CVE-2022-50280
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 15/09/2025
Last modified: 15/09/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

pnode: terminate at peers of source

The propagate_mnt() function handles mount propagation when creating
mounts and propagates the source mount tree @source_mnt to all
applicable nodes of the destination propagation mount tree headed by
@dest_mnt.

Unfortunately it contains a bug where it fails to terminate at peers of
@source_mnt when looking up copies of the source mount that become
masters for copies of the source mount tree mounted on top of slaves in
the destination propagation tree causing a NULL dereference.

Once the mechanics of the bug are understood it's easy to trigger.
Because of unprivileged user namespaces it is available to unprivileged
users.

While fixing this bug we've gotten confused multiple times due to
unclear terminology or missing concepts. So let's start this with some
clarifications:

* The terms "master" or "peer" denote a shared mount. A shared mount
belongs to a peer group.

* A peer group is a set of shared mounts that propagate to each other.
They are identified by a peer group id. The peer group id is available
in @shared_mnt->mnt_group_id.
Shared mounts within the same peer group have the same peer group id.
The peers in a peer group can be reached via @shared_mnt->mnt_share.

* The terms "slave mount" or "dependent mount" denote a mount that
receives propagation from a peer in a peer group. IOW, shared mounts
may have slave mounts and slave mounts have shared mounts as their
master. Slave mounts of a given peer in a peer group are listed on
that peer's slave list available at @shared_mnt->mnt_slave_list.

* The term "master mount" denotes a mount in a peer group. IOW, it
denotes a shared mount or a peer mount in a peer group. The term
"master mount" - or "master" for short - is mostly used when talking
in the context of slave mounts that receive propagation from a master
mount. A master mount of a slave identifies the closest peer group a
slave mount receives propagation from. The master mount of a slave can
be identified via @slave_mount->mnt_master. Different slaves may point
to different masters in the same peer group.

* Multiple peers in a peer group can have non-empty ->mnt_slave_lists.
Non-empty ->mnt_slave_lists of peers don't intersect. Consequently, to
ensure all slave mounts of a peer group are visited the
->mnt_slave_lists of all peers in a peer group have to be walked.

* Slave mounts point to a peer in the closest peer group they receive
propagation from via @slave_mnt->mnt_master (see above). Together with
these peers they form a propagation group (see below). The closest
peer group can thus be identified through the peer group id
@slave_mnt->mnt_master->mnt_group_id of the peer/master that a slave
mount receives propagation from.

* A shared-slave mount is a slave mount to a peer group pg1 while also
a peer in another peer group pg2. IOW, a peer group may receive
propagation from another peer group.

If a peer group pg1 is a slave to another peer group pg2 then all
peers in peer group pg1 point to the same peer in peer group pg2 via
->mnt_master. IOW, all peers in peer group pg1 appear on the same
->mnt_slave_list. IOW, they cannot be slaves to different peer groups.

* A pure slave mount is a slave mount that is a slave to a peer group
but is not a peer in another peer group.

* A propagation group denotes the set of mounts consisting of a single
peer group pg1 and all slave mounts and shared-slave mounts that point
to a peer in that peer group via ->mnt_master. IOW, all slave mounts
such that @slave_mnt->mnt_master->mnt_group_id is equal to
@shared_mnt->mnt_group_id.

The concept of a propagation group makes it easier to talk about a
single propagation level in a propagation tree.

For example, in propagate_mnt() the immediate peers of @dest_mnt and
all slaves of @dest_mnt's peer group form a propagation group pr
---truncated---
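
The terminology in the description can be observed from user space: /proc/<pid>/mountinfo prints a mount's peer group id as `shared:N` and its master's peer group id as `master:N`. The following is an added example, not part of the advisory or the kernel commit, that classifies mounts and rebuilds propagation groups from that file; the sample input and all function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in /proc/<pid>/mountinfo format (not from a real host).
SAMPLE = """\
21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
30 21 0:25 / /mnt/a rw shared:2 - tmpfs tmpfs rw
31 21 0:25 / /mnt/b rw shared:2 - tmpfs tmpfs rw
32 21 0:25 / /mnt/c rw master:2 - tmpfs tmpfs rw
33 21 0:25 / /mnt/d rw shared:3 master:2 - tmpfs tmpfs rw
34 21 0:26 / /mnt/e rw - tmpfs tmpfs rw
"""

def parse_mountinfo(text):
    """Extract mount point, peer group id and master's peer group id."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        sep = fields.index("-", 6)  # optional fields end at the lone "-"
        tags = dict(f.split(":", 1) for f in fields[6:sep] if ":" in f)
        mounts.append({
            "path": fields[4],
            "shared": int(tags["shared"]) if "shared" in tags else None,
            "master": int(tags["master"]) if "master" in tags else None,
        })
    return mounts

def classify(m):
    """Name a mount using the terms defined in the commit message."""
    if m["shared"] is not None and m["master"] is not None:
        return "shared-slave"   # peer in one group, slave to another
    if m["master"] is not None:
        return "pure slave"     # slave only, not a peer anywhere
    if m["shared"] is not None:
        return "shared"         # peer in a peer group
    return "private"            # no propagation tags (term not used on this page)

def propagation_groups(mounts):
    """Map peer group id -> its peers and the slaves whose master is in it."""
    groups = defaultdict(lambda: {"peers": [], "slaves": []})
    for m in mounts:
        if m["shared"] is not None:
            groups[m["shared"]]["peers"].append(m["path"])
        if m["master"] is not None:
            groups[m["master"]]["slaves"].append(m["path"])
    return dict(groups)

if __name__ == "__main__":
    for m in parse_mountinfo(SAMPLE):
        print(m["path"], classify(m))
```

mountinfo only lists mounts in the reader's mount namespace, so a `master:N` whose peers live in another namespace yields a group with slaves but no visible peers.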
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/11933cf1d91d57da9e5c53822a540bbdc2656c16
- https://git.kernel.org/stable/c/2dae4211b579ce98985876a73a78466e285238ff
- https://git.kernel.org/stable/c/784a4f995ee24460aa72e00b085612fad57ebce5
- https://git.kernel.org/stable/c/7f57df69de7f05302fad584eb8e3f34de39e0311
- https://git.kernel.org/stable/c/b591b2919d018ef91b4a9571edca94105bcad3df
- https://git.kernel.org/stable/c/c24cc476acd8bccb5af54849aac5e779d8223bf5
- https://git.kernel.org/stable/c/cad0d17fb2b0540180ab59e2cd48ad348cc1ee4c
- https://git.kernel.org/stable/c/cc997490be65da0af8c75a6244fc80bb66c53ce0
- https://git.kernel.org/stable/c/e7c9f10c44a8919cd8bbd51b228c84d0caf7d518



