In the Linux kernel, the following vulnerability has been...

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: wait for ondemand_object_worker to finish when dropping object

When queuing ondemand_object_worker() to re-open the object,
cachefiles_object is not pinned. The cachefiles_object may be freed when
the pending read request is completed intentionally and the related
erofs is umounted. If ondemand_object_worker() runs after the object is
freed, it will incur use-after-free problem as shown below.

process A processs B process C process D

cachefiles_ondemand_send_req()
// send a read req X
// wait for its completion

       // close ondemand fd
       cachefiles_ondemand_fd_release()
       // set object as CLOSE

                   cachefiles_ondemand_daemon_read()
                   // set object as REOPENING
                   queue_work(fscache_wq, &info->ondemand_work)

                            // close /dev/cachefiles
                            cachefiles_daemon_release
                            cachefiles_flush_reqs
                            complete(&req->done)

// read req X is completed
// umount the erofs fs
cachefiles_put_object()
// object will be freed
cachefiles_ondemand_deinit_obj_info()
kmem_cache_free(object)
// both info and object are freed
ondemand_object_worker()

When dropping an object, it is no longer necessary to reopen the object,
so use cancel_work_sync() to cancel or wait for ondemand_object_worker()
to finish.

References

Published by the National Vulnerability Database Jul 29, 2024

Published to the GitHub Advisory Database Jul 29, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

References

Severity

EPSS score

Weaknesses

CVE ID

GHSA ID

Source code