Commit 6b54082c authored by Pranav Tyagi's avatar Pranav Tyagi Committed by Thomas Gleixner
Browse files

futex: Don't leak robust_list pointer on exec race 



sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access()
to check if the calling task is allowed to access another task's
robust_list pointer. This check is racy against a concurrent exec() in the
target process.

During exec(), a task may transition from a non-privileged binary to a
privileged one (e.g., setuid binary) and its credentials/memory mappings
may change. If get_robust_list() performs ptrace_may_access() before
this transition, it may erroneously allow access to sensitive information
after the target becomes privileged.

A racy access allows an attacker to exploit a window during which
ptrace_may_access() passes before a target process transitions to a
privileged state via exec().

For example, consider a non-privileged task T that is about to execute a
setuid-root binary. An attacker task A calls get_robust_list(T) while T
is still unprivileged. Since ptrace_may_access() checks permissions
based on current credentials, it succeeds. However, if T begins exec
immediately afterwards, it becomes privileged and may change its memory
mappings. Because get_robust_list() proceeds to access T->robust_list
without synchronizing with exec() it may read user-space pointers from a
now-privileged process.

This violates the intended post-exec access restrictions and could
expose sensitive memory addresses or be used as a primitive in a larger
exploit chain. Consequently, the race can lead to unauthorized
disclosure of information across privilege boundaries and poses a
potential security risk.

Take a read lock on signal->exec_update_lock prior to invoking
ptrace_may_access() and accessing the robust_list/compat_robust_list.
This ensures that the target task's exec state remains stable during the
check, allowing for consistent and synchronized validation of
credentials.

Suggested-by: default avatarJann Horn <jann@thejh.net>
Signed-off-by: default avatarPranav Tyagi <pranav.tyagi03@gmail.com>
Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/linux-fsdevel/1477863998-3298-5-git-send-email-jann@thejh.net/
Link: https://github.com/KSPP/linux/issues/119
parent ed323aed

kernel/futex/syscalls.c

+56 −50
Original line number Diff line number Diff line
@@ -39,46 +39,74 @@ SYSCALL_DEFINE2(set_robust_list, struct robust_list_head __user *, head, 
	return 0;

}



/**

 * sys_get_robust_list() - Get the robust-futex list head of a task

 * @pid:	pid of the process [zero for current task]

 * @head_ptr:	pointer to a list-head pointer, the kernel fills it in

 * @len_ptr:	pointer to a length field, the kernel fills in the header size

 */

SYSCALL_DEFINE3(get_robust_list, int, pid,

		struct robust_list_head __user * __user *, head_ptr,

		size_t __user *, len_ptr)

static inline void __user *futex_task_robust_list(struct task_struct *p, bool compat)

{

	struct robust_list_head __user *head;

	unsigned long ret;

	struct task_struct *p;

#ifdef CONFIG_COMPAT

	if (compat)

		return p->compat_robust_list;

#endif

	return p->robust_list;

}



	rcu_read_lock();

static void __user *futex_get_robust_list_common(int pid, bool compat)

{

	struct task_struct *p = current;

	void __user *head;

	int ret;



	ret = -ESRCH;

	if (!pid)

		p = current;

	else {

	scoped_guard(rcu) {

		if (pid) {

			p = find_task_by_vpid(pid);

			if (!p)

			goto err_unlock;

				return (void __user *)ERR_PTR(-ESRCH);

		}

		get_task_struct(p);

	}



	/*

	 * Hold exec_update_lock to serialize with concurrent exec()

	 * so ptrace_may_access() is checked against stable credentials

	 */

	ret = down_read_killable(&p->signal->exec_update_lock);

	if (ret)

		goto err_put;



	ret = -EPERM;

	if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))

		goto err_unlock;



	head = p->robust_list;

	rcu_read_unlock();

	head = futex_task_robust_list(p, compat);



	if (put_user(sizeof(*head), len_ptr))

		return -EFAULT;

	return put_user(head, head_ptr);

	up_read(&p->signal->exec_update_lock);

	put_task_struct(p);



	return head;



err_unlock:

	rcu_read_unlock();

	up_read(&p->signal->exec_update_lock);

err_put:

	put_task_struct(p);

	return (void __user *)ERR_PTR(ret);

}



	return ret;

/**

 * sys_get_robust_list() - Get the robust-futex list head of a task

 * @pid:	pid of the process [zero for current task]

 * @head_ptr:	pointer to a list-head pointer, the kernel fills it in

 * @len_ptr:	pointer to a length field, the kernel fills in the header size

 */

SYSCALL_DEFINE3(get_robust_list, int, pid,

		struct robust_list_head __user * __user *, head_ptr,

		size_t __user *, len_ptr)

{

	struct robust_list_head __user *head = futex_get_robust_list_common(pid, false);



	if (IS_ERR(head))

		return PTR_ERR(head);



	if (put_user(sizeof(*head), len_ptr))

		return -EFAULT;

	return put_user(head, head_ptr);

}



long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
@@ -455,36 +483,14 @@ COMPAT_SYSCALL_DEFINE3(get_robust_list, int, pid, 
			compat_uptr_t __user *, head_ptr,

			compat_size_t __user *, len_ptr)

{

	struct compat_robust_list_head __user *head;

	unsigned long ret;

	struct task_struct *p;

	struct compat_robust_list_head __user *head = futex_get_robust_list_common(pid, true);



	rcu_read_lock();



	ret = -ESRCH;

	if (!pid)

		p = current;

	else {

		p = find_task_by_vpid(pid);

		if (!p)

			goto err_unlock;

	}



	ret = -EPERM;

	if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))

		goto err_unlock;



	head = p->compat_robust_list;

	rcu_read_unlock();

	if (IS_ERR(head))

		return PTR_ERR(head);



	if (put_user(sizeof(*head), len_ptr))

		return -EFAULT;

	return put_user(ptr_to_compat(head), head_ptr);



err_unlock:

	rcu_read_unlock();



	return ret;

}

#endif /* CONFIG_COMPAT */