From: Thomas Gleixner <tglx@linutronix.de>
To: Pranav Tyagi <pranav.tyagi03@gmail.com>
Cc: "Ingo Molnar" <mingo@redhat.com>,
"Peter Zijlstra" <peterz@infradead.org>,
"Darren Hart" <dvhart@infradead.org>,
"Davidlohr Bueso" <dave@stgolabs.net>,
"André Almeida" <andrealmeid@igalia.com>,
linux-kernel@vger.kernel.org, jann@thejh.net,
keescook@chromium.org, skhan@linuxfoundation.org,
linux-kernel-mentees@lists.linux.dev
Subject: Re: [PATCH] futex: don't leak robust_list pointer on exec race
Date: Fri, 13 Jun 2025 15:08:47 +0200 [thread overview]
Message-ID: <87frg3ss9s.ffs@tglx> (raw)
In-Reply-To: <CAH4c4jLjSBxbd3bqkdgcCSWqXURratANgnbq9negrSU283xHpg@mail.gmail.com>
On Wed, Jun 11 2025 at 19:33, Pranav Tyagi wrote:
> On Mon, Jun 9, 2025 at 3:15 PM Thomas Gleixner <tglx@linutronix.de> wrote:
> Does the revised version below address the concerns more effectively
> or does it still need a bit more seasoning?
>
> "Currently, sys_get_robust_list() and compat_get_robust_list() perform a
> ptrace_may_access() check to verify if the calling task is allowed to
> query another task’s robust_list pointer. However, this check is racy
> against a concurrent exec() in the target process.
>
> During exec(), a task's credentials and memory mappings can change, and
> the task may transition from a non-privileged binary to a privileged one
> (e.g., a setuid binary). If get_robust_list() performs ptrace_may_access()
> before this transition, it may wrongly allow access to sensitive
> information after the target becomes privileged.
>
> To address this, a read lock is taken on signal->exec_update_lock prior
> to invoking ptrace_may_access() and accessing the robust_list. This
> ensures that the target task's exec state remains stable during the
> check, allowing for consistent and synchronized validation of
> credentials."
That's way better, but it still does not explain what the consequences
of the racy access are.
>>
>> You really did not have a better idea than copying all of that logic
>> into the compat code?
>
> As I’m still learning, I wasn’t quite sure how to avoid
> duplication there. Would factoring out the common logic into a helper function
> be the right direction? I’d be grateful for your suggestion.
Exactly.
Thanks,
tglx
next prev parent reply other threads:[~2025-06-13 13:08 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-07 6:44 [PATCH] futex: don't leak robust_list pointer on exec race Pranav Tyagi
2025-06-09 9:45 ` Thomas Gleixner
2025-06-11 14:03 ` Pranav Tyagi
2025-06-13 13:08 ` Thomas Gleixner [this message]
2025-06-18 6:20 ` Pranav Tyagi
2025-07-24 17:37 ` Kees Cook
2025-07-25 11:43 ` Pranav Tyagi
2025-07-30 14:51 ` Pranav Tyagi
2025-07-30 17:16 ` Thomas Gleixner
2025-08-04 7:01 ` Pranav Tyagi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87frg3ss9s.ffs@tglx \
--to=tglx@linutronix.de \
--cc=andrealmeid@igalia.com \
--cc=dave@stgolabs.net \
--cc=dvhart@infradead.org \
--cc=jann@thejh.net \
--cc=keescook@chromium.org \
--cc=linux-kernel-mentees@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=pranav.tyagi03@gmail.com \
--cc=skhan@linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox