Bug 2393538 (CVE-2025-39717) - CVE-2025-39717 kernel: open_tree_attr: do not allow id-mapping changes without OPEN_TREE_CLONE
Summary: CVE-2025-39717 kernel: open_tree_attr: do not allow id-mapping changes withou...
Keywords:
Status: NEW
Alias: CVE-2025-39717
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-05 18:05 UTC by OSIDB Bzimport
Modified: 2025-09-15 14:05 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-09-05 18:05:04 UTC 
In the Linux kernel, the following vulnerability has been resolved:

open_tree_attr: do not allow id-mapping changes without OPEN_TREE_CLONE

As described in commit 7a54947e727b ('Merge patch series "fs: allow
changing idmappings"'), open_tree_attr(2) was necessary in order to
allow for a detached mount to be created and have its idmappings changed
without the risk of any racing threads operating on it. For this reason,
mount_setattr(2) still does not allow for id-mappings to be changed.

However, there was a bug in commit 2462651ffa76 ("fs: allow changing
idmappings") which allowed users to bypass this restriction by calling
open_tree_attr(2) *without* OPEN_TREE_CLONE.

can_idmap_mount() prevented this bug from allowing an attached
mountpoint's id-mapping from being modified (thanks to an is_anon_ns()
check), but this still allows for detached (but visible) mounts to have
their be id-mapping changed. This risks the same UAF and locking issues
as described in the merge commit, and was likely unintentional.
Comment 1 Keith Grant 2025-09-05 19:33:12 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025090551-CVE-2025-39717-9e8a@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.