Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's cachefiles component has been addressed, concerning an incorrect reference count for directory entries (dentries). The issue arose because the function 'cachefiles_bury_object()' was modified to require two references to the 'rep' dentry. While some callers were updated to provide the necessary references, one caller in 'cachefiles_cull()' was not, leading to a lost reference. This vulnerability affects the Linux kernel stable tree.
The vulnerability could result in a memory management issue, specifically a reference count imbalance, which can lead to use-after-free conditions or memory leaks.
The vulnerability can be reproduced by calling 'cachefiles_cull()' without the proper reference count for the 'rep' dentry, which will result in a lost reference. This can be done by modifying the cachefiles component to call 'cachefiles_bury_object()' from 'cachefiles_cull()' without using 'start_removing_dentry()', thereby passing only one reference instead of the required two.
Users can apply the latest patch available in the Linux kernel stable tree, which corrects the reference count issue by ensuring 'cachefiles_cull()' takes an extra reference before calling 'cachefiles_bury_object()'.
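The reference-count contract described above can be followed in a small user-space model. This is an added example, not kernel code or the upstream patch: every `model_*` name is hypothetical, and it assumes one other owner already holds a reference to the dentry when the cull path runs.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model; every name here is hypothetical, not a kernel API. */
struct model_dentry {
    int  refcount;   /* references currently held */
    bool freed;      /* true once the count has reached zero */
    int  bad_puts;   /* puts issued after the object was freed */
};
struct cull_result {
    bool freed_while_held; /* freed while another owner still held a ref */
    int  bad_puts;         /* stale puts seen by the end of the run */
};

static void model_get(struct model_dentry *d) { d->refcount++; }
static void model_put(struct model_dentry *d)
{
    if (d->freed) { d->bad_puts++; return; }  /* use-after-free class */
    if (--d->refcount == 0) d->freed = true;
}

/* Contract taken from the page: the callee consumes TWO refs on rep. */
static void model_bury_object(struct model_dentry *rep)
{
    model_put(rep);
    model_put(rep);
}

/* take_extra_ref=false models the unconverted caller, true the fix. */
static struct cull_result model_cull(bool take_extra_ref)
{
    struct model_dentry rep = { .refcount = 1 };  /* assumed other owner */
    struct cull_result r;
    model_get(&rep);                 /* the caller's single lookup ref */
    if (take_extra_ref)
        model_get(&rep);             /* second ref the callee expects */
    model_bury_object(&rep);
    r.freed_while_held = rep.freed;  /* other owner has not put yet */
    model_put(&rep);                 /* other owner releases its ref */
    r.bad_puts = rep.bad_puts;
    return r;
}

int main(void)
{
    struct cull_result bug = model_cull(false), fix = model_cull(true);
    printf("unconverted: freed_while_held=%d bad_puts=%d; fixed: freed_while_held=%d bad_puts=%d\n",
           bug.freed_while_held, bug.bad_puts, fix.freed_while_held, fix.bad_puts);
    return 0;
}
```

In the unconverted path the callee's second put consumes the other owner's reference, so the object is freed while still in use; with the extra reference taken first, the count only reaches zero on the last legitimate put.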