CVE-2024-38626

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
21/06/2024
Last modified:
03/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

fuse: clear FR_SENT when re-adding requests into pending list

The following warning was reported by lee bruce:

------------[ cut here ]------------
WARNING: CPU: 0 PID: 8264 at fs/fuse/dev.c:300
fuse_request_end+0x685/0x7e0 fs/fuse/dev.c:300
Modules linked in:
CPU: 0 PID: 8264 Comm: ab2 Not tainted 6.9.0-rc7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
RIP: 0010:fuse_request_end+0x685/0x7e0 fs/fuse/dev.c:300
......
Call Trace:

fuse_dev_do_read.constprop.0+0xd36/0x1dd0 fs/fuse/dev.c:1334
fuse_dev_read+0x166/0x200 fs/fuse/dev.c:1367
call_read_iter include/linux/fs.h:2104 [inline]
new_sync_read fs/read_write.c:395 [inline]
vfs_read+0x85b/0xba0 fs/read_write.c:476
ksys_read+0x12f/0x260 fs/read_write.c:619
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xce/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
......

The warning is due to the FUSE_NOTIFY_RESEND notify sent by the write()
syscall in the reproducer program and it happens as follows:

(1) calls fuse_dev_read() to read the INIT request
    The read succeeds. During the read, bit FR_SENT will be set on the
    request.
(2) calls fuse_dev_write() to send a FUSE_NOTIFY_RESEND notify
    The resend notify will resend all processing requests, so the INIT
    request is moved from processing list to pending list again.
(3) calls fuse_dev_read() with an invalid output address
    fuse_dev_read() will try to copy the same INIT request to the output
    address, but it will fail due to the invalid address, so the INIT
    request is ended and triggers the warning in fuse_request_end().

Fix it by clearing FR_SENT when re-adding requests into pending list.

Vulnerable products and versions

CPE                                               From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.9 (including)    6.9.4 (excluding)