Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A NULL pointer dereference vulnerability has been identified in the Linux kernel's fanotify implementation. The issue arises in do_fanotify_mark(), which does not check the return value of mnt_ns_from_dentry() for NULL before dereferencing mntns->user_ns. mnt_ns_from_dentry() returns NULL whenever the dentry is not a mount namespace object (an ordinary directory, for example), so a FAN_MARK_MNTNS mark request on such a path dereferences a NULL pointer in kernel mode. Only kernels that carry mount namespace mark support (FAN_MARK_MNTNS, introduced in 6.14) contain the affected code; the CPE range listed above is broader than the set of kernels that actually ship it.
Triggering this vulnerability causes a kernel NULL pointer dereference (an oops). The task that issued the fanotify_mark() system call is killed, and on systems configured with panic_on_oops the whole machine panics, so the practical impact is denial of service. The oops is reported as a supervisor read access fault in kernel mode on a not-present page, which is the usual signature of a NULL pointer dereference in the Linux kernel.
The vulnerability can be reproduced by compiling a C program that uses the fanotify API to watch mount namespaces. The program initialises a fanotify group and then attempts to add a FAN_MARK_MNTNS mark for a directory that is not a mount namespace object. Mount and namespace marks require CAP_SYS_ADMIN, so the reproducer must run with that capability. Without the patch, the fanotify_mark() call oopses the kernel and the calling process is killed. After applying the patch, the same operation fails cleanly with EINVAL ('Invalid argument'), indicating that the vulnerability has been mitigated.
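The following probe is an added example written for this page; it is not the upstream reproducer and not kernel code. It performs the check described above (a FAN_MARK_MNTNS mark on a plain directory) and, as a second step the page does not describe, marks a real mount namespace object (/proc/self/ns/mnt) so that an EINVAL on the directory can be told apart from a kernel that simply lacks FAN_MARK_MNTNS. The fanotify_init() flag FAN_REPORT_MNT and the event bits FAN_MNT_ATTACH/FAN_MNT_DETACH are assumed from the 6.14 uapi header, as are the fallback numeric values. On a vulnerable kernel the first probe oopses, so run it only as root on a disposable VM.

```c
/* Added example (not part of the original page or the kernel tree).
 * Probes whether the running kernel rejects a FAN_MARK_MNTNS mark on a
 * path that is not a mount namespace object. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>

/* Fallbacks for older headers; values assumed from the 6.14 uapi
 * linux/fanotify.h. */
#ifndef FAN_REPORT_MNT
#define FAN_REPORT_MNT 0x00004000
#endif
#ifndef FAN_MARK_MNTNS
#define FAN_MARK_MNTNS 0x00000110
#endif
#ifndef FAN_MNT_ATTACH
#define FAN_MNT_ATTACH 0x01000000
#endif
#ifndef FAN_MNT_DETACH
#define FAN_MNT_DETACH 0x02000000
#endif

enum probe_result {
    PROBE_INIT_FAILED,   /* fanotify_init() failed: no CAP_SYS_ADMIN or FAN_REPORT_MNT unknown */
    PROBE_MARK_ACCEPTED, /* mark added: expected only for a genuine mount namespace object */
    PROBE_MARK_EINVAL,   /* rejected with EINVAL: fixed kernel, or FAN_MARK_MNTNS unsupported */
    PROBE_MARK_EPERM,    /* rejected with EPERM: missing CAP_SYS_ADMIN */
    PROBE_MARK_OTHER,    /* any other errno */
};

/* Pure mapping from a fanotify_mark() return code and errno to an outcome;
 * kept separate so it can be checked without touching the kernel. */
enum probe_result classify_mark(int rc, int err)
{
    if (rc == 0)
        return PROBE_MARK_ACCEPTED;
    switch (err) {
    case EINVAL: return PROBE_MARK_EINVAL;
    case EPERM:  return PROBE_MARK_EPERM;
    default:     return PROBE_MARK_OTHER;
    }
}

/* Create a FAN_REPORT_MNT group and try to add a mount namespace mark on
 * `path`. On a vulnerable kernel and a non-mntns path this call oopses. */
enum probe_result probe_mntns_mark(const char *path, int *saved_errno)
{
    int fan_fd = fanotify_init(FAN_CLASS_NOTIF | FAN_REPORT_MNT, O_RDONLY);
    if (fan_fd < 0) {
        if (saved_errno)
            *saved_errno = errno;
        return PROBE_INIT_FAILED;
    }
    int rc = fanotify_mark(fan_fd, FAN_MARK_ADD | FAN_MARK_MNTNS,
                           FAN_MNT_ATTACH | FAN_MNT_DETACH, AT_FDCWD, path);
    int err = rc < 0 ? errno : 0;
    if (saved_errno)
        *saved_errno = err;
    close(fan_fd);
    return classify_mark(rc, err);
}

int main(void)
{
    int err = 0;
    /* Step 1: a plain directory. Vulnerable kernel: oops. Fixed kernel: EINVAL. */
    enum probe_result dir_res = probe_mntns_mark("/", &err);
    if (dir_res == PROBE_INIT_FAILED) {
        fprintf(stderr, "fanotify_init failed: %s (need CAP_SYS_ADMIN and FAN_REPORT_MNT support)\n",
                strerror(err));
        return 1;
    }
    printf("mark on plain directory: %s\n", dir_res == PROBE_MARK_ACCEPTED ? "accepted (unexpected)" : strerror(err));

    /* Step 2: a real mount namespace object, to confirm FAN_MARK_MNTNS exists. */
    enum probe_result ns_res = probe_mntns_mark("/proc/self/ns/mnt", &err);
    printf("mark on /proc/self/ns/mnt: %s\n", ns_res == PROBE_MARK_ACCEPTED ? "accepted" : strerror(err));

    if (dir_res == PROBE_MARK_EINVAL && ns_res == PROBE_MARK_ACCEPTED)
        puts("result: FAN_MARK_MNTNS supported and non-mntns path rejected -> fix present");
    else if (dir_res == PROBE_MARK_EINVAL && ns_res == PROBE_MARK_EINVAL)
        puts("result: FAN_MARK_MNTNS not supported by this kernel -> not affected");
    else
        puts("result: inconclusive, inspect the errors above");
    return 0;
}
```

Surviving the first probe is itself the signal: a vulnerable kernel never returns from it. Without CAP_SYS_ADMIN the unprivileged-fanotify restriction rejects non-inode marks with EPERM before the affected code is reached, so an EPERM result says nothing about whether the fix is present.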
Users should upgrade to a kernel that includes the fix, which adds the missing NULL check to do_fanotify_mark() so that a path that is not a mount namespace object is rejected with EINVAL instead of being dereferenced. The commit that addresses this vulnerability is 62e59ffe8787b5550ccff70c30b6f6be6a3ac3dd.