CVE-2025-39717
Description
In the Linux kernel, the following vulnerability has been resolved:

open_tree_attr: do not allow id-mapping changes without OPEN_TREE_CLONE

As described in commit 7a54947e727b ('Merge patch series "fs: allow changing idmappings"'), open_tree_attr(2) was necessary in order to allow for a detached mount to be created and have its idmappings changed without the risk of any racing threads operating on it. For this reason, mount_setattr(2) still does not allow for id-mappings to be changed.

However, there was a bug in commit 2462651ffa76 ("fs: allow changing idmappings") which allowed users to bypass this restriction by calling open_tree_attr(2) without OPEN_TREE_CLONE.

can_idmap_mount() prevented this bug from allowing an attached mountpoint's id-mapping from being modified (thanks to an is_anon_ns() check), but this still allows for detached (but visible) mounts to have their id-mapping changed. This risks the same UAF and locking issues as described in the merge commit, and was likely unintentional.
POC
Reference
No PoCs from references.