PT-2024-28087 · Linux+1 · Linux Kernel+1

Xingwei Lee +1 · Published 2024-05-10 · Updated 2024-06-22 · CVE-2024-38626

CVSS v3.1: 5.5 Medium

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Linux kernel version 6.9.0-rc7

Description

The issue arises from the FUSE_NOTIFY_RESEND notify sent by the write() syscall in a reproducer program. It occurs in three steps:

(1) fuse_dev_read() is called to read the INIT request, which succeeds and sets the FR_SENT bit on the request.
(2) fuse_dev_write() sends a FUSE_NOTIFY_RESEND notify, causing all processing requests to be resent, and the INIT request is moved back to the pending list.
(3) fuse_dev_read() is called again with an invalid output address, attempting to copy the INIT request to this address, which fails due to the invalid address and triggers a warning in fuse_request_end().

The warning was reported by lee bruce and is associated with the Linux kernel version 6.9.0-rc7.

Recommendations

To resolve the issue, clear the FR_SENT bit when re-adding requests into the pending list. As a temporary workaround, consider restricting the use of the fuse_dev_read() and fuse_dev_write() functions until a patch is available. Avoid using the write() syscall with the FUSE_NOTIFY_RESEND notify in the reproducer program until the issue is resolved.
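
A minimal user-space model of the three-step sequence and of the recommended fix, added here as an illustration (it is not kernel code and not part of the original advisory). The `model_*` functions, the queue enum and the `warned` field are assumptions standing in for the kernel's request handling.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model: one flag bit and the list a request currently sits on. */
enum { FR_SENT = 1u << 0 };
enum queue { Q_PENDING, Q_PROCESSING, Q_ENDED };
struct model_req { unsigned flags; enum queue where; bool warned; };

/* Ending a request that still carries FR_SENT is the warning condition. */
static void model_request_end(struct model_req *r)
{
    if (r->flags & FR_SENT) r->warned = true;
    r->where = Q_ENDED;
}

/* Device read: copy_ok=false stands for an invalid output address. */
static void model_dev_read(struct model_req *r, bool copy_ok)
{
    if (r->where != Q_PENDING) return;
    if (!copy_ok) { model_request_end(r); return; }  /* step 3: copy fails */
    r->flags |= FR_SENT;                             /* step 1: read succeeds */
    r->where = Q_PROCESSING;
}

/* Resend notify: processing requests go back to the pending list (step 2). */
static void model_resend(struct model_req *r, bool clear_sent)
{
    if (r->where != Q_PROCESSING) return;
    if (clear_sent) r->flags &= ~FR_SENT;            /* the recommended fix */
    r->where = Q_PENDING;
}

/* Runs the three steps on a modelled INIT request; true if the warning fired. */
static bool run_sequence(bool with_fix)
{
    struct model_req init = { 0, Q_PENDING, false };
    model_dev_read(&init, true);
    model_resend(&init, with_fix);
    model_dev_read(&init, false);
    return init.warned;
}

int main(void)
{
    printf("without fix: warning=%d\n", run_sequence(false));
    printf("with fix:    warning=%d\n", run_sequence(true));
    return 0;
}
```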

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2026-04553
CVE-2024-38626

Affected Products

Astra Linux
Linux Kernel