CVE-2024-41057

{"id": "CVE-2024-41057", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-07-29T15:15:13.773", "references": [{"url": "https://git.kernel.org/stable/c/5d8f805789072ea7fd39504694b7bd17e5f751c4", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8de253177112a47c9af157d23ae934779188b4e1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9e67589a4a7b7e5660b524d1d5fe61242bcbcc11", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ef81340401e8a371d6b17f69e76d861920972cfe", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()\n\nWe got the following issue in our fault injection stress test:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_withdraw_cookie+0x4d9/0x600\nRead of size 8 at addr ffff888118efc000 by task kworker/u78:0/109\n\nCPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566\nCall Trace:\n <TASK>\n kasan_report+0x93/0xc0\n cachefiles_withdraw_cookie+0x4d9/0x600\n fscache_cookie_state_machine+0x5c8/0x1230\n fscache_cookie_worker+0x91/0x1c0\n process_one_work+0x7fa/0x1800\n [...]\n\nAllocated by task 117:\n kmalloc_trace+0x1b3/0x3c0\n cachefiles_acquire_volume+0xf3/0x9c0\n fscache_create_volume_work+0x97/0x150\n process_one_work+0x7fa/0x1800\n [...]\n\nFreed by task 120301:\n kfree+0xf1/0x2c0\n cachefiles_withdraw_cache+0x3fa/0x920\n cachefiles_put_unbind_pincount+0x1f6/0x250\n cachefiles_daemon_release+0x13b/0x290\n __fput+0x204/0xa00\n task_work_run+0x139/0x230\n do_exit+0x87a/0x29b0\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n p1 | p2\n------------------------------------------------------------\n fscache_begin_lookup\n fscache_begin_volume_access\n fscache_cache_is_live(fscache_cache)\ncachefiles_daemon_release\n cachefiles_put_unbind_pincount\n cachefiles_daemon_unbind\n cachefiles_withdraw_cache\n fscache_withdraw_cache\n fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN);\n cachefiles_withdraw_objects(cache)\n fscache_wait_for_objects(fscache)\n atomic_read(&fscache_cache->object_count) == 0\n fscache_perform_lookup\n cachefiles_lookup_cookie\n cachefiles_alloc_object\n refcount_set(&object->ref, 1);\n object->volume = volume\n fscache_count_object(vcookie->cache);\n atomic_inc(&fscache_cache->object_count)\n cachefiles_withdraw_volumes\n cachefiles_withdraw_volume\n fscache_withdraw_volume\n __cachefiles_free_volume\n kfree(cachefiles_volume)\n fscache_cookie_state_machine\n cachefiles_withdraw_cookie\n cache = object->volume->cache;\n // cachefiles_volume UAF !!!\n\nAfter setting FSCACHE_CACHE_IS_WITHDRAWN, wait for all the cookie lookups\nto complete first, and then wait for fscache_cache->object_count == 0 to\navoid the cookie exiting after the volume has been freed and triggering\nthe above issue. Therefore call fscache_withdraw_volume() before calling\ncachefiles_withdraw_objects().\n\nThis way, after setting FSCACHE_CACHE_IS_WITHDRAWN, only the following two\ncases will occur:\n1) fscache_begin_lookup fails in fscache_begin_volume_access().\n2) fscache_withdraw_volume() will ensure that fscache_count_object() has\n been executed before calling fscache_wait_for_objects()."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie() Recibimos el siguiente problema en nuestra prueba de estr\u00e9s de inyecci\u00f3n de fallos: ============ ==================================================== ==== ERROR: KASAN: slab-use-after-free en cachefiles_withdraw_cookie+0x4d9/0x600 Lectura de tama\u00f1o 8 en la direcci\u00f3n ffff888118efc000 por tarea kworker/u78:0/109 CPU: 13 PID: 109 Comm: kworker/u78:0 No contaminado 6.8.0-dirty #566 Seguimiento de llamadas: kasan_report+0x93/0xc0 cachefiles_withdraw_cookie+0x4d9/0x600 fscache_cookie_state_machine+0x5c8/0x1230 fscache_cookie_worker+0x91/0x1c0 Process_one_work+0x7fa/0x1800 [...] Asignado por la tarea 117: kmalloc_trace+0x1b3/0x3c0 cachefiles_acquire_volume+0xf3/0x9c0 fscache_create_volume_work+0x97/0x150 Process_one_work+0x7fa/0x1800 [...] Liberado por la tarea 120301: kfree+0xf1/0x2c0 cachefiles_withdraw_cache+0x3fa/0x92 0 cachefiles_put_unbind_pincount+0x1f6/0x250 cachefiles_daemon_release+0x13b/0x290 __fput+0x204/0xa00 task_work_run+0x139/0x230 do_exit+0x87a/0x29b0 [...] ================================ ==================================== El siguiente es el proceso que desencadena el problema: p1 | p2 ------------------------------------------------- ----------- fscache_begin_lookup fscache_begin_volume_access fscache_cache_is_live(fscache_cache) cachefiles_daemon_release cachefiles_put_unbind_pincount cachefiles_daemon_unbind cachefiles_withdraw_cache fscache_withdraw_cache fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN); cachefiles_withdraw_objects(cache) fscache_wait_for_objects(fscache) atomic_read(&amp;fscache_cache-&gt;object_count) == 0 fscache_perform_lookup cachefiles_lookup_cookie cachefiles_alloc_object refcount_set(&amp;object-&gt;ref, 1); objeto-&gt;volumen = volumen fscache_count_object(vcookie-&gt;cache); atomic_inc(&amp;fscache_cache-&gt;object_count) cachefiles_withdraw_volumes cachefiles_withdraw_volume fscache_withdraw_volume __cachefiles_free_volume kfree(cachefiles_volume) fscache_cookie_state_machine cachefiles_withdraw_cookie cache = objeto-&gt;volumen-&gt;cache; // archivos_cach\u00e9_volumen UAF !!! Despu\u00e9s de configurar FSCACHE_CACHE_IS_WITHDRAWN, primero espere a que se completen todas las b\u00fasquedas de cookies y luego espere a que fscache_cache-&gt;object_count == 0 para evitar que la cookie salga despu\u00e9s de que se haya liberado el volumen y desencadene el problema anterior. Por lo tanto, llame a fscache_withdraw_volume() antes de llamar a cachefiles_withdraw_objects(). De esta manera, despu\u00e9s de configurar FSCACHE_CACHE_IS_WITHDRAWN, solo ocurrir\u00e1n los dos casos siguientes: 1) fscache_begin_lookup falla en fscache_begin_volume_access(). 2) fscache_withdraw_volume() garantizar\u00e1 que fscache_count_object() se haya ejecutado antes de llamar a fscache_wait_for_objects()."}], "lastModified": "2024-08-22T13:38:03.577", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DB356B3F-4040-49B4-8BB9-E2643A2E9B13", "versionEndExcluding": "6.1.101", "versionStartIncluding": "5.17"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "972274A2-D688-4C37-BE42-689B58B4C225", "versionEndExcluding": "6.6.42", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "01E300B3-8B39-4A2D-8B03-4631433D3915", "versionEndExcluding": "6.9.11", "versionStartIncluding": "6.7"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}