1227760 – (CVE-2024-40900) VUL-0: CVE-2024-40900: kernel: cachefiles: remove requests from xarray during flushing requests

Bug 1227760 (CVE-2024-40900) - VUL-0: CVE-2024-40900: kernel: cachefiles: remove requests from xarray during flushing requests

Summary: VUL-0: CVE-2024-40900: kernel: cachefiles: remove requests from xarray during...

Status:	RESOLVED FIXED

Alias:	CVE-2024-40900

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/413827/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2024-07-15 08:25 UTC by SMASH SMASH
Modified:	2024-07-16 11:52 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2024-07-15 08:25:01 UTC

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: remove requests from xarray during flushing requests

Even with CACHEFILES_DEAD set, we can still read the requests, so in the
following concurrency the request may be used after it has been freed:

     mount  |   daemon_thread1    |    daemon_thread2
------------------------------------------------------------
 cachefiles_ondemand_init_object
  cachefiles_ondemand_send_req
   REQ_A = kzalloc(sizeof(*req) + data_len)
   wait_for_completion(&REQ_A->done)
            cachefiles_daemon_read
             cachefiles_ondemand_daemon_read
                                  // close dev fd
                                  cachefiles_flush_reqs
                                   complete(&REQ_A->done)
   kfree(REQ_A)
              xa_lock(&cache->reqs);
              cachefiles_ondemand_select_req
                req->msg.opcode != CACHEFILES_OP_READ
                // req use-after-free !!!
              xa_unlock(&cache->reqs);
                                   xa_destroy(&cache->reqs)

Hence remove requests from cache->reqs when flushing them to avoid
accessing freed requests.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-40900
https://www.cve.org/CVERecord?id=CVE-2024-40900
https://git.kernel.org/stable/c/0fc75c5940fa634d84e64c93bfc388e1274ed013
https://git.kernel.org/stable/c/37e19cf86a520d65de1de9cb330415c332a40d19
https://git.kernel.org/stable/c/50d0e55356ba5b84ffb51c42704126124257e598
https://git.kernel.org/stable/c/9f13aacdd4ee9a7644b2a3c96d67113cd083c9c7
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-40900.mbox

Comment 2 Andrea Mattiazzo 2024-07-16 11:52:05 UTC

All done, closing.