Linux Kernel inotify Invalid Watch Descriptor Event Reporting Vulnerability

A vulnerability in the Linux kernel's inotify implementation can lead to incorrect event reporting to userspace. This issue arises when the inotify_freeing_mark() function races with inotify_handle_inode_event(). During this race condition, inotify_handle_inode_event() may observe that the watch descriptor (wd) has been reset to -1, indicating that it has been removed, and report this invalid value to the inotify listener. Such a discrepancy can confuse the listener. The vulnerability affects the Linux kernel stable tree.

Impact

The vulnerability can cause inotify listeners to receive invalid watch descriptor values, leading to potential confusion or misinterpretation of file system events.

Reproduction

The vulnerability can be reproduced by creating a race condition between the inotify_freeing_mark() and inotify_handle_inode_event() functions. This can be achieved by rapidly adding and removing inotify watches on a file or directory, causing the watch descriptor to be reset to -1 before the event can be properly processed.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed.