kernel/futex/syscalls.c | 108 +++++++++++++++++++++------------------- 1 file changed, 58 insertions(+), 50 deletions(-)
sys_get_robust_list() and compat_get_robust_list() use
ptrace_may_access() to check if the calling task is allowed to access
another task's robust_list pointer. This check is racy against a
concurrent exec() in the target process.
During exec(), a task may transition from a non-privileged binary to a
privileged one (e.g., setuid binary) and its credentials/memory mappings
may change. If get_robust_list() performs ptrace_may_access() before
this transition, it may erroneously allow access to sensitive information
after the target becomes privileged.
A racy access allows an attacker to exploit a window
during which ptrace_may_access() passes before a target process
transitions to a privileged state via exec().
For example, consider a non-privileged task T that is about to execute a
setuid-root binary. An attacker task A calls get_robust_list(T) while T
is still unprivileged. Since ptrace_may_access() checks permissions
based on current credentials, it succeeds. However, if T begins exec
immediately afterwards, it becomes privileged and may change its memory
mappings. Because get_robust_list() proceeds to access T->robust_list
without synchronizing with exec() it may read user-space pointers from a
now-privileged process.
This violates the intended post-exec access restrictions and could
expose sensitive memory addresses or be used as a primitive in a larger
exploit chain. Consequently, the race can lead to unauthorized
disclosure of information across privilege boundaries and poses a
potential security risk.
Take a read lock on signal->exec_update_lock prior to invoking
ptrace_may_access() and accessing the robust_list/compat_robust_list.
This ensures that the target task's exec state remains stable during the
check, allowing for consistent and synchronized validation of
credentials.
Signed-off-by: Pranav Tyagi <pranav.tyagi03@gmail.com>
Suggested-by: Jann Horn <jann@thejh.net>
Link: https://lore.kernel.org/linux-fsdevel/1477863998-3298-5-git-send-email-jann@thejh.net/
Link: https://github.com/KSPP/linux/issues/119
---
changed in v4:
- added task_robust_list() function
changed in v3:
- replaced RCU with scoped_guard(rcu)
- corrected error return type cast
- added IS_ENABLED(CONFIG_COMPAT) for ensuring compatability
- removed stray newlines and unnecessary line breaks
changed in v2:
- improved changelog
- helper function for common part of compat and native syscalls
kernel/futex/syscalls.c | 108 +++++++++++++++++++++-------------------
1 file changed, 58 insertions(+), 50 deletions(-)
diff --git a/kernel/futex/syscalls.c b/kernel/futex/syscalls.c
index 4b6da9116aa6..0da33abc2f17 100644
--- a/kernel/futex/syscalls.c
+++ b/kernel/futex/syscalls.c
@@ -39,6 +39,58 @@ SYSCALL_DEFINE2(set_robust_list, struct robust_list_head __user *, head,
return 0;
}
+static inline void __user *task_robust_list(struct task_struct *p, bool compat)
+{
+#ifdef CONFIG_COMPAT
+ if (compat)
+ return p->compat_robust_list;
+#endif
+ return p->robust_list;
+}
+
+static void __user *get_robust_list_common(int pid, bool compat)
+{
+ struct task_struct *p;
+ void __user *head;
+ unsigned long ret;
+
+ p = current;
+
+ scoped_guard(rcu) {
+ if (pid) {
+ p = find_task_by_vpid(pid);
+ if (!p)
+ return (void __user *)ERR_PTR(-ESRCH);
+ }
+ get_task_struct(p);
+ }
+
+ /*
+ * Hold exec_update_lock to serialize with concurrent exec()
+ * so ptrace_may_access() is checked against stable credentials
+ */
+ ret = down_read_killable(&p->signal->exec_update_lock);
+ if (ret)
+ goto err_put;
+
+ ret = -EPERM;
+ if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
+ goto err_unlock;
+
+ head = task_robust_list(p, compat);
+
+ up_read(&p->signal->exec_update_lock);
+ put_task_struct(p);
+
+ return head;
+
+err_unlock:
+ up_read(&p->signal->exec_update_lock);
+err_put:
+ put_task_struct(p);
+ return (void __user *)ERR_PTR(ret);
+}
+
/**
* sys_get_robust_list() - Get the robust-futex list head of a task
* @pid: pid of the process [zero for current task]
@@ -49,36 +101,14 @@ SYSCALL_DEFINE3(get_robust_list, int, pid,
struct robust_list_head __user * __user *, head_ptr,
size_t __user *, len_ptr)
{
- struct robust_list_head __user *head;
- unsigned long ret;
- struct task_struct *p;
-
- rcu_read_lock();
-
- ret = -ESRCH;
- if (!pid)
- p = current;
- else {
- p = find_task_by_vpid(pid);
- if (!p)
- goto err_unlock;
- }
+ struct robust_list_head __user *head = get_robust_list_common(pid, false);
- ret = -EPERM;
- if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
- goto err_unlock;
-
- head = p->robust_list;
- rcu_read_unlock();
+ if (IS_ERR(head))
+ return PTR_ERR(head);
if (put_user(sizeof(*head), len_ptr))
return -EFAULT;
return put_user(head, head_ptr);
-
-err_unlock:
- rcu_read_unlock();
-
- return ret;
}
long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
@@ -455,36 +485,14 @@ COMPAT_SYSCALL_DEFINE3(get_robust_list, int, pid,
compat_uptr_t __user *, head_ptr,
compat_size_t __user *, len_ptr)
{
- struct compat_robust_list_head __user *head;
- unsigned long ret;
- struct task_struct *p;
-
- rcu_read_lock();
-
- ret = -ESRCH;
- if (!pid)
- p = current;
- else {
- p = find_task_by_vpid(pid);
- if (!p)
- goto err_unlock;
- }
-
- ret = -EPERM;
- if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
- goto err_unlock;
+ struct compat_robust_list_head __user *head = get_robust_list_common(pid, true);
- head = p->compat_robust_list;
- rcu_read_unlock();
+ if (IS_ERR(head))
+ return PTR_ERR(head);
if (put_user(sizeof(*head), len_ptr))
return -EFAULT;
return put_user(ptr_to_compat(head), head_ptr);
-
-err_unlock:
- rcu_read_unlock();
-
- return ret;
}
#endif /* CONFIG_COMPAT */
--
2.49.0Hi Pranav,
Thanks for your patch! Some feedback bellow.
Em 13/08/2025 04:42, Pranav Tyagi escreveu:
> sys_get_robust_list() and compat_get_robust_list() use
> ptrace_may_access() to check if the calling task is allowed to access
> another task's robust_list pointer. This check is racy against a
> concurrent exec() in the target process.
>
> During exec(), a task may transition from a non-privileged binary to a
> privileged one (e.g., setuid binary) and its credentials/memory mappings
> may change. If get_robust_list() performs ptrace_may_access() before
> this transition, it may erroneously allow access to sensitive information
> after the target becomes privileged.
>
> A racy access allows an attacker to exploit a window
> during which ptrace_may_access() passes before a target process
> transitions to a privileged state via exec().
>
> For example, consider a non-privileged task T that is about to execute a
> setuid-root binary. An attacker task A calls get_robust_list(T) while T
> is still unprivileged. Since ptrace_may_access() checks permissions
> based on current credentials, it succeeds. However, if T begins exec
> immediately afterwards, it becomes privileged and may change its memory
> mappings. Because get_robust_list() proceeds to access T->robust_list
> without synchronizing with exec() it may read user-space pointers from a
> now-privileged process.
>
> This violates the intended post-exec access restrictions and could
> expose sensitive memory addresses or be used as a primitive in a larger
> exploit chain. Consequently, the race can lead to unauthorized
> disclosure of information across privilege boundaries and poses a
> potential security risk.
>
> Take a read lock on signal->exec_update_lock prior to invoking
> ptrace_may_access() and accessing the robust_list/compat_robust_list.
> This ensures that the target task's exec state remains stable during the
> check, allowing for consistent and synchronized validation of
> credentials.
>
> Signed-off-by: Pranav Tyagi <pranav.tyagi03@gmail.com>
> Suggested-by: Jann Horn <jann@thejh.net>
> Link: https://lore.kernel.org/linux-fsdevel/1477863998-3298-5-git-send-email-jann@thejh.net/
> Link: https://github.com/KSPP/linux/issues/119
> ---
> changed in v4:
> - added task_robust_list() function
> changed in v3:
> - replaced RCU with scoped_guard(rcu)
> - corrected error return type cast
> - added IS_ENABLED(CONFIG_COMPAT) for ensuring compatability
> - removed stray newlines and unnecessary line breaks
> changed in v2:
> - improved changelog
> - helper function for common part of compat and native syscalls
>
> kernel/futex/syscalls.c | 108 +++++++++++++++++++++-------------------
> 1 file changed, 58 insertions(+), 50 deletions(-)
>
> diff --git a/kernel/futex/syscalls.c b/kernel/futex/syscalls.c
> index 4b6da9116aa6..0da33abc2f17 100644
> --- a/kernel/futex/syscalls.c
> +++ b/kernel/futex/syscalls.c
> @@ -39,6 +39,58 @@ SYSCALL_DEFINE2(set_robust_list, struct robust_list_head __user *, head,
> return 0;
> }
>
> +static inline void __user *task_robust_list(struct task_struct *p, bool compat)
Function names inside of kernel/futex/ have the futex_ prefix
> +{
> +#ifdef CONFIG_COMPAT
> + if (compat)
> + return p->compat_robust_list;
> +#endif
> + return p->robust_list;
> +}
> +
> +static void __user *get_robust_list_common(int pid, bool compat)
Same here
> +{
> + struct task_struct *p;
> + void __user *head;
> + unsigned long ret;
down_read_killable() returns a int, but you are storing the return value
in an unsigned long.
> +
> + p = current;
Could this be initialized in the declaration?
> +
> + scoped_guard(rcu) {
> + if (pid) {
> + p = find_task_by_vpid(pid);
> + if (!p)
> + return (void __user *)ERR_PTR(-ESRCH);
> + }
> + get_task_struct(p);
> + }
> +
> + /*
> + * Hold exec_update_lock to serialize with concurrent exec()
> + * so ptrace_may_access() is checked against stable credentials
> + */
> + ret = down_read_killable(&p->signal->exec_update_lock);
> + if (ret)
> + goto err_put;
> +
> + ret = -EPERM;
> + if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
> + goto err_unlock;
> +
> + head = task_robust_list(p, compat);
> +
> + up_read(&p->signal->exec_update_lock);
> + put_task_struct(p);
> +
> + return head;
> +
> +err_unlock:
> + up_read(&p->signal->exec_update_lock);
> +err_put:
> + put_task_struct(p);
> + return (void __user *)ERR_PTR(ret);
> +}
> +
> /**
> * sys_get_robust_list() - Get the robust-futex list head of a task
> * @pid: pid of the process [zero for current task]
> @@ -49,36 +101,14 @@ SYSCALL_DEFINE3(get_robust_list, int, pid,
> struct robust_list_head __user * __user *, head_ptr,
> size_t __user *, len_ptr)
> {
> - struct robust_list_head __user *head;
> - unsigned long ret;
> - struct task_struct *p;
> -
> - rcu_read_lock();
> -
> - ret = -ESRCH;
> - if (!pid)
> - p = current;
> - else {
> - p = find_task_by_vpid(pid);
> - if (!p)
> - goto err_unlock;
> - }
> + struct robust_list_head __user *head = get_robust_list_common(pid, false);
>
> - ret = -EPERM;
> - if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
> - goto err_unlock;
> -
> - head = p->robust_list;
> - rcu_read_unlock();
> + if (IS_ERR(head))
> + return PTR_ERR(head);
>
> if (put_user(sizeof(*head), len_ptr))
> return -EFAULT;
> return put_user(head, head_ptr);
> -
> -err_unlock:
> - rcu_read_unlock();
> -
> - return ret;
> }
>
> long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
> @@ -455,36 +485,14 @@ COMPAT_SYSCALL_DEFINE3(get_robust_list, int, pid,
> compat_uptr_t __user *, head_ptr,
> compat_size_t __user *, len_ptr)
> {
> - struct compat_robust_list_head __user *head;
> - unsigned long ret;
> - struct task_struct *p;
> -
> - rcu_read_lock();
> -
> - ret = -ESRCH;
> - if (!pid)
> - p = current;
> - else {
> - p = find_task_by_vpid(pid);
> - if (!p)
> - goto err_unlock;
> - }
> -
> - ret = -EPERM;
> - if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
> - goto err_unlock;
> + struct compat_robust_list_head __user *head = get_robust_list_common(pid, true);
>
> - head = p->compat_robust_list;
> - rcu_read_unlock();
> + if (IS_ERR(head))
> + return PTR_ERR(head);
>
> if (put_user(sizeof(*head), len_ptr))
> return -EFAULT;
> return put_user(ptr_to_compat(head), head_ptr);
> -
> -err_unlock:
> - rcu_read_unlock();
> -
> - return ret;
> }
> #endif /* CONFIG_COMPAT */
>
On Fri, Sep 5, 2025 at 1:22 AM André Almeida <andrealmeid@igalia.com> wrote:
>
> Hi Pranav,
>
> Thanks for your patch! Some feedback bellow.
>
> Em 13/08/2025 04:42, Pranav Tyagi escreveu:
> > sys_get_robust_list() and compat_get_robust_list() use
> > ptrace_may_access() to check if the calling task is allowed to access
> > another task's robust_list pointer. This check is racy against a
> > concurrent exec() in the target process.
> >
> > During exec(), a task may transition from a non-privileged binary to a
> > privileged one (e.g., setuid binary) and its credentials/memory mappings
> > may change. If get_robust_list() performs ptrace_may_access() before
> > this transition, it may erroneously allow access to sensitive information
> > after the target becomes privileged.
> >
> > A racy access allows an attacker to exploit a window
> > during which ptrace_may_access() passes before a target process
> > transitions to a privileged state via exec().
> >
> > For example, consider a non-privileged task T that is about to execute a
> > setuid-root binary. An attacker task A calls get_robust_list(T) while T
> > is still unprivileged. Since ptrace_may_access() checks permissions
> > based on current credentials, it succeeds. However, if T begins exec
> > immediately afterwards, it becomes privileged and may change its memory
> > mappings. Because get_robust_list() proceeds to access T->robust_list
> > without synchronizing with exec() it may read user-space pointers from a
> > now-privileged process.
> >
> > This violates the intended post-exec access restrictions and could
> > expose sensitive memory addresses or be used as a primitive in a larger
> > exploit chain. Consequently, the race can lead to unauthorized
> > disclosure of information across privilege boundaries and poses a
> > potential security risk.
> >
> > Take a read lock on signal->exec_update_lock prior to invoking
> > ptrace_may_access() and accessing the robust_list/compat_robust_list.
> > This ensures that the target task's exec state remains stable during the
> > check, allowing for consistent and synchronized validation of
> > credentials.
> >
> > Signed-off-by: Pranav Tyagi <pranav.tyagi03@gmail.com>
> > Suggested-by: Jann Horn <jann@thejh.net>
> > Link: https://lore.kernel.org/linux-fsdevel/1477863998-3298-5-git-send-email-jann@thejh.net/
> > Link: https://github.com/KSPP/linux/issues/119
> > ---
> > changed in v4:
> > - added task_robust_list() function
> > changed in v3:
> > - replaced RCU with scoped_guard(rcu)
> > - corrected error return type cast
> > - added IS_ENABLED(CONFIG_COMPAT) for ensuring compatability
> > - removed stray newlines and unnecessary line breaks
> > changed in v2:
> > - improved changelog
> > - helper function for common part of compat and native syscalls
> >
> > kernel/futex/syscalls.c | 108 +++++++++++++++++++++-------------------
> > 1 file changed, 58 insertions(+), 50 deletions(-)
> >
> > diff --git a/kernel/futex/syscalls.c b/kernel/futex/syscalls.c
> > index 4b6da9116aa6..0da33abc2f17 100644
> > --- a/kernel/futex/syscalls.c
> > +++ b/kernel/futex/syscalls.c
> > @@ -39,6 +39,58 @@ SYSCALL_DEFINE2(set_robust_list, struct robust_list_head __user *, head,
> > return 0;
> > }
> >
> > +static inline void __user *task_robust_list(struct task_struct *p, bool compat)
>
> Function names inside of kernel/futex/ have the futex_ prefix
>
> > +{
> > +#ifdef CONFIG_COMPAT
> > + if (compat)
> > + return p->compat_robust_list;
> > +#endif
> > + return p->robust_list;
> > +}
> > +
> > +static void __user *get_robust_list_common(int pid, bool compat)
>
> Same here
>
> > +{
> > + struct task_struct *p;
> > + void __user *head;
> > + unsigned long ret;
>
> down_read_killable() returns a int, but you are storing the return value
> in an unsigned long.
>
> > +
> > + p = current;
>
> Could this be initialized in the declaration?
>
> > +
> > + scoped_guard(rcu) {
> > + if (pid) {
> > + p = find_task_by_vpid(pid);
> > + if (!p)
> > + return (void __user *)ERR_PTR(-ESRCH);
> > + }
> > + get_task_struct(p);
> > + }
> > +
> > + /*
> > + * Hold exec_update_lock to serialize with concurrent exec()
> > + * so ptrace_may_access() is checked against stable credentials
> > + */
> > + ret = down_read_killable(&p->signal->exec_update_lock);
> > + if (ret)
> > + goto err_put;
> > +
> > + ret = -EPERM;
> > + if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
> > + goto err_unlock;
> > +
> > + head = task_robust_list(p, compat);
> > +
> > + up_read(&p->signal->exec_update_lock);
> > + put_task_struct(p);
> > +
> > + return head;
> > +
> > +err_unlock:
> > + up_read(&p->signal->exec_update_lock);
> > +err_put:
> > + put_task_struct(p);
> > + return (void __user *)ERR_PTR(ret);
> > +}
> > +
> > /**
> > * sys_get_robust_list() - Get the robust-futex list head of a task
> > * @pid: pid of the process [zero for current task]
> > @@ -49,36 +101,14 @@ SYSCALL_DEFINE3(get_robust_list, int, pid,
> > struct robust_list_head __user * __user *, head_ptr,
> > size_t __user *, len_ptr)
> > {
> > - struct robust_list_head __user *head;
> > - unsigned long ret;
> > - struct task_struct *p;
> > -
> > - rcu_read_lock();
> > -
> > - ret = -ESRCH;
> > - if (!pid)
> > - p = current;
> > - else {
> > - p = find_task_by_vpid(pid);
> > - if (!p)
> > - goto err_unlock;
> > - }
> > + struct robust_list_head __user *head = get_robust_list_common(pid, false);
> >
> > - ret = -EPERM;
> > - if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
> > - goto err_unlock;
> > -
> > - head = p->robust_list;
> > - rcu_read_unlock();
> > + if (IS_ERR(head))
> > + return PTR_ERR(head);
> >
> > if (put_user(sizeof(*head), len_ptr))
> > return -EFAULT;
> > return put_user(head, head_ptr);
> > -
> > -err_unlock:
> > - rcu_read_unlock();
> > -
> > - return ret;
> > }
> >
> > long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
> > @@ -455,36 +485,14 @@ COMPAT_SYSCALL_DEFINE3(get_robust_list, int, pid,
> > compat_uptr_t __user *, head_ptr,
> > compat_size_t __user *, len_ptr)
> > {
> > - struct compat_robust_list_head __user *head;
> > - unsigned long ret;
> > - struct task_struct *p;
> > -
> > - rcu_read_lock();
> > -
> > - ret = -ESRCH;
> > - if (!pid)
> > - p = current;
> > - else {
> > - p = find_task_by_vpid(pid);
> > - if (!p)
> > - goto err_unlock;
> > - }
> > -
> > - ret = -EPERM;
> > - if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
> > - goto err_unlock;
> > + struct compat_robust_list_head __user *head = get_robust_list_common(pid, true);
> >
> > - head = p->compat_robust_list;
> > - rcu_read_unlock();
> > + if (IS_ERR(head))
> > + return PTR_ERR(head);
> >
> > if (put_user(sizeof(*head), len_ptr))
> > return -EFAULT;
> > return put_user(ptr_to_compat(head), head_ptr);
> > -
> > -err_unlock:
> > - rcu_read_unlock();
> > -
> > - return ret;
> > }
> > #endif /* CONFIG_COMPAT */
> >
>
Hi André,
Thanks for the feedback. I will make all the changes as per your observations
and send a v5.
Regards
Pranav Tyagi
On Wed, Aug 13, 2025 at 1:12 PM Pranav Tyagi <pranav.tyagi03@gmail.com> wrote:
>
> sys_get_robust_list() and compat_get_robust_list() use
> ptrace_may_access() to check if the calling task is allowed to access
> another task's robust_list pointer. This check is racy against a
> concurrent exec() in the target process.
>
> During exec(), a task may transition from a non-privileged binary to a
> privileged one (e.g., setuid binary) and its credentials/memory mappings
> may change. If get_robust_list() performs ptrace_may_access() before
> this transition, it may erroneously allow access to sensitive information
> after the target becomes privileged.
>
> A racy access allows an attacker to exploit a window
> during which ptrace_may_access() passes before a target process
> transitions to a privileged state via exec().
>
> For example, consider a non-privileged task T that is about to execute a
> setuid-root binary. An attacker task A calls get_robust_list(T) while T
> is still unprivileged. Since ptrace_may_access() checks permissions
> based on current credentials, it succeeds. However, if T begins exec
> immediately afterwards, it becomes privileged and may change its memory
> mappings. Because get_robust_list() proceeds to access T->robust_list
> without synchronizing with exec() it may read user-space pointers from a
> now-privileged process.
>
> This violates the intended post-exec access restrictions and could
> expose sensitive memory addresses or be used as a primitive in a larger
> exploit chain. Consequently, the race can lead to unauthorized
> disclosure of information across privilege boundaries and poses a
> potential security risk.
>
> Take a read lock on signal->exec_update_lock prior to invoking
> ptrace_may_access() and accessing the robust_list/compat_robust_list.
> This ensures that the target task's exec state remains stable during the
> check, allowing for consistent and synchronized validation of
> credentials.
>
> Signed-off-by: Pranav Tyagi <pranav.tyagi03@gmail.com>
> Suggested-by: Jann Horn <jann@thejh.net>
> Link: https://lore.kernel.org/linux-fsdevel/1477863998-3298-5-git-send-email-jann@thejh.net/
> Link: https://github.com/KSPP/linux/issues/119
> ---
> changed in v4:
> - added task_robust_list() function
> changed in v3:
> - replaced RCU with scoped_guard(rcu)
> - corrected error return type cast
> - added IS_ENABLED(CONFIG_COMPAT) for ensuring compatability
> - removed stray newlines and unnecessary line breaks
> changed in v2:
> - improved changelog
> - helper function for common part of compat and native syscalls
>
> kernel/futex/syscalls.c | 108 +++++++++++++++++++++-------------------
> 1 file changed, 58 insertions(+), 50 deletions(-)
>
> diff --git a/kernel/futex/syscalls.c b/kernel/futex/syscalls.c
> index 4b6da9116aa6..0da33abc2f17 100644
> --- a/kernel/futex/syscalls.c
> +++ b/kernel/futex/syscalls.c
> @@ -39,6 +39,58 @@ SYSCALL_DEFINE2(set_robust_list, struct robust_list_head __user *, head,
> return 0;
> }
>
> +static inline void __user *task_robust_list(struct task_struct *p, bool compat)
> +{
> +#ifdef CONFIG_COMPAT
> + if (compat)
> + return p->compat_robust_list;
> +#endif
> + return p->robust_list;
> +}
> +
> +static void __user *get_robust_list_common(int pid, bool compat)
> +{
> + struct task_struct *p;
> + void __user *head;
> + unsigned long ret;
> +
> + p = current;
> +
> + scoped_guard(rcu) {
> + if (pid) {
> + p = find_task_by_vpid(pid);
> + if (!p)
> + return (void __user *)ERR_PTR(-ESRCH);
> + }
> + get_task_struct(p);
> + }
> +
> + /*
> + * Hold exec_update_lock to serialize with concurrent exec()
> + * so ptrace_may_access() is checked against stable credentials
> + */
> + ret = down_read_killable(&p->signal->exec_update_lock);
> + if (ret)
> + goto err_put;
> +
> + ret = -EPERM;
> + if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
> + goto err_unlock;
> +
> + head = task_robust_list(p, compat);
> +
> + up_read(&p->signal->exec_update_lock);
> + put_task_struct(p);
> +
> + return head;
> +
> +err_unlock:
> + up_read(&p->signal->exec_update_lock);
> +err_put:
> + put_task_struct(p);
> + return (void __user *)ERR_PTR(ret);
> +}
> +
> /**
> * sys_get_robust_list() - Get the robust-futex list head of a task
> * @pid: pid of the process [zero for current task]
> @@ -49,36 +101,14 @@ SYSCALL_DEFINE3(get_robust_list, int, pid,
> struct robust_list_head __user * __user *, head_ptr,
> size_t __user *, len_ptr)
> {
> - struct robust_list_head __user *head;
> - unsigned long ret;
> - struct task_struct *p;
> -
> - rcu_read_lock();
> -
> - ret = -ESRCH;
> - if (!pid)
> - p = current;
> - else {
> - p = find_task_by_vpid(pid);
> - if (!p)
> - goto err_unlock;
> - }
> + struct robust_list_head __user *head = get_robust_list_common(pid, false);
>
> - ret = -EPERM;
> - if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
> - goto err_unlock;
> -
> - head = p->robust_list;
> - rcu_read_unlock();
> + if (IS_ERR(head))
> + return PTR_ERR(head);
>
> if (put_user(sizeof(*head), len_ptr))
> return -EFAULT;
> return put_user(head, head_ptr);
> -
> -err_unlock:
> - rcu_read_unlock();
> -
> - return ret;
> }
>
> long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
> @@ -455,36 +485,14 @@ COMPAT_SYSCALL_DEFINE3(get_robust_list, int, pid,
> compat_uptr_t __user *, head_ptr,
> compat_size_t __user *, len_ptr)
> {
> - struct compat_robust_list_head __user *head;
> - unsigned long ret;
> - struct task_struct *p;
> -
> - rcu_read_lock();
> -
> - ret = -ESRCH;
> - if (!pid)
> - p = current;
> - else {
> - p = find_task_by_vpid(pid);
> - if (!p)
> - goto err_unlock;
> - }
> -
> - ret = -EPERM;
> - if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
> - goto err_unlock;
> + struct compat_robust_list_head __user *head = get_robust_list_common(pid, true);
>
> - head = p->compat_robust_list;
> - rcu_read_unlock();
> + if (IS_ERR(head))
> + return PTR_ERR(head);
>
> if (put_user(sizeof(*head), len_ptr))
> return -EFAULT;
> return put_user(ptr_to_compat(head), head_ptr);
> -
> -err_unlock:
> - rcu_read_unlock();
> -
> - return ret;
> }
> #endif /* CONFIG_COMPAT */
>
> --
> 2.49.0
>
Hi,
Gentle ping. I am looking forward to any suggestions on this patch and
would be more than happy to make any necessary changes.
Regards
Pranav Tyagi
On Wed, Aug 13, 2025 at 1:12 PM Pranav Tyagi <pranav.tyagi03@gmail.com> wrote:
>
> sys_get_robust_list() and compat_get_robust_list() use
> ptrace_may_access() to check if the calling task is allowed to access
> another task's robust_list pointer. This check is racy against a
> concurrent exec() in the target process.
>
> During exec(), a task may transition from a non-privileged binary to a
> privileged one (e.g., setuid binary) and its credentials/memory mappings
> may change. If get_robust_list() performs ptrace_may_access() before
> this transition, it may erroneously allow access to sensitive information
> after the target becomes privileged.
>
> A racy access allows an attacker to exploit a window
> during which ptrace_may_access() passes before a target process
> transitions to a privileged state via exec().
>
> For example, consider a non-privileged task T that is about to execute a
> setuid-root binary. An attacker task A calls get_robust_list(T) while T
> is still unprivileged. Since ptrace_may_access() checks permissions
> based on current credentials, it succeeds. However, if T begins exec
> immediately afterwards, it becomes privileged and may change its memory
> mappings. Because get_robust_list() proceeds to access T->robust_list
> without synchronizing with exec() it may read user-space pointers from a
> now-privileged process.
>
> This violates the intended post-exec access restrictions and could
> expose sensitive memory addresses or be used as a primitive in a larger
> exploit chain. Consequently, the race can lead to unauthorized
> disclosure of information across privilege boundaries and poses a
> potential security risk.
>
> Take a read lock on signal->exec_update_lock prior to invoking
> ptrace_may_access() and accessing the robust_list/compat_robust_list.
> This ensures that the target task's exec state remains stable during the
> check, allowing for consistent and synchronized validation of
> credentials.
>
> Signed-off-by: Pranav Tyagi <pranav.tyagi03@gmail.com>
> Suggested-by: Jann Horn <jann@thejh.net>
> Link: https://lore.kernel.org/linux-fsdevel/1477863998-3298-5-git-send-email-jann@thejh.net/
> Link: https://github.com/KSPP/linux/issues/119
> ---
> changed in v4:
> - added task_robust_list() function
> changed in v3:
> - replaced RCU with scoped_guard(rcu)
> - corrected error return type cast
> - added IS_ENABLED(CONFIG_COMPAT) for ensuring compatability
> - removed stray newlines and unnecessary line breaks
> changed in v2:
> - improved changelog
> - helper function for common part of compat and native syscalls
>
> kernel/futex/syscalls.c | 108 +++++++++++++++++++++-------------------
> 1 file changed, 58 insertions(+), 50 deletions(-)
>
> diff --git a/kernel/futex/syscalls.c b/kernel/futex/syscalls.c
> index 4b6da9116aa6..0da33abc2f17 100644
> --- a/kernel/futex/syscalls.c
> +++ b/kernel/futex/syscalls.c
> @@ -39,6 +39,58 @@ SYSCALL_DEFINE2(set_robust_list, struct robust_list_head __user *, head,
> return 0;
> }
>
> +static inline void __user *task_robust_list(struct task_struct *p, bool compat)
> +{
> +#ifdef CONFIG_COMPAT
> + if (compat)
> + return p->compat_robust_list;
> +#endif
> + return p->robust_list;
> +}
> +
> +static void __user *get_robust_list_common(int pid, bool compat)
> +{
> + struct task_struct *p;
> + void __user *head;
> + unsigned long ret;
> +
> + p = current;
> +
> + scoped_guard(rcu) {
> + if (pid) {
> + p = find_task_by_vpid(pid);
> + if (!p)
> + return (void __user *)ERR_PTR(-ESRCH);
> + }
> + get_task_struct(p);
> + }
> +
> + /*
> + * Hold exec_update_lock to serialize with concurrent exec()
> + * so ptrace_may_access() is checked against stable credentials
> + */
> + ret = down_read_killable(&p->signal->exec_update_lock);
> + if (ret)
> + goto err_put;
> +
> + ret = -EPERM;
> + if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
> + goto err_unlock;
> +
> + head = task_robust_list(p, compat);
> +
> + up_read(&p->signal->exec_update_lock);
> + put_task_struct(p);
> +
> + return head;
> +
> +err_unlock:
> + up_read(&p->signal->exec_update_lock);
> +err_put:
> + put_task_struct(p);
> + return (void __user *)ERR_PTR(ret);
> +}
> +
> /**
> * sys_get_robust_list() - Get the robust-futex list head of a task
> * @pid: pid of the process [zero for current task]
> @@ -49,36 +101,14 @@ SYSCALL_DEFINE3(get_robust_list, int, pid,
> struct robust_list_head __user * __user *, head_ptr,
> size_t __user *, len_ptr)
> {
> - struct robust_list_head __user *head;
> - unsigned long ret;
> - struct task_struct *p;
> -
> - rcu_read_lock();
> -
> - ret = -ESRCH;
> - if (!pid)
> - p = current;
> - else {
> - p = find_task_by_vpid(pid);
> - if (!p)
> - goto err_unlock;
> - }
> + struct robust_list_head __user *head = get_robust_list_common(pid, false);
>
> - ret = -EPERM;
> - if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
> - goto err_unlock;
> -
> - head = p->robust_list;
> - rcu_read_unlock();
> + if (IS_ERR(head))
> + return PTR_ERR(head);
>
> if (put_user(sizeof(*head), len_ptr))
> return -EFAULT;
> return put_user(head, head_ptr);
> -
> -err_unlock:
> - rcu_read_unlock();
> -
> - return ret;
> }
>
> long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
> @@ -455,36 +485,14 @@ COMPAT_SYSCALL_DEFINE3(get_robust_list, int, pid,
> compat_uptr_t __user *, head_ptr,
> compat_size_t __user *, len_ptr)
> {
> - struct compat_robust_list_head __user *head;
> - unsigned long ret;
> - struct task_struct *p;
> -
> - rcu_read_lock();
> -
> - ret = -ESRCH;
> - if (!pid)
> - p = current;
> - else {
> - p = find_task_by_vpid(pid);
> - if (!p)
> - goto err_unlock;
> - }
> -
> - ret = -EPERM;
> - if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
> - goto err_unlock;
> + struct compat_robust_list_head __user *head = get_robust_list_common(pid, true);
>
> - head = p->compat_robust_list;
> - rcu_read_unlock();
> + if (IS_ERR(head))
> + return PTR_ERR(head);
>
> if (put_user(sizeof(*head), len_ptr))
> return -EFAULT;
> return put_user(ptr_to_compat(head), head_ptr);
> -
> -err_unlock:
> - rcu_read_unlock();
> -
> - return ret;
> }
> #endif /* CONFIG_COMPAT */
>
> --
> 2.49.0
>
Hi,
This is a gentle follow-up on this patch. Please let me know if any further
changes are required.
Regards
Pranav Tyagi
© 2016 - 2025 Red Hat, Inc.