In the Linux kernel, the following vulnerability has been resolved:
fs/9p: fix NULL pointer dereference on mkdir
When a 9p tree was mounted with option 'posixacl', parent directory had a default ACL set for its subdirectories, e.g.:
setfacl -m default:group:simpsons:rwx parentdir
then creating a subdirectory crashed 9p client, as v9fsfidadd() call in function v9fsvfsmkdirdotl() sets the passed 'fid' pointer to NULL (since dafbe689736) even though the subsequent v9fssetcreateacl() call expects a valid non-NULL 'fid' pointer:
[ 37.273191] BUG: kernel NULL pointer dereference, address: 0000000000000000 ... [ 37.322338] Call Trace: [ 37.323043] <TASK> [ 37.323621] ? _die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434) [ 37.324448] ? pagefaultoops (arch/x86/mm/fault.c:714) [ 37.325532] ? searchmoduleextables (kernel/module/main.c:3733) [ 37.326742] ? p9clientwalk (net/9p/client.c:1165) 9pnet [ 37.328006] ? searchbpfextables (kernel/bpf/core.c:804) [ 37.329142] ? excpagefault (./arch/x86/include/asm/paravirt.h:686 arch/x86/mm/fault.c:1488 arch/x86/mm/fault.c:1538) [ 37.330196] ? asmexcpagefault (./arch/x86/include/asm/idtentry.h:574) [ 37.331330] ? p9clientwalk (net/9p/client.c:1165) 9pnet [ 37.332562] ? v9fsfidxattrget (fs/9p/xattr.c:30) 9p [ 37.333824] v9fsfidxattrset (fs/9p/fid.h:23 fs/9p/xattr.c:121) 9p [ 37.335077] v9fssetacl (fs/9p/acl.c:276) 9p [ 37.336112] v9fssetcreateacl (fs/9p/acl.c:307) 9p [ 37.337326] v9fsvfsmkdirdotl (fs/9p/vfsinodedotl.c:411) 9p [ 37.338590] vfsmkdir (fs/namei.c:4313) [ 37.339535] domkdirat (fs/namei.c:4336) [ 37.340465] _x64sysmkdir (fs/namei.c:4354) [ 37.341455] dosyscall64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) [ 37.342447] entrySYSCALL64afterhwframe (arch/x86/entry/entry64.S:130)
Fix this by simply swapping the sequence of these two calls in v9fsvfsmkdirdotl(), i.e. calling v9fssetcreateacl() before v9fsfidadd().
[ { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2139dea5c53e3bb63ac49a6901c85e525a80ee8a", "deprecated": false, "target": { "file": "fs/9p/vfs_inode_dotl.c" }, "digest": { "line_hashes": [ "208574868576084052181496281269117645229", "103816366781824705389464638001512836884", "182014300055628872874730561507611371105", "182502823724481213002400231723413816382", "38770683462376068329359017136350606949" ], "threshold": 0.9 }, "id": "CVE-2025-22070-14d10299", "signature_type": "Line", "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6517b395cb1e43fbf3962dd93e6fb4a5e5ab100e", "deprecated": false, "target": { "file": "fs/9p/vfs_inode_dotl.c" }, "digest": { "line_hashes": [ "208574868576084052181496281269117645229", "103816366781824705389464638001512836884", "182014300055628872874730561507611371105", "182502823724481213002400231723413816382", "38770683462376068329359017136350606949" ], "threshold": 0.9 }, "id": "CVE-2025-22070-3d59f3cd", "signature_type": "Line", "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3f61ac7c65bdb26accb52f9db66313597e759821", "deprecated": false, "target": { "file": "fs/9p/vfs_inode_dotl.c", "function": "v9fs_vfs_mkdir_dotl" }, "digest": { "function_hash": "26637892151865864759980973076957705405", "length": 1454.0 }, "id": "CVE-2025-22070-494fec51", "signature_type": "Function", "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8522051c58d68146b93e8a5ba9987e83b3d64e7b", "deprecated": false, "target": { "file": "fs/9p/vfs_inode_dotl.c" }, "digest": { "line_hashes": [ "208574868576084052181496281269117645229", "103816366781824705389464638001512836884", "182014300055628872874730561507611371105", "182502823724481213002400231723413816382", "38770683462376068329359017136350606949" ], "threshold": 0.9 }, "id": "CVE-2025-22070-6c0a9842", "signature_type": "Line", "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3f61ac7c65bdb26accb52f9db66313597e759821", "deprecated": false, "target": { "file": "fs/9p/vfs_inode_dotl.c" }, "digest": { "line_hashes": [ "208574868576084052181496281269117645229", "103816366781824705389464638001512836884", "182014300055628872874730561507611371105", "182502823724481213002400231723413816382", "38770683462376068329359017136350606949" ], "threshold": 0.9 }, "id": "CVE-2025-22070-7931367f", "signature_type": "Line", "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2139dea5c53e3bb63ac49a6901c85e525a80ee8a", "deprecated": false, "target": { "file": "fs/9p/vfs_inode_dotl.c", "function": "v9fs_vfs_mkdir_dotl" }, "digest": { "function_hash": "26637892151865864759980973076957705405", "length": 1454.0 }, "id": "CVE-2025-22070-8df92fb8", "signature_type": "Function", "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8522051c58d68146b93e8a5ba9987e83b3d64e7b", "deprecated": false, "target": { "file": "fs/9p/vfs_inode_dotl.c", "function": "v9fs_vfs_mkdir_dotl" }, "digest": { "function_hash": "26637892151865864759980973076957705405", "length": 1454.0 }, "id": "CVE-2025-22070-d341d533", "signature_type": "Function", "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6517b395cb1e43fbf3962dd93e6fb4a5e5ab100e", "deprecated": false, "target": { "file": "fs/9p/vfs_inode_dotl.c", "function": "v9fs_vfs_mkdir_dotl" }, "digest": { "function_hash": "26637892151865864759980973076957705405", "length": 1454.0 }, "id": "CVE-2025-22070-ecafac64", "signature_type": "Function", "signature_version": "v1" } ]