Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A race condition vulnerability has been identified in the Linux kernel's handling of OverlayFS inodes. While an OverlayFS instance is being unmounted, reading the fdinfo of a file descriptor that holds an inotify watch on an OverlayFS inode (which invokes 'inotify_show_fdinfo()') can lead to a NULL pointer dereference. The issue arises because the unmount path sets the superblock's root pointer to NULL; if the fdinfo read happens at that moment, the kernel dereferences the NULL pointer and triggers a general protection fault. The vulnerability was discovered by syzkaller.
Exploitation of this vulnerability leads to a NULL pointer dereference, causing a general protection fault. This type of fault can result in a system crash or instability.
To reproduce this vulnerability, monitor an OverlayFS inode with 'inotify' while simultaneously unmounting the OverlayFS. This can be done by initiating a read operation on the file descriptor before the unmount process has completed, creating a race condition that dereferences a NULL pointer.
The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.
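Upgrading is the fix. As an operational stopgap on hosts that cannot be patched immediately, an administrator may want to know which processes still hold inotify watches on an overlay mount before unmounting it, so the watchers can be stopped first and the window described above never opens. The following helper is an added example written for this page; it is not code from the advisory or from the Linux kernel project. It parses the 'inotify wd:... ino:... sdev:...' lines that 'inotify_show_fdinfo()' writes to /proc/<pid>/fdinfo/<fd>, decodes the hex 'sdev' device number (kernel dev_t layout, major in the upper bits, minor in the low 20 bits), and matches it against the major:minor column of /proc/<pid>/mountinfo to report watches on a given mount point. The sample fdinfo and mountinfo text is constructed so the script runs offline; the live scan of /proc at the bottom assumes a Linux host with readable /proc entries.

```python
import os
import re
import sys

# Constructed sample in the format of /proc/<pid>/fdinfo/<fd> for an inotify descriptor.
# Field values (wd, ino, sdev, mask) are printed in hex by the kernel.
SAMPLE_FDINFO = """pos:\t0
flags:\t02000000
mnt_id:\t15
ino:\t1234
inotify wd:1 ino:2 sdev:2b mask:8000fc6 ignored_mask:0 fhandle-bytes:8 fhandle-type:1 f_handle:02000000ad000000
inotify wd:2 ino:1a sdev:800001 mask:8000fc6 ignored_mask:0 fhandle-bytes:8 fhandle-type:1 f_handle:1a000000e1000000
"""

# Constructed sample in the format of /proc/<pid>/mountinfo:
# "<mount id> <parent id> <major>:<minor> <root> <mount point> <options> ... - <fstype> <source> <super options>"
SAMPLE_MOUNTINFO = """25 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
43 25 0:43 / /mnt/merged rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
"""

INOTIFY_LINE = re.compile(r"^inotify wd:([0-9a-f]+) ino:([0-9a-f]+) sdev:([0-9a-f]+)")


def sdev_to_majmin(sdev_hex):
    """Decode the hex dev_t printed by fdinfo into (major, minor) as mountinfo shows them."""
    dev = int(sdev_hex, 16)
    return dev >> 20, dev & 0xFFFFF


def parse_fdinfo_watches(text):
    """Return one dict per inotify watch line found in an fdinfo file."""
    watches = []
    for line in text.splitlines():
        m = INOTIFY_LINE.match(line)
        if m:
            watches.append({
                "wd": int(m.group(1), 16),
                "ino": int(m.group(2), 16),
                "sdev": sdev_to_majmin(m.group(3)),
            })
    return watches


def parse_mountinfo(text):
    """Map (major, minor) -> mount point for every line of a mountinfo file."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        major, minor = fields[2].split(":")
        mounts[(int(major), int(minor))] = fields[4]
    return mounts


def watches_on_mount(fdinfo_text, mountinfo_text, mount_point):
    """Watches from fdinfo_text whose superblock device is mounted at mount_point."""
    mounts = parse_mountinfo(mountinfo_text)
    return [w for w in parse_fdinfo_watches(fdinfo_text) if mounts.get(w["sdev"]) == mount_point]


def scan_live_proc(mount_point):
    """Walk /proc on a live Linux host and list (pid, fd, wd) for watches on mount_point."""
    hits = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            mountinfo = open(f"/proc/{pid}/mountinfo").read()
            fds = os.listdir(f"/proc/{pid}/fdinfo")
        except OSError:
            continue  # process exited or not readable with our privileges
        for fd in fds:
            try:
                fdinfo = open(f"/proc/{pid}/fdinfo/{fd}").read()
            except OSError:
                continue
            for w in watches_on_mount(fdinfo, mountinfo, mount_point):
                hits.append((int(pid), int(fd), w["wd"]))
    return hits


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/mnt/merged"
    if len(sys.argv) > 1:
        for pid, fd, wd in scan_live_proc(target):
            print(f"pid {pid} fd {fd} wd {wd} watches {target}")
    else:
        # No argument: demonstrate on the constructed samples.
        print(watches_on_mount(SAMPLE_FDINFO, SAMPLE_MOUNTINFO, target))
```

Run with a mount point as the only argument to inspect the live system (reading other users' /proc entries generally needs root); with no argument it evaluates the constructed samples, where only watch descriptor 1 sits on the overlay mounted at /mnt/merged and watch descriptor 2 is on the ext4 root. Note that this check only narrows the window: a watcher created between the scan and the unmount is not covered, which is why the kernel fix, not the check, is the real remediation.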