Zizhi Wo

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a NULL pointer dereference problem in the `object->file` within the Linux kernel's cachefiles module, specifically in ondemand-mode. The root cause is the inconsistency between the allocated file descriptor and the lifetime of `object->file`, which is used by the user-space invocation to `anon fd`. The process that triggers the issue involves a series of function calls, including `cachefiles ondemand fd write iter`, `fscache cookie state machine`, `cachefiles withdraw cookie`, and ` cachefiles write`, leading to a NULL pointer dereference when `object->file` is accessed after being set to NULL. **Recommendations** To resolve this issue, add an additional reference count to the `object->file` before write or llseek operations, and decrement the reference count after these operations are completed. This ensures that `object->file` remains valid and accessible throughout the process, preventing the NULL pointer dereference. Note: Since the affected versions are not explicitly specified, it is crucial to apply this fix to all versions of the Linux kernel that are potentially vulnerable to this issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.43 **Description** The issue arises when the `copen` function is maliciously called in user mode, potentially deleting a request corresponding to a random id before it has been read. If the object is set to reopen, the open request will be done with the still reopen state, causing the request to be skipped in the `select req` function. As a result, the read request is never completed and blocks other processes. This can occur when the `ondemand id` is less than 0. **Recommendations** To resolve the issue, update to Linux kernel version 6.6.43 or later. As a temporary workaround, consider disabling the `copen` function until a patch is available. Restrict access to the `cachefiles` module to minimize the risk of exploitation. Avoid using the `ondemand id` parameter in the affected kernel functions until the issue is resolved.