In the Linux kernel, the following vulnerability has been resolved:
cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd()
We got the following issue in a fuzz test of randomly issuing the restore command:
==================================================================
BUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0x609/0xab0
Write of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962

CPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542
Call Trace:
 kasan_report+0x94/0xc0
 cachefiles_ondemand_daemon_read+0x609/0xab0
 vfs_read+0x169/0xb50
 ksys_read+0xf5/0x1e0

Allocated by task 626:
 __kmalloc+0x1df/0x4b0
 cachefiles_ondemand_send_req+0x24d/0x690
 cachefiles_create_tmpfile+0x249/0xb30
 cachefiles_create_file+0x6f/0x140
 cachefiles_look_up_object+0x29c/0xa60
 cachefiles_lookup_cookie+0x37d/0xca0
 fscache_cookie_state_machine+0x43c/0x1230
 [...]

Freed by task 626:
 kfree+0xf1/0x2c0
 cachefiles_ondemand_send_req+0x568/0x690
 cachefiles_create_tmpfile+0x249/0xb30
 cachefiles_create_file+0x6f/0x140
 cachefiles_look_up_object+0x29c/0xa60
 cachefiles_lookup_cookie+0x37d/0xca0
 fscache_cookie_state_machine+0x43c/0x1230
Following is the process that triggers the issue:
cachefiles_ondemand_init_object
  cachefiles_ondemand_send_req
    REQ_A = kzalloc(sizeof(*req) + data_len)
    wait_for_completion(&REQ_A->done)

            cachefiles_daemon_read
              cachefiles_ondemand_daemon_read
                REQ_A = cachefiles_ondemand_select_req
                cachefiles_ondemand_get_fd
                copy_to_user(_buffer, msg, n)
              process_open_req(REQ_A)
              ------ restore ------
              cachefiles_ondemand_restore
                xas_for_each(&xas, req, ULONG_MAX)
                  xas_set_mark(&xas, CACHEFILES_REQ_NEW);

              cachefiles_daemon_read
                cachefiles_ondemand_daemon_read
                  REQ_A = cachefiles_ondemand_select_req

              write(devfd, ("copen %u,%llu", msg->msg_id, size));
              cachefiles_ondemand_copen
                xa_erase(&cache->reqs, id)
                complete(&REQ_A->done)
    kfree(REQ_A)
                cachefiles_ondemand_get_fd(REQ_A)
                  fd = get_unused_fd_flags
                  file = anon_inode_getfile
                  fd_install(fd, file)
                  load = (void *)REQ_A->msg.data;
                  load->fd = fd;
                  // load UAF !!!
This issue is caused by issuing a restore command when the daemon is still alive, which results in a request being processed multiple times thus triggering a UAF. So to avoid this problem, add an additional reference count to cachefiles_req, which is held while waiting and reading, and then released when the waiting and reading is over.
Note that since there is only one reference count for waiting, we need to avoid the same request being completed multiple times, so we can only complete the request if it is successfully removed from the xarray.
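The interleaving above and the effect of the fix can be replayed in a small userspace model. The following C program is an added illustration, not code from the kernel or from this commit: struct req, the reqs[] array, select_req(), restore(), copen() and get_fd_store() are hypothetical stand-ins for cachefiles_req, cache->reqs, cachefiles_ondemand_select_req(), cachefiles_ondemand_restore(), cachefiles_ondemand_copen() and the final load->fd store in cachefiles_ondemand_get_fd(). The two daemon reads are driven step by step from one thread so the race is deterministic; a "freed" flag stands in for kfree() so a write to a dead request can be counted where KASAN would report it.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical userspace model of the cachefiles on-demand request race.
 * Not kernel code: the names only mimic the functions in the commit message.
 */
#define MAX_REQS 8

struct req {
    unsigned int id;
    int refcnt;     /* the fix: waiter's reference plus one per in-flight read */
    int completed;  /* stands in for struct completion done */
    int is_new;     /* stands in for the CACHEFILES_REQ_NEW xarray mark */
    int freed;      /* model only: set where kfree(req) would run */
    int fd;         /* stands in for load->fd written at the end of get_fd() */
};

static struct req pool[MAX_REQS];    /* model only: freed objects stay inspectable */
static struct req *reqs[MAX_REQS];   /* stands in for cache->reqs; NULL == erased */
static int uaf_writes;               /* model only: writes to an already freed req */

static struct req *req_alloc(unsigned int id)
{
    struct req *r = &pool[id];
    memset(r, 0, sizeof(*r));
    r->id = id;
    r->refcnt = 1;                   /* held by the task blocked in send_req() */
    r->is_new = 1;
    reqs[id] = r;
    return r;
}

static void req_get(struct req *r) { r->refcnt++; }

static void req_put(struct req *r)
{
    if (--r->refcnt == 0)
        r->freed = 1;                /* kfree(req) */
}

/* select_req(): hand out the first NEW request and clear its mark */
static struct req *select_req(void)
{
    for (int i = 0; i < MAX_REQS; i++) {
        if (reqs[i] && reqs[i]->is_new) {
            reqs[i]->is_new = 0;
            return reqs[i];
        }
    }
    return NULL;
}

/* "restore" command: every request still in the table becomes NEW again */
static void restore(void)
{
    for (int i = 0; i < MAX_REQS; i++)
        if (reqs[i])
            reqs[i]->is_new = 1;
}

/* the last step of get_fd(): load->fd = fd. KASAN would fire if req is gone. */
static void get_fd_store(struct req *r, int fd)
{
    if (r->freed)
        uaf_writes++;
    r->fd = fd;
}

/*
 * "copen" handling: complete the request only if the erase removed it, so the
 * single waiter reference can never be dropped twice. Completion wakes the
 * waiter, which then drops its reference.
 */
static int copen(unsigned int id)
{
    struct req *r = reqs[id];        /* xa_erase(&cache->reqs, id) */
    reqs[id] = NULL;
    if (!r)
        return -ENOENT;              /* nothing removed: do not complete */
    r->completed = 1;                /* complete(&req->done) */
    req_put(r);                      /* waiter leaves send_req(), drops its ref */
    return 0;
}

/* Replay the interleaving from the commit message; returns the UAF write count. */
static int run_race(int fixed)
{
    struct req *r1, *r2;

    memset(reqs, 0, sizeof(reqs));
    uaf_writes = 0;
    req_alloc(1);                    /* send_req(): REQ_A queued, waiter blocks */

    r1 = select_req();               /* daemon read #1 picks REQ_A ... */
    if (fixed)
        req_get(r1);                 /* ... and with the fix pins it while reading */
    /* read #1 is now preempted inside get_fd(), just after fd_install() */

    restore();                       /* daemon still alive: REQ_A is NEW again */
    r2 = select_req();               /* daemon read #2 hands out REQ_A once more */
    if (r2 != r1)
        return -1;                   /* model sanity check */

    copen(r2->id);                   /* daemon answers; waiter wakes, drops its ref */

    get_fd_store(r1, 42);            /* read #1 resumes: load->fd = fd */
    if (fixed)
        req_put(r1);                 /* reading finished, drop the read reference */
    return uaf_writes;
}

int main(void)
{
    printf("without refcount: %d UAF write(s)\n", run_race(0));
    printf("with refcount:    %d UAF write(s)\n", run_race(1));
    return 0;
}
```

Without the extra reference the waiter's put in copen() is the only reference, so the request is gone by the time read #1 stores the fd; with it, the object survives until the read drops its own reference, and a second copen for the same id returns -ENOENT instead of completing (and putting) the request again.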