CVE-2025-22070

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-22070
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22070.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-22070
Downstream
Related
Published
2025-04-16T14:12:23Z
Modified
2025-10-17T23:29:34.344007Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
fs/9p: fix NULL pointer dereference on mkdir
Details

In the Linux kernel, the following vulnerability has been resolved:

fs/9p: fix NULL pointer dereference on mkdir

When a 9p tree was mounted with option 'posixacl', parent directory had a default ACL set for its subdirectories, e.g.:

setfacl -m default:group:simpsons:rwx parentdir

then creating a subdirectory crashed 9p client, as v9fsfidadd() call in function v9fsvfsmkdirdotl() sets the passed 'fid' pointer to NULL (since dafbe689736) even though the subsequent v9fssetcreateacl() call expects a valid non-NULL 'fid' pointer:

[ 37.273191] BUG: kernel NULL pointer dereference, address: 0000000000000000 ... [ 37.322338] Call Trace: [ 37.323043] <TASK> [ 37.323621] ? _die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434) [ 37.324448] ? pagefaultoops (arch/x86/mm/fault.c:714) [ 37.325532] ? searchmoduleextables (kernel/module/main.c:3733) [ 37.326742] ? p9clientwalk (net/9p/client.c:1165) 9pnet [ 37.328006] ? searchbpfextables (kernel/bpf/core.c:804) [ 37.329142] ? excpagefault (./arch/x86/include/asm/paravirt.h:686 arch/x86/mm/fault.c:1488 arch/x86/mm/fault.c:1538) [ 37.330196] ? asmexcpagefault (./arch/x86/include/asm/idtentry.h:574) [ 37.331330] ? p9clientwalk (net/9p/client.c:1165) 9pnet [ 37.332562] ? v9fsfidxattrget (fs/9p/xattr.c:30) 9p [ 37.333824] v9fsfidxattrset (fs/9p/fid.h:23 fs/9p/xattr.c:121) 9p [ 37.335077] v9fssetacl (fs/9p/acl.c:276) 9p [ 37.336112] v9fssetcreateacl (fs/9p/acl.c:307) 9p [ 37.337326] v9fsvfsmkdirdotl (fs/9p/vfsinodedotl.c:411) 9p [ 37.338590] vfsmkdir (fs/namei.c:4313) [ 37.339535] domkdirat (fs/namei.c:4336) [ 37.340465] _x64sysmkdir (fs/namei.c:4354) [ 37.341455] dosyscall64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) [ 37.342447] entrySYSCALL64afterhwframe (arch/x86/entry/entry64.S:130)

Fix this by simply swapping the sequence of these two calls in v9fsvfsmkdirdotl(), i.e. calling v9fssetcreateacl() before v9fsfidadd().

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
dafbe689736f62c696ac64809b17bdc752cfbe76
Fixed
8522051c58d68146b93e8a5ba9987e83b3d64e7b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
dafbe689736f62c696ac64809b17bdc752cfbe76
Fixed
2139dea5c53e3bb63ac49a6901c85e525a80ee8a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
dafbe689736f62c696ac64809b17bdc752cfbe76
Fixed
6517b395cb1e43fbf3962dd93e6fb4a5e5ab100e
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
dafbe689736f62c696ac64809b17bdc752cfbe76
Fixed
3f61ac7c65bdb26accb52f9db66313597e759821

Affected versions

v5.*

v5.19
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.13.1
v6.13.10
v6.13.2
v6.13.3
v6.13.4
v6.13.5
v6.13.6
v6.13.7
v6.13.8
v6.13.9
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2139dea5c53e3bb63ac49a6901c85e525a80ee8a",
        "deprecated": false,
        "target": {
            "file": "fs/9p/vfs_inode_dotl.c"
        },
        "digest": {
            "line_hashes": [
                "208574868576084052181496281269117645229",
                "103816366781824705389464638001512836884",
                "182014300055628872874730561507611371105",
                "182502823724481213002400231723413816382",
                "38770683462376068329359017136350606949"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2025-22070-14d10299",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6517b395cb1e43fbf3962dd93e6fb4a5e5ab100e",
        "deprecated": false,
        "target": {
            "file": "fs/9p/vfs_inode_dotl.c"
        },
        "digest": {
            "line_hashes": [
                "208574868576084052181496281269117645229",
                "103816366781824705389464638001512836884",
                "182014300055628872874730561507611371105",
                "182502823724481213002400231723413816382",
                "38770683462376068329359017136350606949"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2025-22070-3d59f3cd",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3f61ac7c65bdb26accb52f9db66313597e759821",
        "deprecated": false,
        "target": {
            "file": "fs/9p/vfs_inode_dotl.c",
            "function": "v9fs_vfs_mkdir_dotl"
        },
        "digest": {
            "function_hash": "26637892151865864759980973076957705405",
            "length": 1454.0
        },
        "id": "CVE-2025-22070-494fec51",
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8522051c58d68146b93e8a5ba9987e83b3d64e7b",
        "deprecated": false,
        "target": {
            "file": "fs/9p/vfs_inode_dotl.c"
        },
        "digest": {
            "line_hashes": [
                "208574868576084052181496281269117645229",
                "103816366781824705389464638001512836884",
                "182014300055628872874730561507611371105",
                "182502823724481213002400231723413816382",
                "38770683462376068329359017136350606949"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2025-22070-6c0a9842",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3f61ac7c65bdb26accb52f9db66313597e759821",
        "deprecated": false,
        "target": {
            "file": "fs/9p/vfs_inode_dotl.c"
        },
        "digest": {
            "line_hashes": [
                "208574868576084052181496281269117645229",
                "103816366781824705389464638001512836884",
                "182014300055628872874730561507611371105",
                "182502823724481213002400231723413816382",
                "38770683462376068329359017136350606949"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2025-22070-7931367f",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2139dea5c53e3bb63ac49a6901c85e525a80ee8a",
        "deprecated": false,
        "target": {
            "file": "fs/9p/vfs_inode_dotl.c",
            "function": "v9fs_vfs_mkdir_dotl"
        },
        "digest": {
            "function_hash": "26637892151865864759980973076957705405",
            "length": 1454.0
        },
        "id": "CVE-2025-22070-8df92fb8",
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8522051c58d68146b93e8a5ba9987e83b3d64e7b",
        "deprecated": false,
        "target": {
            "file": "fs/9p/vfs_inode_dotl.c",
            "function": "v9fs_vfs_mkdir_dotl"
        },
        "digest": {
            "function_hash": "26637892151865864759980973076957705405",
            "length": 1454.0
        },
        "id": "CVE-2025-22070-d341d533",
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6517b395cb1e43fbf3962dd93e6fb4a5e5ab100e",
        "deprecated": false,
        "target": {
            "file": "fs/9p/vfs_inode_dotl.c",
            "function": "v9fs_vfs_mkdir_dotl"
        },
        "digest": {
            "function_hash": "26637892151865864759980973076957705405",
            "length": 1454.0
        },
        "id": "CVE-2025-22070-ecafac64",
        "signature_type": "Function",
        "signature_version": "v1"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.12.23
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.13.11
Type
ECOSYSTEM
Events
Introduced
6.14.0
Fixed
6.14.2