CVE-2024-39510

12.07.2024, 13:15

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read()

We got the following issue in a fuzz test of randomly issuing the restore
command:

==================================================================
BUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0xb41/0xb60
Read of size 8 at addr ffff888122e84088 by task ondemand-04-dae/963

CPU: 13 PID: 963 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #564
Call Trace:
 kasan_report+0x93/0xc0
 cachefiles_ondemand_daemon_read+0xb41/0xb60
 vfs_read+0x169/0xb50
 ksys_read+0xf5/0x1e0

Allocated by task 116:
 kmem_cache_alloc+0x140/0x3a0
 cachefiles_lookup_cookie+0x140/0xcd0
 fscache_cookie_state_machine+0x43c/0x1230
 [...]

Freed by task 792:
 kmem_cache_free+0xfe/0x390
 cachefiles_put_object+0x241/0x480
 fscache_cookie_state_machine+0x5c8/0x1230
 [...]
==================================================================

Following is the process that triggers the issue:

     mount  |   daemon_thread1    |    daemon_thread2
------------------------------------------------------------
cachefiles_withdraw_cookie
 cachefiles_ondemand_clean_object(object)
  cachefiles_ondemand_send_req
   REQ_A = kzalloc(sizeof(*req) + data_len)
   wait_for_completion(&REQ_A->done)

            cachefiles_daemon_read
             cachefiles_ondemand_daemon_read
              REQ_A = cachefiles_ondemand_select_req
              msg->object_id = req->object->ondemand->ondemand_id
                                  ------ restore ------
                                  cachefiles_ondemand_restore
                                  xas_for_each(&xas, req, ULONG_MAX)
                                   xas_set_mark(&xas, CACHEFILES_REQ_NEW)

                                  cachefiles_daemon_read
                                   cachefiles_ondemand_daemon_read
                                    REQ_A = cachefiles_ondemand_select_req
              copy_to_user(_buffer, msg, n)
               xa_erase(&cache->reqs, id)
               complete(&REQ_A->done)
              ------ close(fd) ------
              cachefiles_ondemand_fd_release
               cachefiles_put_object
 cachefiles_put_object
  kmem_cache_free(cachefiles_object_jar, object)
                                    REQ_A->object->ondemand->ondemand_id
                                     // object UAF !!!

When we see the request within xa_lock, req->object must not have been
freed yet, so grab the reference count of object before xa_unlock to
avoid the above issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Linux	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 13%

Vendor	Product	Version
linux	linux_kernel	6.8 ≤ 𝑥 < 6.9.6
linux	linux_kernel	6.10:rc1
linux	linux_kernel	6.10:rc2
linux	linux_kernel	6.10:rc3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 not-affected
bullseye (security)	5.10.237-1 fixed
bookworm	6.1.137-1 fixed
bookworm (security)	6.1.140-1 fixed
trixie	6.12.27-1 fixed
sid	6.12.30-1 fixed

linux-6.1

bullseye (security)

6.1.137-1~deb11u1

fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

oracular	not-affected
noble	Fixed 6.8.0-44.44 released
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	not-affected

linux-allwinner-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-aws

oracular	not-affected
noble	Fixed 6.8.0-1015.16 released
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	not-affected

linux-aws-5.0

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-aws-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-aws-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-aws-5.15

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-aws-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-aws-5.3

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-aws-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-aws-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-aws-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-aws-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-aws-6.8

oracular	dne
noble	dne
jammy	Fixed 6.8.0-1015.16~22.04.1 released
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-aws-fips

oracular	dne
noble	dne
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	dne
trusty	dne

linux-aws-hwe

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	dne
xenial	not-affected
trusty	dne

linux-azure

oracular	not-affected
noble	Fixed 6.8.0-1014.16 released
jammy	not-affected
focal	not-affected
bionic	ignored
xenial	not-affected
trusty	not-affected

linux-azure-4.15

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-azure-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-azure-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-azure-5.15

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-azure-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-azure-5.3

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-azure-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-azure-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-azure-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-azure-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-azure-6.8

oracular	dne
noble	dne
jammy	Fixed 6.8.0-1014.16~22.04.1 released
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-azure-edge

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-azure-fde

oracular	dne
noble	dne
jammy	not-affected
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-azure-fde-5.15

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-azure-fde-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-azure-fde-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-azure-fips

oracular	dne
noble	dne
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	dne
trusty	dne

linux-bluefield

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-fips

oracular	dne
noble	dne
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	dne

linux-gcp

oracular	not-affected
noble	Fixed 6.8.0-1014.16 released
jammy	not-affected
focal	not-affected
bionic	ignored
xenial	not-affected
trusty	dne

linux-gcp-4.15

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-gcp-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-gcp-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-gcp-5.15

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-gcp-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-gcp-5.3

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-gcp-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-gcp-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-gcp-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-gcp-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-gcp-6.8

oracular	dne
noble	dne
jammy	Fixed 6.8.0-1014.16~22.04.1 released
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-gcp-fips

oracular	dne
noble	dne
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	dne
trusty	dne

linux-gke

oracular	dne
noble	Fixed 6.8.0-1010.13 released
jammy	not-affected
focal	ignored
bionic	dne
xenial	ignored
trusty	dne

linux-gke-4.15

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-gke-5.15

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-gke-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-gkeop

oracular	dne
noble	not-affected
jammy	not-affected
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-gkeop-5.15

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-gkeop-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-hwe

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	not-affected
trusty	dne

linux-hwe-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-hwe-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-hwe-5.15

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-hwe-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-hwe-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-hwe-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-hwe-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-hwe-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-hwe-6.8

oracular	dne
noble	dne
jammy	Fixed 6.8.0-45.45~22.04.1 released
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-hwe-edge

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	ignored
trusty	dne

linux-ibm

oracular	dne
noble	Fixed 6.8.0-1012.12 released
jammy	not-affected
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-ibm-5.15

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-ibm-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-intel

oracular	dne
noble	not-affected
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-intel-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-intel-iot-realtime

oracular	dne
noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-intel-iotg

oracular	dne
noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-intel-iotg-5.15

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-iot

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-kvm

oracular	dne
noble	dne
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	dne

linux-laptop

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-lowlatency

oracular	not-affected
noble	Fixed 6.8.0-44.44.1 released
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-lowlatency-hwe-5.15

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-lowlatency-hwe-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-lowlatency-hwe-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-lowlatency-hwe-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-lowlatency-hwe-6.8

oracular	dne
noble	dne
jammy	Fixed 6.8.0-44.44.1~22.04.1 released
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-lts-xenial

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	not-affected

linux-nvidia

oracular	dne
noble	Fixed 6.8.0-1013.14 released
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-nvidia-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-nvidia-6.5

oracular	dne
noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-nvidia-6.8

oracular	dne
noble	dne
jammy	Fixed 6.8.0-1013.14~22.04.1 released
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-nvidia-lowlatency

oracular	dne
noble	Fixed 6.8.0-1013.14.1 released
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oem

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	ignored
trusty	dne

linux-oem-5.10

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-oem-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-oem-5.14

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-oem-5.17

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oem-5.6

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-oem-6.0

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oem-6.1

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oem-6.11

oracular	dne
noble	not-affected
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oem-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oem-6.8

oracular	dne
noble	Fixed 6.8.0-1012.12 released
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oracle

oracular	not-affected
noble	Fixed 6.8.0-1012.12 released
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	dne

linux-oracle-5.0

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-oracle-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-oracle-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-oracle-5.15

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-oracle-5.3

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-oracle-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-oracle-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-oracle-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oracle-6.8

oracular	dne
noble	dne
jammy	Fixed 6.8.0-1012.12~22.04.1 released
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-raspi

oracular	not-affected
noble	Fixed 6.8.0-1011.12 released
jammy	not-affected
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-raspi-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-raspi-realtime

oracular	dne
noble	Fixed 6.8.0-2010.10 released
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-raspi2

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	ignored
xenial	ignored
trusty	dne

linux-realtime

oracular	not-affected
noble	Fixed 6.8.1-1008.8 released
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-riscv

oracular	not-affected
noble	Fixed 6.8.0-44.44.1 released
jammy	ignored
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-riscv-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-riscv-5.15

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-riscv-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-riscv-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-riscv-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-riscv-6.8

oracular	dne
noble	dne
jammy	Fixed 6.8.0-44.44.1~22.04.1 released
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-starfive

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-starfive-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-starfive-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-starfive-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-xilinx-zynqmp

oracular	dne
noble	dne
jammy	not-affected
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

Common Weakness Enumeration

CWE-416 - Use After Free
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

References

https://git.kernel.org/stable/c/3958679c49152391209b32be3357193300a51abd

https://git.kernel.org/stable/c/93064676a2820420a2d37d7c8289f277fe20793d

https://git.kernel.org/stable/c/cb55625f8eb9d2de8be4da0c4580d48cbb32058e

https://git.kernel.org/stable/c/da4a827416066191aafeeccee50a8836a826ba10

https://git.kernel.org/stable/c/3958679c49152391209b32be3357193300a51abd

https://git.kernel.org/stable/c/93064676a2820420a2d37d7c8289f277fe20793d

https://git.kernel.org/stable/c/cb55625f8eb9d2de8be4da0c4580d48cbb32058e

https://git.kernel.org/stable/c/da4a827416066191aafeeccee50a8836a826ba10