{"id":"CVE-2024-41057","summary":"cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()\n\nWe got the following issue in our fault injection stress test:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_withdraw_cookie+0x4d9/0x600\nRead of size 8 at addr ffff888118efc000 by task kworker/u78:0/109\n\nCPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566\nCall Trace:\n \u003cTASK\u003e\n kasan_report+0x93/0xc0\n cachefiles_withdraw_cookie+0x4d9/0x600\n fscache_cookie_state_machine+0x5c8/0x1230\n fscache_cookie_worker+0x91/0x1c0\n process_one_work+0x7fa/0x1800\n [...]\n\nAllocated by task 117:\n kmalloc_trace+0x1b3/0x3c0\n cachefiles_acquire_volume+0xf3/0x9c0\n fscache_create_volume_work+0x97/0x150\n process_one_work+0x7fa/0x1800\n [...]\n\nFreed by task 120301:\n kfree+0xf1/0x2c0\n cachefiles_withdraw_cache+0x3fa/0x920\n cachefiles_put_unbind_pincount+0x1f6/0x250\n cachefiles_daemon_release+0x13b/0x290\n __fput+0x204/0xa00\n task_work_run+0x139/0x230\n do_exit+0x87a/0x29b0\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n           p1                |             p2\n------------------------------------------------------------\n                              fscache_begin_lookup\n                               fscache_begin_volume_access\n                                fscache_cache_is_live(fscache_cache)\ncachefiles_daemon_release\n cachefiles_put_unbind_pincount\n  cachefiles_daemon_unbind\n   cachefiles_withdraw_cache\n    fscache_withdraw_cache\n     fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN);\n    cachefiles_withdraw_objects(cache)\n    fscache_wait_for_objects(fscache)\n      atomic_read(&fscache_cache-\u003eobject_count) == 0\n                              fscache_perform_lookup\n                               cachefiles_lookup_cookie\n                                cachefiles_alloc_object\n                                 refcount_set(&object-\u003eref, 1);\n                                 object-\u003evolume = volume\n                                 fscache_count_object(vcookie-\u003ecache);\n                                  atomic_inc(&fscache_cache-\u003eobject_count)\n    cachefiles_withdraw_volumes\n     cachefiles_withdraw_volume\n      fscache_withdraw_volume\n      __cachefiles_free_volume\n       kfree(cachefiles_volume)\n                              fscache_cookie_state_machine\n                               cachefiles_withdraw_cookie\n                                cache = object-\u003evolume-\u003ecache;\n                                // cachefiles_volume UAF !!!\n\nAfter setting FSCACHE_CACHE_IS_WITHDRAWN, wait for all the cookie lookups\nto complete first, and then wait for fscache_cache-\u003eobject_count == 0 to\navoid the cookie exiting after the volume has been freed and triggering\nthe above issue. Therefore call fscache_withdraw_volume() before calling\ncachefiles_withdraw_objects().\n\nThis way, after setting FSCACHE_CACHE_IS_WITHDRAWN, only the following two\ncases will occur:\n1) fscache_begin_lookup fails in fscache_begin_volume_access().\n2) fscache_withdraw_volume() will ensure that fscache_count_object() has\n   been executed before calling fscache_wait_for_objects().","modified":"2026-04-16T04:35:48.310989174Z","published":"2024-07-29T14:57:19.938Z","related":["SUSE-SU-2024:2894-1","SUSE-SU-2024:2939-1","SUSE-SU-2024:2947-1","SUSE-SU-2024:3194-1","SUSE-SU-2024:3195-1","SUSE-SU-2024:3383-1","SUSE-SU-2025:0241-1","SUSE-SU-2025:0252-1","SUSE-SU-2025:0253-1","SUSE-SU-2025:0254-1","SUSE-SU-2025:0255-1","SUSE-SU-2025:0260-1","SUSE-SU-2025:0262-1","SUSE-SU-2025:0263-1","SUSE-SU-2025:0265-1","SUSE-SU-2025:0266-1","SUSE-SU-2025:0268-1","SUSE-SU-2025:0269-1","SUSE-SU-2025:20044-1","SUSE-SU-2025:20047-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/41xxx/CVE-2024-41057.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/5d8f805789072ea7fd39504694b7bd17e5f751c4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8de253177112a47c9af157d23ae934779188b4e1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9e67589a4a7b7e5660b524d1d5fe61242bcbcc11"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ef81340401e8a371d6b17f69e76d861920972cfe"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/41xxx/CVE-2024-41057.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41057"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35"},{"fixed":"8de253177112a47c9af157d23ae934779188b4e1"},{"fixed":"9e67589a4a7b7e5660b524d1d5fe61242bcbcc11"},{"fixed":"ef81340401e8a371d6b17f69e76d861920972cfe"},{"fixed":"5d8f805789072ea7fd39504694b7bd17e5f751c4"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-41057.json"}}],"schema_version":"1.7.5"}