{
  "threat_severity" : "Moderate",
  "public_date" : "2024-09-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: fs/netfs/fscache_cookie: add missing \"n_accesses\" check",
    "id" : "2309863",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2309863"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-476",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nfs/netfs/fscache_cookie: add missing \"n_accesses\" check\nThis fixes a NULL pointer dereference bug due to a data race which\nlooks like this:\nBUG: kernel NULL pointer dereference, address: 0000000000000008\n#PF: supervisor read access in kernel mode\n#PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nOops: 0000 [#1] SMP PTI\nCPU: 33 PID: 16573 Comm: kworker/u97:799 Not tainted 6.8.7-cm4all1-hp+ #43\nHardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 10/17/2018\nWorkqueue: events_unbound netfs_rreq_write_to_cache_work\nRIP: 0010:cachefiles_prepare_write+0x30/0xa0\nCode: 57 41 56 45 89 ce 41 55 49 89 cd 41 54 49 89 d4 55 53 48 89 fb 48 83 ec 08 48 8b 47 08 48 83 7f 10 00 48 89 34 24 48 8b 68 20 <48> 8b 45 08 4c 8b 38 74 45 49 8b 7f 50 e8 4e a9 b0 ff 48 8b 73 10\nRSP: 0018:ffffb4e78113bde0 EFLAGS: 00010286\nRAX: ffff976126be6d10 RBX: ffff97615cdb8438 RCX: 0000000000020000\nRDX: ffff97605e6c4c68 RSI: ffff97605e6c4c60 RDI: ffff97615cdb8438\nRBP: 0000000000000000 R08: 0000000000278333 R09: 0000000000000001\nR10: ffff97605e6c4600 R11: 0000000000000001 R12: ffff97605e6c4c68\nR13: 0000000000020000 R14: 0000000000000001 R15: ffff976064fe2c00\nFS:  0000000000000000(0000) GS:ffff9776dfd40000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 000000005942c002 CR4: 00000000001706f0\nCall Trace:\n<TASK>\n? __die+0x1f/0x70\n? page_fault_oops+0x15d/0x440\n? search_module_extables+0xe/0x40\n? fixup_exception+0x22/0x2f0\n? exc_page_fault+0x5f/0x100\n? asm_exc_page_fault+0x22/0x30\n? cachefiles_prepare_write+0x30/0xa0\nnetfs_rreq_write_to_cache_work+0x135/0x2e0\nprocess_one_work+0x137/0x2c0\nworker_thread+0x2e9/0x400\n? __pfx_worker_thread+0x10/0x10\nkthread+0xcc/0x100\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x30/0x50\n? __pfx_kthread+0x10/0x10\nret_from_fork_asm+0x1b/0x30\n</TASK>\nModules linked in:\nCR2: 0000000000000008\n---[ end trace 0000000000000000 ]---\nThis happened because fscache_cookie_state_machine() was slow and was\nstill running while another process invoked fscache_unuse_cookie();\nthis led to a fscache_cookie_lru_do_one() call, setting the\nFSCACHE_COOKIE_DO_LRU_DISCARD flag, which was picked up by\nfscache_cookie_state_machine(), withdrawing the cookie via\ncachefiles_withdraw_cookie(), clearing cookie->cache_priv.\nAt the same time, yet another process invoked\ncachefiles_prepare_write(), which found a NULL pointer in this code\nline:\nstruct cachefiles_object *object = cachefiles_cres_object(cres);\nThe next line crashes, obviously:\nstruct cachefiles_cache *cache = object->volume->cache;\nDuring cachefiles_prepare_write(), the \"n_accesses\" counter is\nnon-zero (via fscache_begin_operation()).  The cookie must not be\nwithdrawn until it drops to zero.\nThe counter is checked by fscache_cookie_state_machine() before\nswitching to FSCACHE_COOKIE_STATE_RELINQUISHING and\nFSCACHE_COOKIE_STATE_WITHDRAWING (in \"case\nFSCACHE_COOKIE_STATE_FAILED\"), but not for\nFSCACHE_COOKIE_STATE_LRU_DISCARDING (\"case\nFSCACHE_COOKIE_STATE_ACTIVE\").\nThis patch adds the missing check.  With a non-zero access counter,\nthe function returns and the next fscache_end_cookie_access() call\nwill queue another fscache_cookie_state_machine() call to handle the\nstill-pending FSCACHE_COOKIE_DO_LRU_DISCARD.", "A race condition vulnerability was found in the Linux kernel. A race condition in the `fscache_cookie` subsystem leads to a NULL pointer dereference. The issue occurred when multiple processes accessed a cached file while it was being withdrawn, causing the cache's metadata to clear prematurely." ],
  "statement" : "This issue is classified as Moderate severity rather than Important because, while it leads to a NULL pointer dereference and a subsequent kernel crash, it requires specific conditions to trigger. The vulnerability depends on a race condition between multiple processes accessing the same cached file, which is not easily exploitable in most environments. Additionally, it does not directly enable privilege escalation, remote code execution, or data corruption.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-45000\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-45000\nhttps://lore.kernel.org/linux-cve-announce/2024090449-CVE-2024-45000-fd6f@gregkh/T" ],
  "name" : "CVE-2024-45000",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}