Home

Description

In the Linux kernel, the following vulnerability has been resolved: futex: Don't leak robust_list pointer on exec race sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to access another task's robust_list pointer. This check is racy against a concurrent exec() in the target process. During exec(), a task may transition from a non-privileged binary to a privileged one (e.g., setuid binary) and its credentials/memory mappings may change. If get_robust_list() performs ptrace_may_access() before this transition, it may erroneously allow access to sensitive information after the target becomes privileged. A racy access allows an attacker to exploit a window during which ptrace_may_access() passes before a target process transitions to a privileged state via exec(). For example, consider a non-privileged task T that is about to execute a setuid-root binary. An attacker task A calls get_robust_list(T) while T is still unprivileged. Since ptrace_may_access() checks permissions based on current credentials, it succeeds. However, if T begins exec immediately afterwards, it becomes privileged and may change its memory mappings. Because get_robust_list() proceeds to access T->robust_list without synchronizing with exec() it may read user-space pointers from a now-privileged process. This violates the intended post-exec access restrictions and could expose sensitive memory addresses or be used as a primitive in a larger exploit chain. Consequently, the race can lead to unauthorized disclosure of information across privilege boundaries and poses a potential security risk. Take a read lock on signal->exec_update_lock prior to invoking ptrace_may_access() and accessing the robust_list/compat_robust_list. This ensures that the target task's exec state remains stable during the check, allowing for consistent and synchronized validation of credentials.

PUBLISHED Reserved 2025-04-16 | Published 2025-12-09 | Updated 2025-12-09 | Assigner Linux

Product status

Default status
unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 6511984d1aa1360181bcafb1ca75df7f291ef237
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 4aced32596ead1820b7dbd8e40d30b30dc1f3ad4
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 3b4222494489f6d4b8705a496dab03384b7ca998
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before b524455a51feb6013df3a5dba3160487b2e8e22a
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 6b54082c3ed4dc9821cdf0edb17302355cc5bb45
affected

Default status
affected

6.1.159 (semver)
unaffected

6.6.117 (semver)
unaffected

6.12.58 (semver)
unaffected

6.17.8 (semver)
unaffected

6.18 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/6511984d1aa1360181bcafb1ca75df7f291ef237

git.kernel.org/...c/4aced32596ead1820b7dbd8e40d30b30dc1f3ad4

git.kernel.org/...c/3b4222494489f6d4b8705a496dab03384b7ca998

git.kernel.org/...c/b524455a51feb6013df3a5dba3160487b2e8e22a

git.kernel.org/...c/6b54082c3ed4dc9821cdf0edb17302355cc5bb45

cve.org (CVE-2025-40341)

nvd.nist.gov (CVE-2025-40341)

Download JSON