futex: Don't leak robust_list pointer on exec race

sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access()
to check if the calling task is allowed to access another task's
robust_list pointer. This check is racy against a concurrent exec() in the
target process.

During exec(), a task may transition from a non-privileged binary to a
privileged one (e.g., setuid binary) and its credentials/memory mappings
may change. If get_robust_list() performs ptrace_may_access() before
this transition, it may erroneously allow access to sensitive information
after the target becomes privileged.

A racy access allows an attacker to exploit a window during which
ptrace_may_access() passes before a target process transitions to a
privileged state via exec().

For example, consider a non-privileged task T that is about to execute a
setuid-root binary. An attacker task A calls get_robust_list(T) while T
is still unprivileged. Since ptrace_may_access() checks permissions
based on current credentials, it succeeds. However, if T begins exec
immediately afterwards, it becomes privileged and may change its memory
mappings. Because get_robust_list() proceeds to access T->robust_list
without synchronizing with exec() it may read user-space pointers from a
now-privileged process.

This violates the intended post-exec access restrictions and could
expose sensitive memory addresses or be used as a primitive in a larger
exploit chain. Consequently, the race can lead to unauthorized
disclosure of information across privilege boundaries and poses a
potential security risk.

Take a read lock on signal->exec_update_lock prior to invoking
ptrace_may_access() and accessing the robust_list/compat_robust_list.
This ensures that the target task's exec state remains stable during the
check, allowing for consistent and synchronized validation of
credentials.

Suggested-by: Jann Horn <jann@thejh.net>
Signed-off-by: Pranav Tyagi <pranav.tyagi03@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/linux-fsdevel/1477863998-3298-5-git-send-email-jann@thejh.net/
Link: https://github.com/KSPP/linux/issues/119

diff --git a/kernel/futex/syscalls.c b/kernel/futex/syscalls.c
index 4b6da91..880c9bf 100644 (file)
--- a/kernel/futex/syscalls.c
+++ b/kernel/futex/syscalls.c
@@ -39,6 +39,56 @@ SYSCALL_DEFINE2(set_robust_list, struct robust_list_head __user *, head,
        return 0;
 }
 
+static inline void __user *futex_task_robust_list(struct task_struct *p, bool compat)
+{
+#ifdef CONFIG_COMPAT
+       if (compat)
+               return p->compat_robust_list;
+#endif
+       return p->robust_list;
+}
+
+static void __user *futex_get_robust_list_common(int pid, bool compat)
+{
+       struct task_struct *p = current;
+       void __user *head;
+       int ret;
+
+       scoped_guard(rcu) {
+               if (pid) {
+                       p = find_task_by_vpid(pid);
+                       if (!p)
+                               return (void __user *)ERR_PTR(-ESRCH);
+               }
+               get_task_struct(p);
+       }
+
+       /*
+        * Hold exec_update_lock to serialize with concurrent exec()
+        * so ptrace_may_access() is checked against stable credentials
+        */
+       ret = down_read_killable(&p->signal->exec_update_lock);
+       if (ret)
+               goto err_put;
+
+       ret = -EPERM;
+       if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
+               goto err_unlock;
+
+       head = futex_task_robust_list(p, compat);
+
+       up_read(&p->signal->exec_update_lock);
+       put_task_struct(p);
+
+       return head;
+
+err_unlock:
+       up_read(&p->signal->exec_update_lock);
+err_put:
+       put_task_struct(p);
+       return (void __user *)ERR_PTR(ret);
+}
+
 /**
  * sys_get_robust_list() - Get the robust-futex list head of a task
  * @pid:       pid of the process [zero for current task]
@@ -49,36 +99,14 @@ SYSCALL_DEFINE3(get_robust_list, int, pid,
                struct robust_list_head __user * __user *, head_ptr,
                size_t __user *, len_ptr)
 {
-       struct robust_list_head __user *head;
-       unsigned long ret;
-       struct task_struct *p;
-
-       rcu_read_lock();
-
-       ret = -ESRCH;
-       if (!pid)
-               p = current;
-       else {
-               p = find_task_by_vpid(pid);
-               if (!p)
-                       goto err_unlock;
-       }
-
-       ret = -EPERM;
-       if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
-               goto err_unlock;
+       struct robust_list_head __user *head = futex_get_robust_list_common(pid, false);
 
-       head = p->robust_list;
-       rcu_read_unlock();
+       if (IS_ERR(head))
+               return PTR_ERR(head);
 
        if (put_user(sizeof(*head), len_ptr))
                return -EFAULT;
        return put_user(head, head_ptr);
-
-err_unlock:
-       rcu_read_unlock();
-
-       return ret;
 }
 
 long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
@@ -455,36 +483,14 @@ COMPAT_SYSCALL_DEFINE3(get_robust_list, int, pid,
                        compat_uptr_t __user *, head_ptr,
                        compat_size_t __user *, len_ptr)
 {
-       struct compat_robust_list_head __user *head;
-       unsigned long ret;
-       struct task_struct *p;
-
-       rcu_read_lock();
-
-       ret = -ESRCH;
-       if (!pid)
-               p = current;
-       else {
-               p = find_task_by_vpid(pid);
-               if (!p)
-                       goto err_unlock;
-       }
-
-       ret = -EPERM;
-       if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
-               goto err_unlock;
+       struct compat_robust_list_head __user *head = futex_get_robust_list_common(pid, true);
 
-       head = p->compat_robust_list;
-       rcu_read_unlock();
+       if (IS_ERR(head))
+               return PTR_ERR(head);
 
        if (put_user(sizeof(*head), len_ptr))
                return -EFAULT;
        return put_user(ptr_to_compat(head), head_ptr);
-
-err_unlock:
-       rcu_read_unlock();
-
-       return ret;
 }
 #endif /* CONFIG_COMPAT */