fkie_cve-2025-40072
Vulnerability from fkie_nvd
Published
2025-10-28 12:15
Modified
2025-10-30 15:05
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: fanotify: Validate the return value of mnt_ns_from_dentry() before dereferencing The function do_fanotify_mark() does not validate if mnt_ns_from_dentry() returns NULL before dereferencing mntns->user_ns. This causes a NULL pointer dereference in do_fanotify_mark() if the path is not a mount namespace object. Fix this by checking mnt_ns_from_dentry()'s return value before dereferencing it. Before the patch $ gcc fanotify_nullptr.c -o fanotify_nullptr $ mkdir A $ ./fanotify_nullptr Fanotify fd: 3 fanotify_mark: Operation not permitted $ unshare -Urm Fanotify fd: 3 Killed int main(void){ int ffd; ffd = fanotify_init(FAN_CLASS_NOTIF | FAN_REPORT_MNT, 0); if(ffd < 0){ perror("fanotify_init"); exit(EXIT_FAILURE); } printf("Fanotify fd: %d\n",ffd); if(fanotify_mark(ffd, FAN_MARK_ADD | FAN_MARK_MNTNS, FAN_MNT_ATTACH, AT_FDCWD, "A") < 0){ perror("fanotify_mark"); exit(EXIT_FAILURE); } return 0; } After the patch $ gcc fanotify_nullptr.c -o fanotify_nullptr $ mkdir A $ ./fanotify_nullptr Fanotify fd: 3 fanotify_mark: Operation not permitted $ unshare -Urm Fanotify fd: 3 fanotify_mark: Invalid argument [ 25.694973] BUG: kernel NULL pointer dereference, address: 0000000000000038 [ 25.695006] #PF: supervisor read access in kernel mode [ 25.695012] #PF: error_code(0x0000) - not-present page [ 25.695017] PGD 109a30067 P4D 109a30067 PUD 142b46067 PMD 0 [ 25.695025] Oops: Oops: 0000 [#1] SMP NOPTI [ 25.695032] CPU: 4 UID: 1000 PID: 1478 Comm: fanotify_nullpt Not tainted 6.17.0-rc4 #1 PREEMPT(lazy) [ 25.695040] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 [ 25.695049] RIP: 0010:do_fanotify_mark+0x817/0x950 [ 25.695066] Code: 04 00 00 e9 45 fd ff ff 48 8b 7c 24 48 4c 89 54 24 18 4c 89 5c 24 10 4c 89 0c 24 e8 b3 11 fc ff 4c 8b 54 24 18 4c 8b 5c 24 10 <48> 8b 78 38 4c 8b 0c 24 49 89 c4 e9 13 fd ff ff 8b 4c 24 28 85 c9 [ 25.695081] RSP: 0018:ffffd31c469e3c08 EFLAGS: 00010203 [ 25.695104] RAX: 0000000000000000 RBX: 0000000001000000 RCX: ffff8eb48aebd220 [ 25.695110] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8eb4835e8180 [ 25.695115] RBP: 0000000000000111 R08: 0000000000000000 R09: 0000000000000000 [ 25.695142] R10: ffff8eb48a7d56c0 R11: ffff8eb482bede00 R12: 00000000004012a7 [ 25.695148] R13: 0000000000000110 R14: 0000000000000001 R15: ffff8eb48a7d56c0 [ 25.695154] FS: 00007f8733bda740(0000) GS:ffff8eb61ce5f000(0000) knlGS:0000000000000000 [ 25.695162] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 25.695170] CR2: 0000000000000038 CR3: 0000000136994006 CR4: 00000000003706f0 [ 25.695201] Call Trace: [ 25.695209] <TASK> [ 25.695215] __x64_sys_fanotify_mark+0x1f/0x30 [ 25.695222] do_syscall_64+0x82/0x2c0 ...
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/62e59ffe8787b5550ccff70c30b6f6be6a3ac3dd
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/73ce2a774ad6497cbd48dc4f8a5d699bc417f3fa
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfanotify: Validate the return value of mnt_ns_from_dentry() before dereferencing\n\nThe function do_fanotify_mark() does not validate if\nmnt_ns_from_dentry() returns NULL before dereferencing mntns-\u003euser_ns.\nThis causes a NULL pointer dereference in do_fanotify_mark() if the\npath is not a mount namespace object.\n\nFix this by checking mnt_ns_from_dentry()\u0027s return value before\ndereferencing it.\n\nBefore the patch\n\n$ gcc fanotify_nullptr.c -o fanotify_nullptr\n$ mkdir A\n$ ./fanotify_nullptr\nFanotify fd: 3\nfanotify_mark: Operation not permitted\n$ unshare -Urm\nFanotify fd: 3\nKilled\n\nint main(void){\n    int ffd;\n    ffd = fanotify_init(FAN_CLASS_NOTIF | FAN_REPORT_MNT, 0);\n    if(ffd \u003c 0){\n        perror(\"fanotify_init\");\n        exit(EXIT_FAILURE);\n    }\n\n    printf(\"Fanotify fd: %d\\n\",ffd);\n\n    if(fanotify_mark(ffd, FAN_MARK_ADD | FAN_MARK_MNTNS,\nFAN_MNT_ATTACH, AT_FDCWD, \"A\") \u003c 0){\n        perror(\"fanotify_mark\");\n        exit(EXIT_FAILURE);\n    }\n\nreturn 0;\n}\n\nAfter the patch\n\n$ gcc fanotify_nullptr.c -o fanotify_nullptr\n$ mkdir A\n$ ./fanotify_nullptr\nFanotify fd: 3\nfanotify_mark: Operation not permitted\n$ unshare -Urm\nFanotify fd: 3\nfanotify_mark: Invalid argument\n\n[   25.694973] BUG: kernel NULL pointer dereference, address: 0000000000000038\n[   25.695006] #PF: supervisor read access in kernel mode\n[   25.695012] #PF: error_code(0x0000) - not-present page\n[   25.695017] PGD 109a30067 P4D 109a30067 PUD 142b46067 PMD 0\n[   25.695025] Oops: Oops: 0000 [#1] SMP NOPTI\n[   25.695032] CPU: 4 UID: 1000 PID: 1478 Comm: fanotify_nullpt Not\ntainted 6.17.0-rc4 #1 PREEMPT(lazy)\n[   25.695040] Hardware name: VMware, Inc. VMware Virtual\nPlatform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\n[   25.695049] RIP: 0010:do_fanotify_mark+0x817/0x950\n[   25.695066] Code: 04 00 00 e9 45 fd ff ff 48 8b 7c 24 48 4c 89 54\n24 18 4c 89 5c 24 10 4c 89 0c 24 e8 b3 11 fc ff 4c 8b 54 24 18 4c 8b\n5c 24 10 \u003c48\u003e 8b 78 38 4c 8b 0c 24 49 89 c4 e9 13 fd ff ff 8b 4c 24 28\n85 c9\n[   25.695081] RSP: 0018:ffffd31c469e3c08 EFLAGS: 00010203\n[   25.695104] RAX: 0000000000000000 RBX: 0000000001000000 RCX: ffff8eb48aebd220\n[   25.695110] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8eb4835e8180\n[   25.695115] RBP: 0000000000000111 R08: 0000000000000000 R09: 0000000000000000\n[   25.695142] R10: ffff8eb48a7d56c0 R11: ffff8eb482bede00 R12: 00000000004012a7\n[   25.695148] R13: 0000000000000110 R14: 0000000000000001 R15: ffff8eb48a7d56c0\n[   25.695154] FS:  00007f8733bda740(0000) GS:ffff8eb61ce5f000(0000)\nknlGS:0000000000000000\n[   25.695162] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   25.695170] CR2: 0000000000000038 CR3: 0000000136994006 CR4: 00000000003706f0\n[   25.695201] Call Trace:\n[   25.695209]  \u003cTASK\u003e\n[   25.695215]  __x64_sys_fanotify_mark+0x1f/0x30\n[   25.695222]  do_syscall_64+0x82/0x2c0\n..."
    }
  ],
  "id": "CVE-2025-40072",
  "lastModified": "2025-10-30T15:05:32.197",
  "metrics": {},
  "published": "2025-10-28T12:15:41.723",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/62e59ffe8787b5550ccff70c30b6f6be6a3ac3dd"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/73ce2a774ad6497cbd48dc4f8a5d699bc417f3fa"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.