fkie_cve-2024-40899
Vulnerability from fkie_nvd
Published
2024-07-12 13:15
Modified
2024-11-21 09:31
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd() We got the following issue in a fuzz test of randomly issuing the restore command: ================================================================== BUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0x609/0xab0 Write of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962 CPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542 Call Trace: kasan_report+0x94/0xc0 cachefiles_ondemand_daemon_read+0x609/0xab0 vfs_read+0x169/0xb50 ksys_read+0xf5/0x1e0 Allocated by task 626: __kmalloc+0x1df/0x4b0 cachefiles_ondemand_send_req+0x24d/0x690 cachefiles_create_tmpfile+0x249/0xb30 cachefiles_create_file+0x6f/0x140 cachefiles_look_up_object+0x29c/0xa60 cachefiles_lookup_cookie+0x37d/0xca0 fscache_cookie_state_machine+0x43c/0x1230 [...] Freed by task 626: kfree+0xf1/0x2c0 cachefiles_ondemand_send_req+0x568/0x690 cachefiles_create_tmpfile+0x249/0xb30 cachefiles_create_file+0x6f/0x140 cachefiles_look_up_object+0x29c/0xa60 cachefiles_lookup_cookie+0x37d/0xca0 fscache_cookie_state_machine+0x43c/0x1230 [...] ================================================================== Following is the process that triggers the issue: mount | daemon_thread1 | daemon_thread2 ------------------------------------------------------------ cachefiles_ondemand_init_object cachefiles_ondemand_send_req REQ_A = kzalloc(sizeof(*req) + data_len) wait_for_completion(&REQ_A->done) cachefiles_daemon_read cachefiles_ondemand_daemon_read REQ_A = cachefiles_ondemand_select_req cachefiles_ondemand_get_fd copy_to_user(_buffer, msg, n) process_open_req(REQ_A) ------ restore ------ cachefiles_ondemand_restore xas_for_each(&xas, req, ULONG_MAX) xas_set_mark(&xas, CACHEFILES_REQ_NEW); cachefiles_daemon_read cachefiles_ondemand_daemon_read REQ_A = cachefiles_ondemand_select_req write(devfd, ("copen %u,%llu", msg->msg_id, size)); cachefiles_ondemand_copen xa_erase(&cache->reqs, id) complete(&REQ_A->done) kfree(REQ_A) cachefiles_ondemand_get_fd(REQ_A) fd = get_unused_fd_flags file = anon_inode_getfile fd_install(fd, file) load = (void *)REQ_A->msg.data; load->fd = fd; // load UAF !!! This issue is caused by issuing a restore command when the daemon is still alive, which results in a request being processed multiple times thus triggering a UAF. So to avoid this problem, add an additional reference count to cachefiles_req, which is held while waiting and reading, and then released when the waiting and reading is over. Note that since there is only one reference count for waiting, we need to avoid the same request being completed multiple times, so we can only complete the request if it is successfully removed from the xarray.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1d902d9a3aa4f2a8bda698294e34be788be012fcPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/99e9c5bd27ddefa0f9db88625bf5e31c1e833d62Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a6de82765e12fb1201ab607f0d3ffe3309b30fc0Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/de3e26f9e5b76fc628077578c001c4a51bf54d06Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/1d902d9a3aa4f2a8bda698294e34be788be012fcPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/99e9c5bd27ddefa0f9db88625bf5e31c1e833d62Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/a6de82765e12fb1201ab607f0d3ffe3309b30fc0Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/de3e26f9e5b76fc628077578c001c4a51bf54d06Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel 6.10
linux linux_kernel 6.10
linux linux_kernel 6.10


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5A16B675-D12F-49F9-AB96-23E6074FF336",
              "versionEndExcluding": "6.9.6",
              "versionStartIncluding": "6.8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "2EBB4392-5FA6-4DA9-9772-8F9C750109FA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "331C2F14-12C7-45D5-893D-8C52EE38EA10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "3173713D-909A-4DD3-9DD4-1E171EB057EE",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd()\n\nWe got the following issue in a fuzz test of randomly issuing the restore\ncommand:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0x609/0xab0\nWrite of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962\n\nCPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542\nCall Trace:\n kasan_report+0x94/0xc0\n cachefiles_ondemand_daemon_read+0x609/0xab0\n vfs_read+0x169/0xb50\n ksys_read+0xf5/0x1e0\n\nAllocated by task 626:\n __kmalloc+0x1df/0x4b0\n cachefiles_ondemand_send_req+0x24d/0x690\n cachefiles_create_tmpfile+0x249/0xb30\n cachefiles_create_file+0x6f/0x140\n cachefiles_look_up_object+0x29c/0xa60\n cachefiles_lookup_cookie+0x37d/0xca0\n fscache_cookie_state_machine+0x43c/0x1230\n [...]\n\nFreed by task 626:\n kfree+0xf1/0x2c0\n cachefiles_ondemand_send_req+0x568/0x690\n cachefiles_create_tmpfile+0x249/0xb30\n cachefiles_create_file+0x6f/0x140\n cachefiles_look_up_object+0x29c/0xa60\n cachefiles_lookup_cookie+0x37d/0xca0\n fscache_cookie_state_machine+0x43c/0x1230\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n     mount  |   daemon_thread1    |    daemon_thread2\n------------------------------------------------------------\n cachefiles_ondemand_init_object\n  cachefiles_ondemand_send_req\n   REQ_A = kzalloc(sizeof(*req) + data_len)\n   wait_for_completion(\u0026REQ_A-\u003edone)\n\n            cachefiles_daemon_read\n             cachefiles_ondemand_daemon_read\n              REQ_A = cachefiles_ondemand_select_req\n              cachefiles_ondemand_get_fd\n              copy_to_user(_buffer, msg, n)\n            process_open_req(REQ_A)\n                                  ------ restore ------\n                                  cachefiles_ondemand_restore\n                                  xas_for_each(\u0026xas, req, ULONG_MAX)\n                                   xas_set_mark(\u0026xas, CACHEFILES_REQ_NEW);\n\n                                  cachefiles_daemon_read\n                                   cachefiles_ondemand_daemon_read\n                                    REQ_A = cachefiles_ondemand_select_req\n\n             write(devfd, (\"copen %u,%llu\", msg-\u003emsg_id, size));\n             cachefiles_ondemand_copen\n              xa_erase(\u0026cache-\u003ereqs, id)\n              complete(\u0026REQ_A-\u003edone)\n   kfree(REQ_A)\n                                    cachefiles_ondemand_get_fd(REQ_A)\n                                     fd = get_unused_fd_flags\n                                     file = anon_inode_getfile\n                                     fd_install(fd, file)\n                                     load = (void *)REQ_A-\u003emsg.data;\n                                     load-\u003efd = fd;\n                                     // load UAF !!!\n\nThis issue is caused by issuing a restore command when the daemon is still\nalive, which results in a request being processed multiple times thus\ntriggering a UAF. So to avoid this problem, add an additional reference\ncount to cachefiles_req, which is held while waiting and reading, and then\nreleased when the waiting and reading is over.\n\nNote that since there is only one reference count for waiting, we need to\navoid the same request being completed multiple times, so we can only\ncomplete the request if it is successfully removed from the xarray."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd() Obtuvimos el siguiente problema en una prueba de ejecuci\u00f3n aleatoria del comando de restauraci\u00f3n: ======== ==================================================== ======== ERROR: KASAN: slab-use-after-free en cachefiles_ondemand_daemon_read+0x609/0xab0 Escritura de tama\u00f1o 4 en la direcci\u00f3n ffff888109164a80 por tarea ondemand-04-dae/4962 CPU: 11 PID: 4962 Comm: ondemand -04-dae No contaminado 6.8.0-rc7-dirty #542 Seguimiento de llamadas: kasan_report+0x94/0xc0 cachefiles_ondemand_daemon_read+0x609/0xab0 vfs_read+0x169/0xb50 ksys_read+0xf5/0x1e0 Asignado por tarea 626: /0x4b0 archivos de cach\u00e9_ondemand_send_req+ 0x24d/0x690 cachefiles_create_tmpfile+0x249/0xb30 cachefiles_create_file+0x6f/0x140 cachefiles_look_up_object+0x29c/0xa60 cachefiles_lookup_cookie+0x37d/0xca0 fscache_cookie_state_machine+0x43c/0x1230 [...] Liberado por tarea 626: kfree+0xf1/0x2c0 cachefiles_ondemand_send_req+0x568/0x690 cachefiles_create_tmpfile+ 0x249/0xb30 cachefiles_create_file+0x6f/0x140 cachefiles_look_up_object+0x29c/0xa60 cachefiles_lookup_cookie+0x37d/0xca0 fscache_cookie_state_machine+0x43c/0x1230 [...] ======================= ============================================= El siguiente es el proceso que desencadena el problema: montar | daemon_thread1 | daemon_thread2 ------------------------------------------------- ----------- cachefiles_ondemand_init_object cachefiles_ondemand_send_req REQ_A = kzalloc(sizeof(*req) + data_len) wait_for_completion(\u0026amp;REQ_A-\u0026gt;done) cachefiles_daemon_read cachefiles_ondemand_daemon_read REQ_A = cachefiles_ondemand_select_req cachefiles_ondemand_get_fd usuario(_buffer, msg, n) proceso_open_req(REQ_A) ------ restaurar ------ cachefiles_ondemand_restore xas_for_each(\u0026amp;xas, req, ULONG_MAX) xas_set_mark(\u0026amp;xas, CACHEFILES_REQ_NEW); cachefiles_daemon_read cachefiles_ondemand_daemon_read REQ_A = cachefiles_ondemand_select_req write(devfd, (\"copen %u,%llu\", msg-\u0026gt;msg_id, tama\u00f1o)); cachefiles_ondemand_copen xa_erase(\u0026amp;cache-\u0026gt;reqs, id) complete(\u0026amp;REQ_A-\u0026gt;done) kfree(REQ_A) cachefiles_ondemand_get_fd(REQ_A) fd = get_unused_fd_flags file = anon_inode_getfile fd_install(fd, file) load = (void *)REQ_A-\u0026gt;msg.data; cargar-\u0026gt;fd = fd; // carga UAF !!! Este problema se debe a la emisi\u00f3n de un comando de restauraci\u00f3n cuando el daemon todav\u00eda est\u00e1 activo, lo que da como resultado que una solicitud se procese varias veces y, por lo tanto, se active una UAF. Entonces, para evitar este problema, agregue un recuento de referencia adicional a cachefiles_req, que se mantiene mientras se espera y se lee, y luego se libera cuando finaliza la espera y la lectura. Tenga en cuenta que, dado que solo hay un recuento de referencias para esperar, debemos evitar que la misma solicitud se complete varias veces, por lo que solo podemos completar la solicitud si se elimina con \u00e9xito del xarray."
    }
  ],
  "id": "CVE-2024-40899",
  "lastModified": "2024-11-21T09:31:48.870",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-07-12T13:15:13.357",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/1d902d9a3aa4f2a8bda698294e34be788be012fc"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/99e9c5bd27ddefa0f9db88625bf5e31c1e833d62"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/a6de82765e12fb1201ab607f0d3ffe3309b30fc0"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/de3e26f9e5b76fc628077578c001c4a51bf54d06"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/1d902d9a3aa4f2a8bda698294e34be788be012fc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/99e9c5bd27ddefa0f9db88625bf5e31c1e833d62"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/a6de82765e12fb1201ab607f0d3ffe3309b30fc0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/de3e26f9e5b76fc628077578c001c4a51bf54d06"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.