CVE-2024-41050

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 29/07/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: cyclic allocation of msg_id to avoid reuse

Reusing the msg_id after a maliciously completed reopen request may cause
a read request to remain unprocessed and result in a hang, as shown below:

t1                          | t2                          | t3
--------------------------------------------------------------------------------
cachefiles_ondemand_select_req
 cachefiles_ondemand_object_is_close(A)
 cachefiles_ondemand_set_object_reopening(A)
 queue_work(fscache_object_wq, &info->work)
                              ondemand_object_worker
                               cachefiles_ondemand_init_object(A)
                                cachefiles_ondemand_send_req(OPEN)
                                 // get msg_id 6
                                 wait_for_completion(&req_A->done)
cachefiles_ondemand_daemon_read
 // read msg_id 6 req_A
 cachefiles_ondemand_get_fd
 copy_to_user
                                                            // Malicious completion msg_id 6
                                                            copen 6,-1
                                                            cachefiles_ondemand_copen
                                                             complete(&req_A->done)
                                                             // will not set the object to close
                                                             // because ondemand_id && fd is valid.

                              // ondemand_object_worker() is done
                              // but the object is still reopening.

                                                            // new open req_B
                                                            cachefiles_ondemand_init_object(B)
                                                             cachefiles_ondemand_send_req(OPEN)
                                                             // reuse msg_id 6
process_open_req
 copen 6,A.size
 // The expected failed copen was executed successfully

Expect copen to fail, and when it does, it closes fd, which sets the
object to close, and then close triggers reopen again. However, due to
msg_id reuse resulting in a successful copen, the anonymous fd is not
closed until the daemon exits. Therefore read requests waiting for reopen
to complete may trigger hung task.

To avoid this issue, allocate the msg_id cyclically to avoid reusing the
msg_id for a very short duration of time.
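The following user-space model, added here as an illustration and not taken from this record or from the kernel's cachefiles code, shows why the fix helps. It replays the sequence from the trace with two id policies: a lowest-free allocator, which hands request B the id that request A just released, and a cyclic allocator that keeps a cursor moving forward (the upstream fix switches cachefiles to the xarray's cyclic allocation). A late completion that names A's id then lands on B only under the first policy. The table size NIDS, the struct names and the replay() helper are constructed for this example; the model also shows that cyclic allocation shrinks the reuse window to one full wrap of the id space rather than eliminating it, which matches the commit's wording "for a very short duration of time".

```c
#include <stdbool.h>
#include <string.h>

#define NIDS 8 /* constructed: tiny id space so wraparound is visible */

/* One in-flight request slot: ownership flag plus a completion counter. */
struct req {
    bool in_use;
    int completed;
};

struct id_table {
    struct req slots[NIDS];
    unsigned int next; /* cursor used only by the cyclic policy */
};

/* Lowest-free policy: returns the smallest free id, so an id released a
 * moment ago is handed straight back out to the next caller. */
static int alloc_lowest_free(struct id_table *t)
{
    for (unsigned int i = 0; i < NIDS; i++) {
        if (!t->slots[i].in_use) {
            t->slots[i].in_use = true;
            t->slots[i].completed = 0;
            return (int)i;
        }
    }
    return -1;
}

/* Cyclic policy: scan onward from the last allocation, so a released id
 * is not reissued until the cursor has wrapped around the whole table. */
static int alloc_cyclic(struct id_table *t)
{
    for (unsigned int n = 0; n < NIDS; n++) {
        unsigned int i = (t->next + n) % NIDS;
        if (!t->slots[i].in_use) {
            t->slots[i].in_use = true;
            t->slots[i].completed = 0;
            t->next = (i + 1) % NIDS;
            return (int)i;
        }
    }
    return -1;
}

static void release(struct id_table *t, int id)
{
    t->slots[id].in_use = false;
}

/* Completion keyed by id (the "copen <id>,..." step): whoever owns the id
 * right now receives it, even if it was meant for a previous owner. */
static bool complete_id(struct id_table *t, int id)
{
    if (id < 0 || id >= NIDS || !t->slots[id].in_use)
        return false; /* stale id with no current owner: dropped */
    t->slots[id].completed++;
    return true;
}

/* Replays the trace: A gets an id, is completed early (copen A,-1) and
 * released; B is allocated; then the copen for A's original id arrives.
 * Returns how many completions landed on B (0 is the safe outcome). */
static int replay(int (*alloc)(struct id_table *), int *id_a, int *id_b)
{
    struct id_table t;
    memset(&t, 0, sizeof t);
    *id_a = alloc(&t);
    complete_id(&t, *id_a); /* malicious early completion of A */
    release(&t, *id_a);
    *id_b = alloc(&t);      /* new open request B */
    complete_id(&t, *id_a); /* the copen the daemon meant for A's message */
    return (*id_b >= 0) ? t.slots[*id_b].completed : -1;
}

int stale_hits_lowest_free(void)
{
    int a, b;
    return replay(alloc_lowest_free, &a, &b);
}

int stale_hits_cyclic(void)
{
    int a, b;
    return replay(alloc_cyclic, &a, &b);
}

/* Alloc/release cycles until the cyclic policy reissues the first id:
 * the reuse window equals the id-space size, it is not zero. */
int cyclic_reuse_distance(void)
{
    struct id_table t;
    memset(&t, 0, sizeof t);
    int first = alloc_cyclic(&t);
    release(&t, first);
    for (int n = 1; n <= NIDS; n++) {
        int id = alloc_cyclic(&t);
        release(&t, id);
        if (id == first)
            return n;
    }
    return -1;
}
```

With the lowest-free policy B inherits id 0 and the stale completion counts against it, which is the successful copen the trace calls unexpected; with the cyclic policy B gets id 1, the completion for id 0 finds no owner and is dropped. The third function shows the remaining caveat: after NIDS further allocations the cyclic cursor wraps and id 0 is reissued, so the fix relies on the real id space (a 32-bit xarray index) being far larger than the number of requests that can be outstanding in that short window.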

Vulnerable products and versions

CPE                                                 From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.19 (including)   6.1.100 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.2 (including)    6.6.41 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.7 (including)    6.9.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc7:*:*:*:*:*:*