PT-2024-5424 · Linux · Linux Kernel
Baokun Li
Published 2024-06-21 · Updated 2025-02-03
CVE-2024-40899
CVSS v3.1: 7.8 (High)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.8.0-rc7-dirty #542
Description
The issue is a slab use-after-free in the cachefiles_ondemand_daemon_read() function. When a restore command is issued while the daemon is still alive, the same request can be processed more than once, and the request object is freed while the read path is still using it, triggering a use-after-free (UAF). Technical details about exploitation include:
- The cachefiles_ondemand_get_fd() function is vulnerable to the UAF.
- The REQ_A variable stores a request, and its done field is waited on using wait_for_completion().
- The cachefiles_ondemand_daemon_read() function reads data from a file descriptor, and copy_to_user() copies the data to a user-space buffer.
- The xas_for_each() function iterates over the set of requests, and xas_set_mark() sets a mark on a request.
- The cachefiles_ondemand_restore() function restores a request, and xa_erase() erases a request from the cache.
Recommendations
To resolve the issue, add an additional reference count to struct cachefiles_req, held while waiting and reading and released once the waiting and reading are over. As a temporary workaround, consider disabling the cachefiles_ondemand_daemon_read() function until a patch is available. Restrict access to the vulnerable cachefiles_ondemand_get_fd() function to minimize the risk of exploitation. Avoid using the REQ_A variable in the affected API endpoint until the issue is resolved.
Exploit
Fix
Use After Free
Race Condition
Affected Products
Linux Mint
Linux Kernel
RED OS
SUSE
Ubuntu