CVE-2024-41051
Severity (CVSS v4.0): Pending analysis
Type: CWE-416 Use After Free
Publication date: 29/07/2024
Last modified: 03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

cachefiles: wait for ondemand_object_worker to finish when dropping object

When queuing ondemand_object_worker() to re-open the object,
cachefiles_object is not pinned. The cachefiles_object may be freed when
the pending read request is completed intentionally and the related
erofs is umounted. If ondemand_object_worker() runs after the object is
freed, it will incur a use-after-free problem as shown below.

    process A      process B      process C      process D

    cachefiles_ondemand_send_req()
    // send a read req X
    // wait for its completion

                   // close ondemand fd
                   cachefiles_ondemand_fd_release()
                   // set object as CLOSE

                                  cachefiles_ondemand_daemon_read()
                                  // set object as REOPENING
                                  queue_work(fscache_wq, &info->ondemand_work)

                                                 // close /dev/cachefiles
                                                 cachefiles_daemon_release
                                                 cachefiles_flush_reqs
                                                 complete(&req->done)

    // read req X is completed
    // umount the erofs fs
    cachefiles_put_object()
    // object will be freed
    cachefiles_ondemand_deinit_obj_info()
    kmem_cache_free(object)
    // both info and object are freed
                                  ondemand_object_worker()

When dropping an object, it is no longer necessary to reopen the object,
so use cancel_work_sync() to cancel or wait for ondemand_object_worker()
to finish.
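The interleaving in the description, replayed in a small userspace C model. This is an added illustration and is not code from the kernel or from the fix: the one-slot workqueue, the simplified object states, the poison-on-free behaviour (a stand-in for slab poisoning, so the bad access is observable instead of undefined) and the helper `simulate_drop_object()` are all assumptions made here. The worker is queued while holding no reference on the object; without `cancel_work_sync()` before the object is released, the worker later dereferences freed memory, and with it the pending work is dropped first.

```c
/* Added userspace model of the CVE-2024-41051 race (not kernel code):
 * ondemand_object_worker() is queued against a cachefiles_object that holds
 * no reference, the object is freed, then the worker runs on freed memory.
 * The workqueue is a single pending slot and "kmem_cache_free" poisons a
 * magic field instead of releasing memory, so the bad access is observable. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define LIVE_MAGIC   0x0bdec7UL     /* object allocated and valid        */
#define POISON_MAGIC 0x6b6b6b6bUL   /* written on free, like SLAB_POISON */

enum { STATE_OPEN, STATE_CLOSE, STATE_REOPENING };   /* simplified states */

struct work_struct {
    void (*func)(struct work_struct *work);
};

struct cachefiles_object {
    unsigned long magic;
};

struct cachefiles_ondemand_info {
    int state;
    struct work_struct ondemand_work;
    struct cachefiles_object *object;   /* raw pointer, no reference held */
};

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static struct work_struct *pending_work;   /* one-slot model workqueue */
static int uaf_hits;                       /* worker touched a freed object */

static void queue_work(struct work_struct *work)
{
    pending_work = work;
}

/* Model of cancel_work_sync(): drop the pending instance. The kernel version
 * also waits for an already-running instance; this model is single-threaded. */
static void cancel_work_sync(struct work_struct *work)
{
    if (pending_work == work)
        pending_work = NULL;
}

/* The workqueue thread gets scheduled and runs whatever is pending. */
static void run_pending_work(void)
{
    struct work_struct *work = pending_work;

    pending_work = NULL;
    if (work)
        work->func(work);
}

static void ondemand_object_worker(struct work_struct *work)
{
    struct cachefiles_ondemand_info *info =
        container_of(work, struct cachefiles_ondemand_info, ondemand_work);
    struct cachefiles_object *object = info->object;

    /* The real worker re-opens the object; once the object has been freed
     * this dereference is the use-after-free. */
    if (object->magic != LIVE_MAGIC) {
        uaf_hits++;
        return;
    }
    info->state = STATE_OPEN;
}

/* Replay the interleaving from the commit message; returns the number of
 * use-after-free accesses observed: 1 without the fix, 0 with it. */
static int simulate_drop_object(bool with_fix)
{
    struct cachefiles_object *object = calloc(1, sizeof(*object));
    struct cachefiles_ondemand_info *info = calloc(1, sizeof(*info));
    int hits;

    object->magic = LIVE_MAGIC;
    info->object = object;
    info->ondemand_work.func = ondemand_object_worker;
    uaf_hits = 0;

    info->state = STATE_CLOSE;        /* process B: ondemand fd closed */
    info->state = STATE_REOPENING;    /* process C: daemon_read re-opens ... */
    queue_work(&info->ondemand_work); /* ... by queuing the worker, unpinned */
    /* process D closes /dev/cachefiles and completes the pending read;
     * process A then umounts erofs and drops the last reference: */
    if (with_fix)
        cancel_work_sync(&info->ondemand_work);   /* the CVE-2024-41051 fix */
    object->magic = POISON_MAGIC;                 /* kmem_cache_free(object) */

    run_pending_work();   /* the workqueue thread finally runs */

    hits = uaf_hits;
    free(info);
    free(object);
    return hits;
}

int main(void)
{
    int unfixed = simulate_drop_object(false);
    int fixed = simulate_drop_object(true);

    printf("use-after-free accesses: without fix %d, with fix %d\n",
           unfixed, fixed);
    return 0;
}
```

The model keeps the freed memory around and poisons it so the worker's read is deterministic; on a real kernel the same access is only reliably caught with KASAN or slab poisoning enabled, which is why the race went unnoticed until the pending request completion and the erofs umount lined up as the commit message describes.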
Impact
Base Score (CVSS 3.x): 7.8
Severity (CVSS 3.x): HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1.95 (including) | 6.1.100 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.6.35 (including) | 6.6.41 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.8 (including) | 6.9.10 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.10:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.10:rc6:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.10:rc7:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/12e009d60852f7bce0afc373ca0b320f14150418
- https://git.kernel.org/stable/c/b26525b2183632f16a3a4108fe6a4bfa8afac6ed
- https://git.kernel.org/stable/c/d3179bae72b1b5e555ba839d6d9f40a350a4d78a
- https://git.kernel.org/stable/c/ec9289369259d982e735a71437e32e6b4035290c
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html