In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix slab-use-after-free in cachefilesondemandget_fd()

We got the following issue in a fuzz test of randomly issuing the restore command:

================================================================== BUG: KASAN: slab-use-after-free in cachefilesondemanddaemon_read+0x609/0xab0 Write of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962

CPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542 Call Trace: kasanreport+0x94/0xc0 cachefilesondemanddaemonread+0x609/0xab0 vfsread+0x169/0xb50 ksysread+0xf5/0x1e0

Allocated by task 626: _kmalloc+0x1df/0x4b0 cachefilesondemandsendreq+0x24d/0x690 cachefilescreatetmpfile+0x249/0xb30 cachefilescreatefile+0x6f/0x140 cachefileslookupobject+0x29c/0xa60 cachefileslookupcookie+0x37d/0xca0 fscachecookiestatemachine+0x43c/0x1230 [...]

Freed by task 626: kfree+0xf1/0x2c0 cachefilesondemandsendreq+0x568/0x690 cachefilescreatetmpfile+0x249/0xb30 cachefilescreatefile+0x6f/0x140 cachefileslookupobject+0x29c/0xa60 cachefileslookupcookie+0x37d/0xca0 fscachecookiestate_machine+0x43c/0x1230

[...]

Following is the process that triggers the issue:

mount | daemonthread1 | daemonthread2

cachefilesondemandinitobject cachefilesondemandsendreq REQA = kzalloc(sizeof(*req) + datalen) waitforcompletion(&REQ_A->done)

        cachefiles_daemon_read
         cachefiles_ondemand_daemon_read
          REQ_A = cachefiles_ondemand_select_req
          cachefiles_ondemand_get_fd
          copy_to_user(_buffer, msg, n)
        process_open_req(REQ_A)
                              ------ restore ------
                              cachefiles_ondemand_restore
                              xas_for_each(&xas, req, ULONG_MAX)
                               xas_set_mark(&xas, CACHEFILES_REQ_NEW);

                              cachefiles_daemon_read
                               cachefiles_ondemand_daemon_read
                                REQ_A = cachefiles_ondemand_select_req

         write(devfd, ("copen %u,%llu", msg->msg_id, size));
         cachefiles_ondemand_copen
          xa_erase(&cache->reqs, id)
          complete(&REQ_A->done)

kfree(REQA) cachefilesondemandgetfd(REQA) fd = getunusedfdflags file = anoninodegetfile fdinstall(fd, file) load = (void *)REQA->msg.data; load->fd = fd; // load UAF !!!

This issue is caused by issuing a restore command when the daemon is still alive, which results in a request being processed multiple times thus triggering a UAF. So to avoid this problem, add an additional reference count to cachefiles_req, which is held while waiting and reading, and then released when the waiting and reading is over.

Note that since there is only one reference count for waiting, we need to avoid the same request being completed multiple times, so we can only complete the request if it is successfully removed from the xarray.