base-6.4.0-150600.23.22.1.150600.12.8.3.x86_64.rpm | Linux
SUSE-SU-2024:3383-1 (Basesystem Module 15-SP6) kernel-default-6.4.0-150600.23.22.1.x86_64.rpm | Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234