CVE-2025-22070 (GCVE-0-2025-22070)
Vulnerability from cvelistv5
Published: 2025-04-16 14:12
Modified: 2025-05-26 05:17
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:

fs/9p: fix NULL pointer dereference on mkdir

When a 9p tree was mounted with option 'posixacl', parent directory had a default ACL set for its subdirectories, e.g.:

  setfacl -m default:group:simpsons:rwx parentdir

then creating a subdirectory crashed 9p client, as v9fs_fid_add() call in function v9fs_vfs_mkdir_dotl() sets the passed 'fid' pointer to NULL (since dafbe689736) even though the subsequent v9fs_set_create_acl() call expects a valid non-NULL 'fid' pointer:

  [   37.273191] BUG: kernel NULL pointer dereference, address: 0000000000000000
  ...
  [   37.322338] Call Trace:
  [   37.323043]  <TASK>
  [   37.323621] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
  [   37.324448] ? page_fault_oops (arch/x86/mm/fault.c:714)
  [   37.325532] ? search_module_extables (kernel/module/main.c:3733)
  [   37.326742] ? p9_client_walk (net/9p/client.c:1165) 9pnet
  [   37.328006] ? search_bpf_extables (kernel/bpf/core.c:804)
  [   37.329142] ? exc_page_fault (./arch/x86/include/asm/paravirt.h:686 arch/x86/mm/fault.c:1488 arch/x86/mm/fault.c:1538)
  [   37.330196] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:574)
  [   37.331330] ? p9_client_walk (net/9p/client.c:1165) 9pnet
  [   37.332562] ? v9fs_fid_xattr_get (fs/9p/xattr.c:30) 9p
  [   37.333824] v9fs_fid_xattr_set (fs/9p/fid.h:23 fs/9p/xattr.c:121) 9p
  [   37.335077] v9fs_set_acl (fs/9p/acl.c:276) 9p
  [   37.336112] v9fs_set_create_acl (fs/9p/acl.c:307) 9p
  [   37.337326] v9fs_vfs_mkdir_dotl (fs/9p/vfs_inode_dotl.c:411) 9p
  [   37.338590] vfs_mkdir (fs/namei.c:4313)
  [   37.339535] do_mkdirat (fs/namei.c:4336)
  [   37.340465] __x64_sys_mkdir (fs/namei.c:4354)
  [   37.341455] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
  [   37.342447] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

Fix this by simply swapping the sequence of these two calls in v9fs_vfs_mkdir_dotl(), i.e. calling v9fs_set_create_acl() before v9fs_fid_add().
Impacted products
Vendor Product Version
Linux Linux Version: dafbe689736f62c696ac64809b17bdc752cfbe76
Version: dafbe689736f62c696ac64809b17bdc752cfbe76
Version: dafbe689736f62c696ac64809b17bdc752cfbe76
Version: dafbe689736f62c696ac64809b17bdc752cfbe76


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/9p/vfs_inode_dotl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8522051c58d68146b93e8a5ba9987e83b3d64e7b",
              "status": "affected",
              "version": "dafbe689736f62c696ac64809b17bdc752cfbe76",
              "versionType": "git"
            },
            {
              "lessThan": "2139dea5c53e3bb63ac49a6901c85e525a80ee8a",
              "status": "affected",
              "version": "dafbe689736f62c696ac64809b17bdc752cfbe76",
              "versionType": "git"
            },
            {
              "lessThan": "6517b395cb1e43fbf3962dd93e6fb4a5e5ab100e",
              "status": "affected",
              "version": "dafbe689736f62c696ac64809b17bdc752cfbe76",
              "versionType": "git"
            },
            {
              "lessThan": "3f61ac7c65bdb26accb52f9db66313597e759821",
              "status": "affected",
              "version": "dafbe689736f62c696ac64809b17bdc752cfbe76",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/9p/vfs_inode_dotl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/9p: fix NULL pointer dereference on mkdir\n\nWhen a 9p tree was mounted with option \u0027posixacl\u0027, parent directory had a\ndefault ACL set for its subdirectories, e.g.:\n\n  setfacl -m default:group:simpsons:rwx parentdir\n\nthen creating a subdirectory crashed 9p client, as v9fs_fid_add() call in\nfunction v9fs_vfs_mkdir_dotl() sets the passed \u0027fid\u0027 pointer to NULL\n(since dafbe689736) even though the subsequent v9fs_set_create_acl() call\nexpects a valid non-NULL \u0027fid\u0027 pointer:\n\n  [   37.273191] BUG: kernel NULL pointer dereference, address: 0000000000000000\n  ...\n  [   37.322338] Call Trace:\n  [   37.323043]  \u003cTASK\u003e\n  [   37.323621] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)\n  [   37.324448] ? page_fault_oops (arch/x86/mm/fault.c:714)\n  [   37.325532] ? search_module_extables (kernel/module/main.c:3733)\n  [   37.326742] ? p9_client_walk (net/9p/client.c:1165) 9pnet\n  [   37.328006] ? search_bpf_extables (kernel/bpf/core.c:804)\n  [   37.329142] ? exc_page_fault (./arch/x86/include/asm/paravirt.h:686 arch/x86/mm/fault.c:1488 arch/x86/mm/fault.c:1538)\n  [   37.330196] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:574)\n  [   37.331330] ? p9_client_walk (net/9p/client.c:1165) 9pnet\n  [   37.332562] ? v9fs_fid_xattr_get (fs/9p/xattr.c:30) 9p\n  [   37.333824] v9fs_fid_xattr_set (fs/9p/fid.h:23 fs/9p/xattr.c:121) 9p\n  [   37.335077] v9fs_set_acl (fs/9p/acl.c:276) 9p\n  [   37.336112] v9fs_set_create_acl (fs/9p/acl.c:307) 9p\n  [   37.337326] v9fs_vfs_mkdir_dotl (fs/9p/vfs_inode_dotl.c:411) 9p\n  [   37.338590] vfs_mkdir (fs/namei.c:4313)\n  [   37.339535] do_mkdirat (fs/namei.c:4336)\n  [   37.340465] __x64_sys_mkdir (fs/namei.c:4354)\n  [   37.341455] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\n  [   37.342447] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nFix this by simply swapping the sequence of these two calls in\nv9fs_vfs_mkdir_dotl(), i.e. calling v9fs_set_create_acl() before\nv9fs_fid_add()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:17:48.958Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8522051c58d68146b93e8a5ba9987e83b3d64e7b"
        },
        {
          "url": "https://git.kernel.org/stable/c/2139dea5c53e3bb63ac49a6901c85e525a80ee8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/6517b395cb1e43fbf3962dd93e6fb4a5e5ab100e"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f61ac7c65bdb26accb52f9db66313597e759821"
        }
      ],
      "title": "fs/9p: fix NULL pointer dereference on mkdir",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22070",
    "datePublished": "2025-04-16T14:12:23.295Z",
    "dateReserved": "2024-12-29T08:45:45.814Z",
    "dateUpdated": "2025-05-26T05:17:48.958Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-22070\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-04-16T15:16:01.193\",\"lastModified\":\"2025-05-06T16:40:30.763\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/9p: fix NULL pointer dereference on mkdir\\n\\nWhen a 9p tree was mounted with option \u0027posixacl\u0027, parent directory had a\\ndefault ACL set for its subdirectories, e.g.:\\n\\n  setfacl -m default:group:simpsons:rwx parentdir\\n\\nthen creating a subdirectory crashed 9p client, as v9fs_fid_add() call in\\nfunction v9fs_vfs_mkdir_dotl() sets the passed \u0027fid\u0027 pointer to NULL\\n(since dafbe689736) even though the subsequent v9fs_set_create_acl() call\\nexpects a valid non-NULL \u0027fid\u0027 pointer:\\n\\n  [   37.273191] BUG: kernel NULL pointer dereference, address: 0000000000000000\\n  ...\\n  [   37.322338] Call Trace:\\n  [   37.323043]  \u003cTASK\u003e\\n  [   37.323621] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)\\n  [   37.324448] ? page_fault_oops (arch/x86/mm/fault.c:714)\\n  [   37.325532] ? search_module_extables (kernel/module/main.c:3733)\\n  [   37.326742] ? p9_client_walk (net/9p/client.c:1165) 9pnet\\n  [   37.328006] ? search_bpf_extables (kernel/bpf/core.c:804)\\n  [   37.329142] ? exc_page_fault (./arch/x86/include/asm/paravirt.h:686 arch/x86/mm/fault.c:1488 arch/x86/mm/fault.c:1538)\\n  [   37.330196] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:574)\\n  [   37.331330] ? p9_client_walk (net/9p/client.c:1165) 9pnet\\n  [   37.332562] ? 
v9fs_fid_xattr_get (fs/9p/xattr.c:30) 9p\\n  [   37.333824] v9fs_fid_xattr_set (fs/9p/fid.h:23 fs/9p/xattr.c:121) 9p\\n  [   37.335077] v9fs_set_acl (fs/9p/acl.c:276) 9p\\n  [   37.336112] v9fs_set_create_acl (fs/9p/acl.c:307) 9p\\n  [   37.337326] v9fs_vfs_mkdir_dotl (fs/9p/vfs_inode_dotl.c:411) 9p\\n  [   37.338590] vfs_mkdir (fs/namei.c:4313)\\n  [   37.339535] do_mkdirat (fs/namei.c:4336)\\n  [   37.340465] __x64_sys_mkdir (fs/namei.c:4354)\\n  [   37.341455] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\\n  [   37.342447] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\\n\\nFix this by simply swapping the sequence of these two calls in\\nv9fs_vfs_mkdir_dotl(), i.e. calling v9fs_set_create_acl() before\\nv9fs_fid_add().\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: fs/9p: corregir la desreferencia de puntero NULL en mkdir Cuando se montaba un \u00e1rbol 9p con la opci\u00f3n \u0027posixacl\u0027, el directorio padre ten\u00eda una ACL predeterminada establecida para sus subdirectorios, p. ej.: setfacl -m default:group:simpsons:rwx parentdir luego, la creaci\u00f3n de un subdirectorio hac\u00eda que el cliente 9p se bloqueara, ya que la llamada v9fs_fid_add() en la funci\u00f3n v9fs_vfs_mkdir_dotl() establece el puntero \u0027fid\u0027 pasado en NULL (desde dafbe689736) aunque la llamada v9fs_set_create_acl() posterior espera un puntero \u0027fid\u0027 no NULL v\u00e1lido: [ 37.273191] ERROR: desreferencia de puntero NULL del kernel, direcci\u00f3n: 0000000000000000 ... [ 37.322338] Rastreo de llamadas: [ 37.323043]  [ 37.323621] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434) [ 37.324448] ? page_fault_oops (arch/x86/mm/fault.c:714) [ 37.325532] ? search_module_extables (kernel/module/main.c:3733) [ 37.326742] ? p9_client_walk (net/9p/client.c:1165) 9pnet [ 37.328006] ? search_bpf_extables (kernel/bpf/core.c:804) [ 37.329142] ? 
asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:574) [ 37.331330] ? p9_client_walk (net/9p/client.c:1165) 9pnet [ 37.332562] ? v9fs_fid_xattr_get (fs/9p/xattr.c:30) 9p [ 37.333824] v9fs_fid_xattr_set (fs/9p/fid.h:23 fs/9p/xattr.c:121) 9p [ 37.335077] v9fs_set_acl (fs/9p/acl.c:276) 9p [ 37.336112] v9fs_set_create_acl (fs/9p/acl.c:307) 9p [ 37.337326] v9fs_vfs_mkdir_dotl (fs/9p/vfs_inode_dotl.c:411) 9p [ 37.338590] vfs_mkdir (fs/namei.c:4313) [ 37.339535] do_mkdirat (fs/namei.c:4336) [ 37.340465] __x64_sys_mkdir (fs/namei.c:4354) [ 37.341455] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) [ 37.342447] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Solucione esto simplemente intercambiando la secuencia de estas dos llamadas en v9fs_vfs_mkdir_dotl(), es decir, llamando a v9fs_set_create_acl() antes v9fs_fid_add().\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.0\",\"versionEndExcluding\":\"6.12.23\",\"matchCriteriaId\":\"182A5D52-C727-4186-80D8-2F727FAAA54D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.13.11\",\"matchCriteriaId\":\"E7E864B0-8C0
0-4679-BA55-659B4C9C3AD3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.14\",\"versionEndExcluding\":\"6.14.2\",\"matchCriteriaId\":\"FADAE5D8-4808-442C-B218-77B2CE8780A0\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2139dea5c53e3bb63ac49a6901c85e525a80ee8a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3f61ac7c65bdb26accb52f9db66313597e759821\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/6517b395cb1e43fbf3962dd93e6fb4a5e5ab100e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8522051c58d68146b93e8a5ba9987e83b3d64e7b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}

