Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-22070

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
16/04/2025
Last modified:
01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/9p: fix NULL pointer dereference on mkdir<br /> <br /> When a 9p tree was mounted with option &amp;#39;posixacl&amp;#39;, parent directory had a<br /> default ACL set for its subdirectories, e.g.:<br /> <br /> setfacl -m default:group:simpsons:rwx parentdir<br /> <br /> then creating a subdirectory crashed 9p client, as v9fs_fid_add() call in<br /> function v9fs_vfs_mkdir_dotl() sets the passed &amp;#39;fid&amp;#39; pointer to NULL<br /> (since dafbe689736) even though the subsequent v9fs_set_create_acl() call<br /> expects a valid non-NULL &amp;#39;fid&amp;#39; pointer:<br /> <br /> [ 37.273191] BUG: kernel NULL pointer dereference, address: 0000000000000000<br /> ...<br /> [ 37.322338] Call Trace:<br /> [ 37.323043] <br /> [ 37.323621] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)<br /> [ 37.324448] ? page_fault_oops (arch/x86/mm/fault.c:714)<br /> [ 37.325532] ? search_module_extables (kernel/module/main.c:3733)<br /> [ 37.326742] ? p9_client_walk (net/9p/client.c:1165) 9pnet<br /> [ 37.328006] ? search_bpf_extables (kernel/bpf/core.c:804)<br /> [ 37.329142] ? exc_page_fault (./arch/x86/include/asm/paravirt.h:686 arch/x86/mm/fault.c:1488 arch/x86/mm/fault.c:1538)<br /> [ 37.330196] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:574)<br /> [ 37.331330] ? p9_client_walk (net/9p/client.c:1165) 9pnet<br /> [ 37.332562] ? v9fs_fid_xattr_get (fs/9p/xattr.c:30) 9p<br /> [ 37.333824] v9fs_fid_xattr_set (fs/9p/fid.h:23 fs/9p/xattr.c:121) 9p<br /> [ 37.335077] v9fs_set_acl (fs/9p/acl.c:276) 9p<br /> [ 37.336112] v9fs_set_create_acl (fs/9p/acl.c:307) 9p<br /> [ 37.337326] v9fs_vfs_mkdir_dotl (fs/9p/vfs_inode_dotl.c:411) 9p<br /> [ 37.338590] vfs_mkdir (fs/namei.c:4313)<br /> [ 37.339535] do_mkdirat (fs/namei.c:4336)<br /> [ 37.340465] __x64_sys_mkdir (fs/namei.c:4354)<br /> [ 37.341455] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)<br /> [ 37.342447] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)<br /> <br /> Fix this by simply swapping the sequence of these two calls in<br /> v9fs_vfs_mkdir_dotl(), i.e. calling v9fs_set_create_acl() before<br /> v9fs_fid_add().

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.0 (including) 6.12.23 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.13.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.14 (including) 6.14.2 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools