The Linux kernel has a resolved vulnerability relating to encoding a file identifier (fid) from an inode when there is no alias available. The vulnerability allows userspace to trigger a WARN_ON() assertion when the inotify_show_fdinfo() function is called for a watched overlayfs (overlay file system) inode. The issue was reported by Dmitry Safonov and can also lead to failures in reporting fanotify FAN_DELETE_SELF events, as shown in a Linux Test Project (LTP) test case. A fix in the ovl_encode_fh() function resolves this failure.
Code Snippet
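# Pseudocode sketch of the pre-fix behaviour; the real function is kernel C code
def ovl_encode_fh(alias, error):
    ...
    if not alias:
        # No alias was found for the inode, so encoding fails here
        return error
    ...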
The Problem
Dmitry Safonov reported that a WARN_ON() assertion can be triggered by userspace when calling the inotify_show_fdinfo() function for an overlayfs watched inode, specifically when the inode's dentry aliases were discarded with drop_caches. This assertion was removed because the impact of failing to encode a file handle for an overlayfs inode can lead to further issues.
As demonstrated in an LTP test case, the failure to encode an overlayfs file handle from a non-aliased inode can lead to a failure in reporting an fid with FAN_DELETE_SELF fanotify events. Dmitry's analysis of the issue showed that the ovl_encode_fh() function fails if it can't find an alias for the inode, but this failure can be fixed.
Further Analysis and Solution
When analyzing the problem, Dmitry pointed out that ovl_encode_fh() seldom uses the alias it tries to locate, and in the case of non-decodable file handles, the function never actually needs the alias to encode a file handle. As a result, ovl_encode_fh() does not necessarily need the alias in order to function correctly in common scenarios, such as dealing with FAN_DELETE_SELF fanotify events.
The solution is to modify the ovl_encode_fh() function to defer finding an alias until it is genuinely required. This way, ovl_encode_fh() will not fail when there is no alias available, allowing the function to work correctly in most cases.
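The deferred lookup described above, as a simplified user-space C model. This is an added example, not kernel code or code from the original page; the struct, the function names, the error value and the rule that only decodable handles need the alias are assumptions of the model.

```c
/* Simplified user-space model; every name here is hypothetical, not kernel code. */
#include <stdbool.h>
#include <stdio.h>

#define MODEL_ENCODE_FAILED (-1)   /* constructed error value */

struct model_inode {
    unsigned long ino;
    const char *alias;             /* NULL models aliases discarded from the cache */
};

/* Stand-in for the alias lookup: NULL when no alias is available. */
static const char *find_alias(const struct model_inode *inode)
{
    return inode->alias;
}

/* Before the fix: the lookup comes first, so a missing alias fails every call. */
int encode_fh_eager(const struct model_inode *inode, bool decodable,
                    unsigned long *fid)
{
    (void)decodable;
    if (!find_alias(inode))
        return MODEL_ENCODE_FAILED;
    *fid = inode->ino;
    return 0;
}

/* After the fix: the lookup is deferred to the path that uses the alias.
 * Model assumption: only decodable handles take that path. */
int encode_fh_deferred(const struct model_inode *inode, bool decodable,
                       unsigned long *fid)
{
    if (decodable && !find_alias(inode))
        return MODEL_ENCODE_FAILED;
    *fid = inode->ino;
    return 0;
}

int main(void)
{
    struct model_inode no_alias = { 42, NULL };   /* constructed sample inode */
    unsigned long fid = 0;
    int eager = encode_fh_eager(&no_alias, false, &fid);
    int deferred = encode_fh_deferred(&no_alias, false, &fid);
    printf("eager=%d deferred=%d fid=%lu\n", eager, deferred, fid);
    return 0;
}
```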
Conclusion
The Linux kernel vulnerability relating to the encoding of fids from inodes with no alias in the overlay file system has been resolved. By modifying the ovl_encode_fh() function to defer finding an alias until it is needed, the vulnerability can be fixed, preventing potential failures in reporting fanotify FAN_DELETE_SELF events and WARN_ON() assertions from being triggered.
Timeline
Published on: 01/19/2025 11:15:11 UTC
Last modified on: 01/24/2025 16:15:38 UTC