Re: CVE-2025-22029: exec: fix the racy usage of fs_struct->in_exec

[Michal Hocko <mhocko@suse.com>]

Based on a follow up update from Oleg[1] I would like to dispute this
CVE.

TL;DR version
: with or without this patch the "if (fs->in_exec)" check in copy_fs()
: can obviously hit the 1 -> 0 transition.
: 
: This is harmless, but should be probably fixed just to avoid another report
: from KCSAN.

On Wed 16-04-25 16:12:00, Greg KH wrote:
> Description
> ===========
> 
> In the Linux kernel, the following vulnerability has been resolved:
> 
> exec: fix the racy usage of fs_struct->in_exec
> 
> check_unsafe_exec() sets fs->in_exec under cred_guard_mutex, then execve()
> paths clear fs->in_exec lockless. This is fine if exec succeeds, but if it
> fails we have the following race:
> 
> 	T1 sets fs->in_exec = 1, fails, drops cred_guard_mutex
> 
> 	T2 sets fs->in_exec = 1
> 
> 	T1 clears fs->in_exec
> 
> 	T2 continues with fs->in_exec == 0
> 
> Change fs/exec.c to clear fs->in_exec with cred_guard_mutex held.
> 
> The Linux kernel CVE team has assigned CVE-2025-22029 to this issue.
> 
> 
> Affected and fixed versions
> ===========================
> 
> 	Fixed in 6.6.87 with commit 753a620a7f8e134b444f89fe90873234e894e21a
> 	Fixed in 6.12.23 with commit e2d8e7bd3314485e0b3b08380c659b3d1d67ed6a
> 	Fixed in 6.13.11 with commit a6b5070721503fb6021ebed51c925ffc66b1c5ab
> 	Fixed in 6.14.2 with commit b519f2e5800fe2391b7545ba6889df795828e885
> 	Fixed in 6.15-rc1 with commit af7bb0d2ca459f15cb5ca604dab5d9af103643f0
> 
> Please see https://www.kernel.org for a full list of currently supported
> kernel versions by the kernel community.
> 
> Unaffected versions might change over time as fixes are backported to
> older supported kernel versions.  The official CVE entry at
> 	https://cve.org/CVERecord/?id=CVE-2025-22029
> will be updated if fixes are backported, please check that for the most
> up to date information about this issue.
> 
> 
> Affected files
> ==============
> 
> The file(s) affected by this issue are:
> 	fs/exec.c
> 
> 
> Mitigation
> ==========
> 
> The Linux kernel CVE team recommends that you update to the latest
> stable kernel version for this, and many other bugfixes.  Individual
> changes are never tested alone, but rather are part of a larger kernel
> release.  Cherry-picking individual commits is not recommended or
> supported by the Linux kernel community at all.  If however, updating to
> the latest release is impossible, the individual changes to resolve this
> issue can be found at these commits:
> 	https://git.kernel.org/stable/c/753a620a7f8e134b444f89fe90873234e894e21a
> 	https://git.kernel.org/stable/c/e2d8e7bd3314485e0b3b08380c659b3d1d67ed6a
> 	https://git.kernel.org/stable/c/a6b5070721503fb6021ebed51c925ffc66b1c5ab
> 	https://git.kernel.org/stable/c/b519f2e5800fe2391b7545ba6889df795828e885
> 	https://git.kernel.org/stable/c/af7bb0d2ca459f15cb5ca604dab5d9af103643f0

-- 
Michal Hocko
SUSE Labs