Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's mount propagation mechanism can lead to a NULL pointer dereference. The issue is in the 'propagate_mnt()' function, which handles mount propagation between source and destination mount trees. When propagating, the function fails to terminate properly at peers of the source mount, particularly in scenarios involving slave mounts. As a result, it can dereference a NULL pointer, causing a crash. The vulnerability is reachable by unprivileged users, especially those with access to unprivileged user namespaces.
Exploitation causes a kernel NULL pointer dereference, leading to a crash. Beyond the crash, such dereferences can often be exploited to execute arbitrary code in the kernel context.
The vulnerability can be reproduced by using unprivileged user namespaces to mount a propagation tree. The 'propagate_mnt()' function will then fail to correctly handle the termination at source mount peers, allowing the NULL pointer dereference to occur.
Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.
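Until the upgrade is in place, it helps to know whether a host allows unprivileged user namespaces, the access path the description names. The check below is an added example, not part of the original advisory. It assumes the upstream sysctl user.max_user_namespaces and the Debian/Ubuntu-specific kernel.unprivileged_userns_clone; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether unprivileged user namespace creation is
# permitted, using two sysctls exposed under /proc/sys.
# Assumption: only these two controls are inspected; distribution-specific
# LSM policy (AppArmor, SELinux) is not evaluated.

# read_sysctl FILE: print the file's value without whitespace, or nothing
# if the file is absent or unreadable.
read_sysctl() {
    [ -r "$1" ] && tr -d '[:space:]' < "$1"
    return 0
}

# userns_exposure [PROC_ROOT]: print "disabled", "enabled" or "unknown".
# PROC_ROOT defaults to /proc; pass another directory to test offline.
userns_exposure() {
    root="${1:-/proc}"
    # Upstream limit on user namespaces; 0 disables creation.
    max=$(read_sysctl "$root/sys/user/max_user_namespaces")
    # Debian/Ubuntu toggle; 0 blocks unprivileged creation only.
    clone=$(read_sysctl "$root/sys/kernel/unprivileged_userns_clone")

    if [ -z "$max" ] && [ -z "$clone" ]; then
        echo unknown      # neither control present: cannot decide
    elif [ "$max" = 0 ] || [ "$clone" = 0 ]; then
        echo disabled
    else
        echo enabled
    fi
}

echo "unprivileged user namespaces: $(userns_exposure)"
```

A result of "enabled" means unprivileged users on that host can create the user namespaces the reproduction relies on, so that host should be prioritized for the kernel upgrade.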