In the Linux kernel, the following vulnerability has been resolved:
cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()
We got the following issue in our fault injection stress test:
==================================================================
BUG: KASAN: slab-use-after-free in cachefiles_withdraw_cookie+0x4d9/0x600
Read of size 8 at addr ffff888118efc000 by task kworker/u78:0/109

CPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566
Call Trace:
 <TASK>
 kasan_report+0x93/0xc0
 cachefiles_withdraw_cookie+0x4d9/0x600
 fscache_cookie_state_machine+0x5c8/0x1230
 fscache_cookie_worker+0x91/0x1c0
 process_one_work+0x7fa/0x1800
 [...]

Allocated by task 117:
 kmalloc_trace+0x1b3/0x3c0
 cachefiles_acquire_volume+0xf3/0x9c0
 fscache_create_volume_work+0x97/0x150
 process_one_work+0x7fa/0x1800
 [...]

Freed by task 120301:
 kfree+0xf1/0x2c0
 cachefiles_withdraw_cache+0x3fa/0x920
 cachefiles_put_unbind_pincount+0x1f6/0x250
 cachefiles_daemon_release+0x13b/0x290
 __fput+0x204/0xa00
 task_work_run+0x139/0x230
 do_exit+0x87a/0x29b0
Following is the process that triggers the issue:
           p1                |             p2
------------------------------------------------------------
fscache_begin_lookup
 fscache_begin_volume_access
  fscache_cache_is_live(fscache_cache)
                               cachefiles_daemon_release
                                cachefiles_put_unbind_pincount
                                 cachefiles_daemon_unbind
                                  cachefiles_withdraw_cache
                                   fscache_withdraw_cache
                                    fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN);
                                   cachefiles_withdraw_objects(cache)
                                    fscache_wait_for_objects(fscache)
                                     atomic_read(&fscache_cache->object_count) == 0
fscache_perform_lookup
 cachefiles_lookup_cookie
  cachefiles_alloc_object
   refcount_set(&object->ref, 1);
   object->volume = volume
   fscache_count_object(vcookie->cache);
    atomic_inc(&fscache_cache->object_count)
                               cachefiles_withdraw_volumes
                                cachefiles_withdraw_volume
                                 fscache_withdraw_volume
                                 __cachefiles_free_volume
                                  kfree(cachefiles_volume)
fscache_cookie_state_machine
 cachefiles_withdraw_cookie
  cache = object->volume->cache; // cachefiles_volume UAF !!!
After setting FSCACHE_CACHE_IS_WITHDRAWN, wait for all the cookie lookups to complete first, and then wait for fscache_cache->object_count == 0 to avoid the cookie exiting after the volume has been freed and triggering the above issue. Therefore call fscache_withdraw_volume() before calling cachefiles_withdraw_objects().

This way, after setting FSCACHE_CACHE_IS_WITHDRAWN, only the following two cases will occur:
1) fscache_begin_lookup fails in fscache_begin_volume_access().
2) fscache_withdraw_volume() will ensure that fscache_count_object() has been executed before calling fscache_wait_for_objects().
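The following C model is an added illustration, not kernel code and not the patch itself: it replays the interleaving from the diagram above under both orderings of the withdrawal path and reports which outcome occurs. The per-volume access counter (`n_accesses`), the cooperative step scheduler and the return codes are assumptions of the model; what it preserves from the description is only the ordering between "wait for in-flight volume accesses" (fscache_withdraw_volume()) and "wait for object_count == 0" (fscache_wait_for_objects()) relative to freeing the cachefiles_volume.

```c
/* Constructed model of the race above (not kernel code). p1 = cookie lookup,
 * p2 = daemon release withdrawing the cache. Assumption: the access taken in
 * fscache_begin_volume_access() is counted in n_accesses, and
 * fscache_withdraw_volume() waits for that count to reach zero. */
#include <stdbool.h>

enum cache_state { FSCACHE_CACHE_IS_ACTIVE, FSCACHE_CACHE_IS_WITHDRAWN };
enum step_result { STEP_RAN, STEP_BLOCKED, STEP_DONE };

struct fscache_cache { enum cache_state state; int object_count; };
struct cachefiles_volume { struct fscache_cache *cache; int n_accesses; bool freed; };
struct cachefiles_object { struct cachefiles_volume *volume; };

struct lookup_task {   /* p1 */
	int pc;
	struct cachefiles_volume *volume;
	struct cachefiles_object object;
	bool uaf, lookup_failed;
};
struct withdraw_task { /* p2 */
	int pc;
	bool fixed_order;  /* true: wait for volume accesses before objects */
	struct cachefiles_volume *volume;
};

static enum step_result lookup_step(struct lookup_task *t)
{
	struct cachefiles_volume *vol = t->volume;
	switch (t->pc) {
	case 0: /* fscache_begin_lookup -> fscache_begin_volume_access */
		if (vol->cache->state != FSCACHE_CACHE_IS_ACTIVE) {
			t->lookup_failed = true;
			return STEP_DONE;
		}
		vol->n_accesses++;
		break;
	case 1: /* fscache_perform_lookup: alloc object, fscache_count_object */
		t->object.volume = vol;
		vol->cache->object_count++;
		vol->n_accesses--;  /* fscache_end_volume_access */
		break;
	case 2: /* fscache_cookie_state_machine -> cachefiles_withdraw_cookie */
		if (t->object.volume->freed)
			t->uaf = true;  /* cache = object->volume->cache on freed memory */
		else
			t->object.volume->cache->object_count--;
		break;
	default: return STEP_DONE;
	}
	return ++t->pc == 3 ? STEP_DONE : STEP_RAN;
}

static enum step_result withdraw_step(struct withdraw_task *t)
{
	struct cachefiles_volume *vol = t->volume;
	/* Buggy order: WITHDRAWN, wait object_count == 0, wait n_accesses == 0, kfree.
	 * Fixed order: WITHDRAWN, wait n_accesses == 0, wait object_count == 0, kfree. */
	bool wait_objects = t->pc == (t->fixed_order ? 2 : 1);
	switch (t->pc) {
	case 0:
		vol->cache->state = FSCACHE_CACHE_IS_WITHDRAWN;
		break;
	case 1: case 2:
		if (wait_objects ? (vol->cache->object_count != 0) : (vol->n_accesses != 0))
			return STEP_BLOCKED;
		break;
	case 3: /* __cachefiles_free_volume -> kfree(cachefiles_volume) */
		vol->freed = true;
		break;
	default: return STEP_DONE;
	}
	return ++t->pc == 4 ? STEP_DONE : STEP_RAN;
}

/* Replay one interleaving: with lookup_first, p1 enters its volume access before
 * p2 starts (the report's schedule); then p2 runs whenever it is not blocked,
 * p1 otherwise. Returns 1 for a UAF, 2 if the lookup was refused, 0 if clean. */
static int run_race(bool fixed_order, bool lookup_first)
{
	struct fscache_cache cache = { FSCACHE_CACHE_IS_ACTIVE, 0 };
	struct cachefiles_volume vol = { &cache, 0, false };
	struct lookup_task p1 = { 0, &vol, { 0 }, false, false };
	struct withdraw_task p2 = { 0, fixed_order, &vol };
	enum step_result r1 = STEP_RAN, r2 = STEP_RAN;
	if (lookup_first)
		r1 = lookup_step(&p1);
	for (int i = 0; i < 32; i++) {
		if (r2 != STEP_DONE) {
			r2 = withdraw_step(&p2);
			if (r2 == STEP_RAN)
				continue;
		}
		if (r1 != STEP_DONE)
			r1 = lookup_step(&p1);
		if (r1 == STEP_DONE && r2 == STEP_DONE)
			return p1.uaf ? 1 : p1.lookup_failed ? 2 : 0;
	}
	return -1;  /* neither side can make progress */
}
```

With the original ordering, run_race(false, true) passes fscache_wait_for_objects() while object_count is still 0, frees the volume once the lookup drops its volume access, and then the cookie withdrawal reads the freed volume (return 1). With the fixed ordering, run_race(true, true) blocks on the in-flight volume access first, so the object is counted before the wait on object_count begins and the free happens only after the cookie has withdrawn (return 0). run_race(true, false) is case 1) of the fix: a lookup starting after FSCACHE_CACHE_IS_WITHDRAWN fails in fscache_begin_volume_access() and never counts an object (return 2).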