CVE-2024-41050
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-41050
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-41050.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-41050
- Downstream
- Related
- Published
- 2024-07-29T14:32:06Z
- Modified
- 2025-10-22T00:43:39.906981Z
- Summary
- cachefiles: cyclic allocation of msg_id to avoid reuse
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
cachefiles: cyclic allocation of msg_id to avoid reuse
Reusing the msg_id after a maliciously completed reopen request may cause a read request to remain unprocessed and result in a hung, as shown below:
t1 | t2 | t3
cachefilesondemandselectreq cachefilesondemandobjectisclose(A) cachefilesondemandsetobjectreopening(A) queuework(fscacheobjectwq, &info->work) ondemandobjectworker cachefilesondemandinitobject(A) cachefilesondemandsendreq(OPEN) // get msgid 6 waitforcompletion(&reqA->done) cachefilesondemanddaemonread // read msgid 6 reqA cachefilesondemandgetfd copytouser // Malicious completion msgid 6 copen 6,-1 cachefilesondemandcopen complete(&reqA->done) // will not set the object to close // because ondemand_id && fd is valid.
// ondemand_object_worker() is done // but the object is still reopening. // new open req_B cachefiles_ondemand_init_object(B) cachefiles_ondemand_send_req(OPEN) // reuse msg_id 6processopenreq copen 6,A.size // The expected failed copen was executed successfully
Expect copen to fail, and when it does, it closes fd, which sets the object to close, and then close triggers reopen again. However, due to msg_id reuse resulting in a successful copen, the anonymous fd is not closed until the daemon exits. Therefore read requests waiting for reopen to complete may trigger hung task.
To avoid this issue, allocate the msgid cyclically to avoid reusing the msgid for a very short duration of time.
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/19f4f399091478c95947f6bd7ad61622300c30d9
- https://git.kernel.org/stable/c/35710c6c4a1c64478ec1b5e0e81d386c0844dec6
- https://git.kernel.org/stable/c/9d3bf4e9aa23f0d9e99ebe7a94f232ddba54ee17
- https://git.kernel.org/stable/c/de045a82e1a4e04be62718d3c2981a55150765a0
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc8383054506c77b814489c09877b5db83fd4abf2Fixed35710c6c4a1c64478ec1b5e0e81d386c0844dec6
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc8383054506c77b814489c09877b5db83fd4abf2Fixedde045a82e1a4e04be62718d3c2981a55150765a0
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc8383054506c77b814489c09877b5db83fd4abf2Fixed9d3bf4e9aa23f0d9e99ebe7a94f232ddba54ee17
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc8383054506c77b814489c09877b5db83fd4abf2Fixed19f4f399091478c95947f6bd7ad61622300c30d9