CVE-2025-40237 (GCVE-0-2025-40237)
Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-04 15:31
VLAI?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/notify: call exportfs_encode_fid with s_umount
Calling intotify_show_fdinfo() on fd watching an overlayfs inode, while
the overlayfs is being unmounted, can lead to dereferencing NULL ptr.
This issue was found by syzkaller.
Race Condition Diagram:
Thread 1 Thread 2
-------- --------
generic_shutdown_super()
shrink_dcache_for_umount
sb->s_root = NULL
|
| vfs_read()
| inotify_fdinfo()
| * inode get from mark *
| show_mark_fhandle(m, inode)
| exportfs_encode_fid(inode, ..)
| ovl_encode_fh(inode, ..)
| ovl_check_encode_origin(inode)
| * deref i_sb->s_root *
|
|
v
fsnotify_sb_delete(sb)
Which then leads to:
[ 32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
[ 32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
[ 32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)
<snip registers, unreliable trace>
[ 32.143353] Call Trace:
[ 32.143732] ovl_encode_fh+0xd5/0x170
[ 32.144031] exportfs_encode_inode_fh+0x12f/0x300
[ 32.144425] show_mark_fhandle+0xbe/0x1f0
[ 32.145805] inotify_fdinfo+0x226/0x2d0
[ 32.146442] inotify_show_fdinfo+0x1c5/0x350
[ 32.147168] seq_show+0x530/0x6f0
[ 32.147449] seq_read_iter+0x503/0x12a0
[ 32.148419] seq_read+0x31f/0x410
[ 32.150714] vfs_read+0x1f0/0x9e0
[ 32.152297] ksys_read+0x125/0x240
IOW ovl_check_encode_origin derefs inode->i_sb->s_root, after it was set
to NULL in the unmount path.
Fix it by protecting calling exportfs_encode_fid() from
show_mark_fhandle() with s_umount lock.
This form of fix was suggested by Amir in [1].
[1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f0c0ac84de17c37e6e84da65fb920f91dada55ad , < bc1c6b803e14ea2b8f7e33b7164013f666ceb656
(git)
Affected: 3c7c90274ae339e1ad443c9be1c67a20b80b9c76 , < 3f307a9f7a7a2822e38ac451b73e2244e7279496 (git) Affected: c45beebfde34aa71afbc48b2c54cdda623515037 , < d1894bc542becb0fda61e7e513b09523cab44030 (git) Affected: c45beebfde34aa71afbc48b2c54cdda623515037 , < a7c4bb43bfdc2b9f06ee9d036028ed13a83df42a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/notify/fdinfo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bc1c6b803e14ea2b8f7e33b7164013f666ceb656",
"status": "affected",
"version": "f0c0ac84de17c37e6e84da65fb920f91dada55ad",
"versionType": "git"
},
{
"lessThan": "3f307a9f7a7a2822e38ac451b73e2244e7279496",
"status": "affected",
"version": "3c7c90274ae339e1ad443c9be1c67a20b80b9c76",
"versionType": "git"
},
{
"lessThan": "d1894bc542becb0fda61e7e513b09523cab44030",
"status": "affected",
"version": "c45beebfde34aa71afbc48b2c54cdda623515037",
"versionType": "git"
},
{
"lessThan": "a7c4bb43bfdc2b9f06ee9d036028ed13a83df42a",
"status": "affected",
"version": "c45beebfde34aa71afbc48b2c54cdda623515037",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/notify/fdinfo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "6.6.74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "6.12.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/notify: call exportfs_encode_fid with s_umount\n\nCalling intotify_show_fdinfo() on fd watching an overlayfs inode, while\nthe overlayfs is being unmounted, can lead to dereferencing NULL ptr.\n\nThis issue was found by syzkaller.\n\nRace Condition Diagram:\n\nThread 1 Thread 2\n-------- --------\n\ngeneric_shutdown_super()\n shrink_dcache_for_umount\n sb-\u003es_root = NULL\n\n |\n | vfs_read()\n | inotify_fdinfo()\n | * inode get from mark *\n | show_mark_fhandle(m, inode)\n | exportfs_encode_fid(inode, ..)\n | ovl_encode_fh(inode, ..)\n | ovl_check_encode_origin(inode)\n | * deref i_sb-\u003es_root *\n |\n |\n v\n fsnotify_sb_delete(sb)\n\nWhich then leads to:\n\n[ 32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI\n[ 32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\n[ 32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)\n\n\u003csnip registers, unreliable trace\u003e\n\n[ 32.143353] Call Trace:\n[ 32.143732] ovl_encode_fh+0xd5/0x170\n[ 32.144031] exportfs_encode_inode_fh+0x12f/0x300\n[ 32.144425] show_mark_fhandle+0xbe/0x1f0\n[ 32.145805] inotify_fdinfo+0x226/0x2d0\n[ 32.146442] inotify_show_fdinfo+0x1c5/0x350\n[ 32.147168] seq_show+0x530/0x6f0\n[ 32.147449] seq_read_iter+0x503/0x12a0\n[ 32.148419] seq_read+0x31f/0x410\n[ 32.150714] vfs_read+0x1f0/0x9e0\n[ 32.152297] ksys_read+0x125/0x240\n\nIOW ovl_check_encode_origin derefs inode-\u003ei_sb-\u003es_root, after it was set\nto NULL in the unmount path.\n\nFix it by protecting calling exportfs_encode_fid() from\nshow_mark_fhandle() with s_umount lock.\n\nThis form of fix was suggested by Amir in [1].\n\n[1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T15:31:27.325Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bc1c6b803e14ea2b8f7e33b7164013f666ceb656"
},
{
"url": "https://git.kernel.org/stable/c/3f307a9f7a7a2822e38ac451b73e2244e7279496"
},
{
"url": "https://git.kernel.org/stable/c/d1894bc542becb0fda61e7e513b09523cab44030"
},
{
"url": "https://git.kernel.org/stable/c/a7c4bb43bfdc2b9f06ee9d036028ed13a83df42a"
}
],
"title": "fs/notify: call exportfs_encode_fid with s_umount",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40237",
"datePublished": "2025-12-04T15:31:27.325Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2025-12-04T15:31:27.325Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-40237\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-04T16:16:16.697\",\"lastModified\":\"2025-12-04T17:15:08.283\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/notify: call exportfs_encode_fid with s_umount\\n\\nCalling intotify_show_fdinfo() on fd watching an overlayfs inode, while\\nthe overlayfs is being unmounted, can lead to dereferencing NULL ptr.\\n\\nThis issue was found by syzkaller.\\n\\nRace Condition Diagram:\\n\\nThread 1 Thread 2\\n-------- --------\\n\\ngeneric_shutdown_super()\\n shrink_dcache_for_umount\\n sb-\u003es_root = NULL\\n\\n |\\n | vfs_read()\\n | inotify_fdinfo()\\n | * inode get from mark *\\n | show_mark_fhandle(m, inode)\\n | exportfs_encode_fid(inode, ..)\\n | ovl_encode_fh(inode, ..)\\n | ovl_check_encode_origin(inode)\\n | * deref i_sb-\u003es_root *\\n |\\n |\\n v\\n fsnotify_sb_delete(sb)\\n\\nWhich then leads to:\\n\\n[ 32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI\\n[ 32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\\n[ 32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)\\n\\n\u003csnip registers, unreliable trace\u003e\\n\\n[ 32.143353] Call Trace:\\n[ 32.143732] ovl_encode_fh+0xd5/0x170\\n[ 32.144031] exportfs_encode_inode_fh+0x12f/0x300\\n[ 32.144425] show_mark_fhandle+0xbe/0x1f0\\n[ 32.145805] inotify_fdinfo+0x226/0x2d0\\n[ 32.146442] inotify_show_fdinfo+0x1c5/0x350\\n[ 32.147168] seq_show+0x530/0x6f0\\n[ 32.147449] seq_read_iter+0x503/0x12a0\\n[ 32.148419] seq_read+0x31f/0x410\\n[ 32.150714] vfs_read+0x1f0/0x9e0\\n[ 32.152297] ksys_read+0x125/0x240\\n\\nIOW ovl_check_encode_origin derefs inode-\u003ei_sb-\u003es_root, after it was set\\nto NULL in the unmount path.\\n\\nFix it by protecting calling exportfs_encode_fid() from\\nshow_mark_fhandle() with s_umount lock.\\n\\nThis form of fix was suggested by Amir in [1].\\n\\n[1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3f307a9f7a7a2822e38ac451b73e2244e7279496\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a7c4bb43bfdc2b9f06ee9d036028ed13a83df42a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bc1c6b803e14ea2b8f7e33b7164013f666ceb656\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d1894bc542becb0fda61e7e513b09523cab44030\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…