Re: [PATCH v2] fanotify: Validating the return value of mnt_ns_from_dentry() before dereferencing mntns->user_ns in do_fanotify_mark()

[Anderson Nascimento <anderson@xxxxxxxxxxxxxxxxxx>]

On Fri, Sep 5, 2025 at 10:48 AM Jan Kara <jack@xxxxxxx> wrote:
>
> On Thu 04-09-25 09:58:12, Anderson Nascimento wrote:
> > Validating the return value of mnt_ns_from_dentry() before
> > dereferencing mntns->user_ns in do_fanotify_mark()
> >
> > The function do_fanotify_mark() does not validate if
> > mnt_ns_from_dentry() returns NULL before dereferencing mntns->user_ns.
> > This causes a NULL pointer dereference in do_fanotify_mark() if the
> > path is not a mount namespace object.
> >
> > Fix this by checking mnt_ns_from_dentry()'s return value before
> > dereferencing it. Tested on v6.17-rc4.
>
> I've added the patch to my tree and will push it to Linus. Just as a side
> note for next time: Your mailer seems to have damaged whitespace in the
> patch so I had to manually fix that up. The best is if you can configure
> your mail client to leave whitespace as is but the second best option is to
> just attach the patch as a text/plain attachment. Most of the tooling we
> use for patch handling can deal with that and it's better than having to
> manually fixup whitespace. Thanks!

Thank you! I'll fix that.

>
>                                                                 Honza
> >
> > Before the patch
> >
> > $ gcc fanotify_nullptr.c -o fanotify_nullptr
> > $ mkdir A
> > $ ./fanotify_nullptr
> > Fanotify fd: 3
> > fanotify_mark: Operation not permitted
> > $ unshare -Urm
> > # ./fanotify_nullptr
> > Fanotify fd: 3
> > Killed
> > # cat fanotify_nullptr.c
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <fcntl.h>
> > #include <sys/fanotify.h>
> >
> > int main(void){
> >     int ffd;
> >     ffd = fanotify_init(FAN_CLASS_NOTIF | FAN_REPORT_MNT, 0);
> >     if(ffd < 0){
> >         perror("fanotify_init");
> >         exit(EXIT_FAILURE);
> >     }
> >
> >     printf("Fanotify fd: %d\n",ffd);
> >
> >     if(fanotify_mark(ffd, FAN_MARK_ADD | FAN_MARK_MNTNS,
> > FAN_MNT_ATTACH, AT_FDCWD, "A") < 0){
> >         perror("fanotify_mark");
> >         exit(EXIT_FAILURE);
> >     }
> >
> > return 0;
> > }
> > #
> >
> > After the patch
> >
> > $ gcc fanotify_nullptr.c -o fanotify_nullptr
> > $ mkdir A
> > $ ./fanotify_nullptr
> > Fanotify fd: 3
> > fanotify_mark: Operation not permitted
> > $ unshare -Urm
> > # ./fanotify_nullptr
> > Fanotify fd: 3
> > fanotify_mark: Invalid argument
> > #
> >
> > [   25.694973] BUG: kernel NULL pointer dereference, address: 0000000000000038
> > [   25.695006] #PF: supervisor read access in kernel mode
> > [   25.695012] #PF: error_code(0x0000) - not-present page
> > [   25.695017] PGD 109a30067 P4D 109a30067 PUD 142b46067 PMD 0
> > [   25.695025] Oops: Oops: 0000 [#1] SMP NOPTI
> > [   25.695032] CPU: 4 UID: 1000 PID: 1478 Comm: fanotify_nullpt Not
> > tainted 6.17.0-rc4 #1 PREEMPT(lazy)
> > [   25.695040] Hardware name: VMware, Inc. VMware Virtual
> > Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
> > [   25.695049] RIP: 0010:do_fanotify_mark+0x817/0x950
> > [   25.695066] Code: 04 00 00 e9 45 fd ff ff 48 8b 7c 24 48 4c 89 54
> > 24 18 4c 89 5c 24 10 4c 89 0c 24 e8 b3 11 fc ff 4c 8b 54 24 18 4c 8b
> > 5c 24 10 <48> 8b 78 38 4c 8b 0c 24 49 89 c4 e9 13 fd ff ff 8b 4c 24 28
> > 85 c9
> > [   25.695081] RSP: 0018:ffffd31c469e3c08 EFLAGS: 00010203
> > [   25.695104] RAX: 0000000000000000 RBX: 0000000001000000 RCX: ffff8eb48aebd220
> > [   25.695110] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8eb4835e8180
> > [   25.695115] RBP: 0000000000000111 R08: 0000000000000000 R09: 0000000000000000
> > [   25.695142] R10: ffff8eb48a7d56c0 R11: ffff8eb482bede00 R12: 00000000004012a7
> > [   25.695148] R13: 0000000000000110 R14: 0000000000000001 R15: ffff8eb48a7d56c0
> > [   25.695154] FS:  00007f8733bda740(0000) GS:ffff8eb61ce5f000(0000)
> > knlGS:0000000000000000
> > [   25.695162] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [   25.695170] CR2: 0000000000000038 CR3: 0000000136994006 CR4: 00000000003706f0
> > [   25.695201] Call Trace:
> > [   25.695209]  <TASK>
> > [   25.695215]  __x64_sys_fanotify_mark+0x1f/0x30
> > [   25.695222]  do_syscall_64+0x82/0x2c0
> > [   25.695229]  ? do_syscall_64+0x82/0x2c0
> > [   25.695234]  ? memcg1_commit_charge+0x7a/0xa0
> > [   25.695240]  ? mod_memcg_lruvec_state+0xe7/0x2e0
> > [   25.695246]  ? charge_memcg+0x48/0x80
> > [   25.695251]  ? blk_cgroup_congested+0x65/0x70
> > [   25.695258]  ? __lruvec_stat_mod_folio+0x85/0xd0
> > [   25.695272]  ? __folio_mod_stat+0x2d/0x90
> > [   25.695284]  ? set_ptes.isra.0+0x36/0x80
> > [   25.695290]  ? do_anonymous_page+0x100/0x520
> > [   25.695295]  ? __handle_mm_fault+0x54f/0x6a0
> > [   25.695317]  ? anon_inode_getfile_fmode+0x18/0x30
> > [   25.695322]  ? count_memcg_events+0xd6/0x220
> > [   25.695327]  ? handle_mm_fault+0x248/0x360
> > [   25.695333]  ? do_user_addr_fault+0x21a/0x690
> > [   25.695339]  ? clear_bhb_loop+0x50/0xa0
> > [   25.695344]  ? clear_bhb_loop+0x50/0xa0
> > [   25.695348]  ? clear_bhb_loop+0x50/0xa0
> > [   25.695353]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
> > [   25.695358] RIP: 0033:0x7f8733cd26ae
> > [   25.695373] Code: f8 48 8d 75 f8 e8 12 3c ff ff c9 48 83 f8 08 0f
> > 95 c0 0f b6 c0 f7 d8 c3 0f 1f 40 00 f3 0f 1e fa 41 89 ca b8 2d 01 00
> > 00 0f 05 <48> 3d 00 f0 ff ff 77 0a c3 66 0f 1f 84 00 00 00 00 00 48 8b
> > 15 19
> > [   25.695613] RSP: 002b:00007ffcd6842cd8 EFLAGS: 00000206 ORIG_RAX:
> > 000000000000012d
> > [   25.695820] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f8733cd26ae
> > [   25.695992] RDX: 0000000001000000 RSI: 0000000000000111 RDI: 0000000000000003
> > [   25.696141] RBP: 00007ffcd6842cf0 R08: 00000000004012a7 R09: 0000000000000000
> > [   25.696273] R10: 00000000ffffff9c R11: 0000000000000206 R12: 00007ffcd6842e18
> > [   25.696438] R13: 0000000000000001 R14: 00007f8733e15000 R15: 0000000000402e00
> > [   25.696616]  </TASK>
> > [   25.696752] Modules linked in: rfkill nft_fib_inet nft_fib_ipv4
> > nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6
> > nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6
> > nf_defrag_ipv4 nf_tables qrtr intel_rapl_msr intel_rapl_common
> > intel_uncore_frequency_common intel_pmc_core pmt_telemetry
> > pmt_discovery pmt_class intel_pmc_ssram_telemetry intel_vsec rapl
> > vmw_balloon pcspkr i2c_piix4 i2c_smbus joydev loop vsock_loopback
> > vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock zram
> > vmw_vmci lz4hc_compress lz4_compress xfs polyval_clmulni vmwgfx
> > ghash_clmulni_intel vmxnet3 nvme drm_ttm_helper ata_generic ttm
> > pata_acpi nvme_tcp nvme_fabrics nvme_core nvme_keyring nvme_auth
> > serio_raw sunrpc be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls cxgb3i cxgb3
> > mdio libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp
> > libiscsi scsi_transport_iscsi scsi_dh_rdac scsi_dh_emc scsi_dh_alua
> > fuse i2c_dev dm_multipath nfnetlink
> > [   25.698055] CR2: 0000000000000038
> > [   25.698202] ---[ end trace 0000000000000000 ]---
> > [   25.698385] RIP: 0010:do_fanotify_mark+0x817/0x950
> > [   25.698595] Code: 04 00 00 e9 45 fd ff ff 48 8b 7c 24 48 4c 89 54
> > 24 18 4c 89 5c 24 10 4c 89 0c 24 e8 b3 11 fc ff 4c 8b 54 24 18 4c 8b
> > 5c 24 10 <48> 8b 78 38 4c 8b 0c 24 49 89 c4 e9 13 fd ff ff 8b 4c 24 28
> > 85 c9
> > [   25.698921] RSP: 0018:ffffd31c469e3c08 EFLAGS: 00010203
> > [   25.699076] RAX: 0000000000000000 RBX: 0000000001000000 RCX: ffff8eb48aebd220
> > [   25.699232] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8eb4835e8180
> > [   25.699409] RBP: 0000000000000111 R08: 0000000000000000 R09: 0000000000000000
> > [   25.699645] R10: ffff8eb48a7d56c0 R11: ffff8eb482bede00 R12: 00000000004012a7
> > [   25.699818] R13: 0000000000000110 R14: 0000000000000001 R15: ffff8eb48a7d56c0
> > [   25.699970] FS:  00007f8733bda740(0000) GS:ffff8eb61ce5f000(0000)
> > knlGS:0000000000000000
> > [   25.700125] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [   25.700280] CR2: 0000000000000038 CR3: 0000000136994006 CR4: 00000000003706f0
> > [   25.700495] note: fanotify_nullpt[1478] exited with irqs disabled
> >
> > Fixes: 58f5fbeb367f ("fanotify: support watching filesystems and
> > mounts inside userns")
> > Signed-off-by: Anderson Nascimento <anderson@xxxxxxxxxxxxxxxxxx>
> > ---
> > Changes in v2:
> > - Added Signed-off-by and Fixes tags.
> > - Changed subject prefix to "fanotify:".
> > - Link to v1: https://lore.kernel.org/linux-fsdevel/CAPhRvkwpLt03-OohQiBh_RyD+DsgTcRo-KmoqcvZ-3vNcCo=Uw@xxxxxxxxxxxxxx/
> >
> >  fs/notify/fanotify/fanotify_user.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/fs/notify/fanotify/fanotify_user.c
> > b/fs/notify/fanotify/fanotify_user.c
> > index b192ee068a7a..77046be7d3c1 100644
> > --- a/fs/notify/fanotify/fanotify_user.c
> > +++ b/fs/notify/fanotify/fanotify_user.c
> > @@ -1999,7 +1999,10 @@ static int do_fanotify_mark(int fanotify_fd,
> > unsigned int flags, __u64 mask,
> >                 user_ns = path.mnt->mnt_sb->s_user_ns;
> >                 obj = path.mnt->mnt_sb;
> >         } else if (obj_type == FSNOTIFY_OBJ_TYPE_MNTNS) {
> > +               ret = -EINVAL;
> >                 mntns = mnt_ns_from_dentry(path.dentry);
> > +               if(!mntns)
> > +                       goto path_put_and_out;
> >                 user_ns = mntns->user_ns;
> >                 obj = mntns;
> >         }
> >
> > --
> > Anderson Nascimento
> > Allele Security Intelligence
> > https://www.allelesecurity.com
> --
> Jan Kara <jack@xxxxxxxx>
> SUSE Labs, CR

-- 
Anderson Nascimento
Allele Security Intelligence
https://www.allelesecurity.com