Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-40237

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/12/2025
Last modified:
04/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/notify: call exportfs_encode_fid with s_umount<br /> <br /> Calling intotify_show_fdinfo() on fd watching an overlayfs inode, while<br /> the overlayfs is being unmounted, can lead to dereferencing NULL ptr.<br /> <br /> This issue was found by syzkaller.<br /> <br /> Race Condition Diagram:<br /> <br /> Thread 1 Thread 2<br /> -------- --------<br /> <br /> generic_shutdown_super()<br /> shrink_dcache_for_umount<br /> sb-&gt;s_root = NULL<br /> <br /> |<br /> | vfs_read()<br /> | inotify_fdinfo()<br /> | * inode get from mark *<br /> | show_mark_fhandle(m, inode)<br /> | exportfs_encode_fid(inode, ..)<br /> | ovl_encode_fh(inode, ..)<br /> | ovl_check_encode_origin(inode)<br /> | * deref i_sb-&gt;s_root *<br /> |<br /> |<br /> v<br /> fsnotify_sb_delete(sb)<br /> <br /> Which then leads to:<br /> <br /> [ 32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI<br /> [ 32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]<br /> [ 32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)<br /> <br /> <br /> <br /> [ 32.143353] Call Trace:<br /> [ 32.143732] ovl_encode_fh+0xd5/0x170<br /> [ 32.144031] exportfs_encode_inode_fh+0x12f/0x300<br /> [ 32.144425] show_mark_fhandle+0xbe/0x1f0<br /> [ 32.145805] inotify_fdinfo+0x226/0x2d0<br /> [ 32.146442] inotify_show_fdinfo+0x1c5/0x350<br /> [ 32.147168] seq_show+0x530/0x6f0<br /> [ 32.147449] seq_read_iter+0x503/0x12a0<br /> [ 32.148419] seq_read+0x31f/0x410<br /> [ 32.150714] vfs_read+0x1f0/0x9e0<br /> [ 32.152297] ksys_read+0x125/0x240<br /> <br /> IOW ovl_check_encode_origin derefs inode-&gt;i_sb-&gt;s_root, after it was set<br /> to NULL in the unmount path.<br /> <br /> Fix it by protecting calling exportfs_encode_fid() from<br /> show_mark_fhandle() with s_umount lock.<br /> <br /> This form of fix was suggested by Amir in [1].<br /> <br /> [1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/

Impact

References to Advisories, Solutions, and Tools