CVE-2024-56549

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 27/12/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: Fix NULL pointer dereference in object->file

At present, the object->file has the NULL pointer dereference problem in ondemand-mode. The root cause is that the allocated fd and object->file lifetime are inconsistent, and the user-space invocation to anon_fd uses object->file. Following is the process that triggers the issue:

     [write fd]                          [umount]
cachefiles_ondemand_fd_write_iter
                                         fscache_cookie_state_machine
                                           cachefiles_withdraw_cookie
  if (!file) return -ENOBUFS
                                             cachefiles_clean_up_object
                                               cachefiles_unmark_inode_in_use
                                               fput(object->file)
                                               object->file = NULL
  // file NULL pointer dereference!
  __cachefiles_write(..., file, ...)

Fix this issue by adding an additional reference count to the object->file before write/llseek, and decrementing it after it has finished.
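The fix pattern described above, as an added user-space C model (not the kernel patch and not code from this advisory): the writer takes its own reference before touching the file and drops it afterwards, so a withdrawal that lands in the race window cannot free the file mid-write. The `model_*` names, the mutex guarding the pointer and the `window` hook that scripts the interleaving are assumptions made for the illustration.

```c
/* User-space model of the reference-pinning fix; not kernel code. */
#include <errno.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>

struct model_file { atomic_int refs; int bytes; };
struct model_object { pthread_mutex_t lock; struct model_file *file; };
static int files_freed;                 /* bookkeeping for the checks */

static void model_fput(struct model_file *f) {
    if (atomic_fetch_sub(&f->refs, 1) == 1) { free(f); files_freed++; }
}

/* [umount] side: clear object->file and drop the object's reference. */
static void model_withdraw(struct model_object *obj) {
    pthread_mutex_lock(&obj->lock);
    struct model_file *f = obj->file;
    obj->file = NULL;
    pthread_mutex_unlock(&obj->lock);
    if (f) model_fput(f);
}

/* [write fd] side: pin before use, unpin after; `window` runs in the race window. */
static int model_write(struct model_object *obj, int len, void (*window)(struct model_object *)) {
    pthread_mutex_lock(&obj->lock);
    struct model_file *f = obj->file;
    if (!f) { pthread_mutex_unlock(&obj->lock); return -ENOBUFS; }
    atomic_fetch_add(&f->refs, 1);      /* extra reference for this write */
    pthread_mutex_unlock(&obj->lock);
    if (window) window(obj);            /* object->file may be NULL from here on */
    int total = (f->bytes += len);      /* stands in for __cachefiles_write() */
    model_fput(f);                      /* the last reference frees the file */
    return total;
}

static int model_open(struct model_object *obj) {
    pthread_mutex_init(&obj->lock, NULL);
    obj->file = calloc(1, sizeof(*obj->file));
    if (!obj->file) return -ENOMEM;
    atomic_init(&obj->file->refs, 1);   /* reference held by the object */
    return 0;
}

int main(void) {
    struct model_object obj;
    if (model_open(&obj)) return 1;
    return model_write(&obj, 4, model_withdraw) == 4 ? 0 : 1;
}
```

The write uses only its pinned local pointer after the check, never `obj->file` again, which is what keeps the withdrawal from turning the earlier NULL check stale.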

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.19 (including) 6.11.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.12 (including) 6.12.2 (excluding)