DEBIAN-CVE-2025-40072

In the Linux kernel, the following vulnerability has been resolved: fanotify: Validate the return value of mntnsfromdentry() before dereferencing The function dofanotifymark() does not validate if mntnsfromdentry() returns NULL before dereferencing mntns->userns. This causes a NULL pointer dereference in dofanotifymark() if the path is not a mount namespace object. Fix this by checking mntnsfromdentry()'s return value before dereferencing it. Before the patch $ gcc fanotifynullptr.c -o fanotifynullptr $ mkdir A $ ./fanotifynullptr Fanotify fd: 3 fanotifymark: Operation not permitted $ unshare -Urm Fanotify fd: 3 Killed int main(void){ int ffd; ffd = fanotifyinit(FANCLASSNOTIF | FANREPORTMNT, 0); if(ffd < 0){ perror("fanotifyinit"); exit(EXITFAILURE); } printf("Fanotify fd: %d\n",ffd); if(fanotifymark(ffd, FANMARKADD | FANMARKMNTNS, FANMNTATTACH, ATFDCWD, "A") < 0){ perror("fanotifymark"); exit(EXITFAILURE); } return 0; } After the patch $ gcc fanotifynullptr.c -o fanotifynullptr $ mkdir A $ ./fanotifynullptr Fanotify fd: 3 fanotifymark: Operation not permitted $ unshare -Urm Fanotify fd: 3 fanotifymark: Invalid argument [ 25.694973] BUG: kernel NULL pointer dereference, address: 0000000000000038 [ 25.695006] #PF: supervisor read access in kernel mode [ 25.695012] #PF: errorcode(0x0000) - not-present page [ 25.695017] PGD 109a30067 P4D 109a30067 PUD 142b46067 PMD 0 [ 25.695025] Oops: Oops: 0000 [#1] SMP NOPTI [ 25.695032] CPU: 4 UID: 1000 PID: 1478 Comm: fanotifynullpt Not tainted 6.17.0-rc4 #1 PREEMPT(lazy) [ 25.695040] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 [ 25.695049] RIP: 0010:dofanotifymark+0x817/0x950 [ 25.695066] Code: 04 00 00 e9 45 fd ff ff 48 8b 7c 24 48 4c 89 54 24 18 4c 89 5c 24 10 4c 89 0c 24 e8 b3 11 fc ff 4c 8b 54 24 18 4c 8b 5c 24 10 <48> 8b 78 38 4c 8b 0c 24 49 89 c4 e9 13 fd ff ff 8b 4c 24 28 85 c9 [ 25.695081] RSP: 0018:ffffd31c469e3c08 EFLAGS: 00010203 [ 25.695104] RAX: 0000000000000000 RBX: 0000000001000000 RCX: ffff8eb48aebd220 [ 25.695110] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8eb4835e8180 [ 25.695115] RBP: 0000000000000111 R08: 0000000000000000 R09: 0000000000000000 [ 25.695142] R10: ffff8eb48a7d56c0 R11: ffff8eb482bede00 R12: 00000000004012a7 [ 25.695148] R13: 0000000000000110 R14: 0000000000000001 R15: ffff8eb48a7d56c0 [ 25.695154] FS: 00007f8733bda740(0000) GS:ffff8eb61ce5f000(0000) knlGS:0000000000000000 [ 25.695162] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 25.695170] CR2: 0000000000000038 CR3: 0000000136994006 CR4: 00000000003706f0 [ 25.695201] Call Trace: [ 25.695209] <TASK> [ 25.695215] _x64sysfanotifymark+0x1f/0x30 [ 25.695222] dosyscall64+0x82/0x2c0 ...