| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250430112033.GA9277@redhat.com> Date: Wed, 30 Apr 2025 13:20:33 +0200 From: Oleg Nesterov <oleg@...hat.com> To: Michal Hocko <mhocko@...e.com> Cc: cve@...nel.org, linux-kernel@...r.kernel.org, linux-cve-announce@...r.kernel.org, Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: Re: CVE-2025-22029: exec: fix the racy usage of fs_struct->in_exec On 04/30, Michal Hocko wrote: > > Based on a follow up update from Oleg[1] I would like to dispute this > CVE. Agreed. Let me quote my reply to my "fix", see https://lore.kernel.org/all/20250429154944.GA18907@redhat.com/ Damn, I am stupid. On 03/24, Oleg Nesterov wrote: > > check_unsafe_exec() sets fs->in_exec under cred_guard_mutex, then execve() > paths clear fs->in_exec lockless. This is fine if exec succeeds, but if it > fails we have the following race: > > T1 sets fs->in_exec = 1, fails, drops cred_guard_mutex > > T2 sets fs->in_exec = 1 > > T1 clears fs->in_exec When I look at this code again, I think this race was not possible and thus this patch (applied as af7bb0d2ca45) was not needed. Yes, begin_new_exec() can drop cred_guard_mutex on failure, but only after de_thread() succeeds, when we can't race with another sub-thread. I hope this patch didn't make the things worse so we don't need to revert it. Plus I think it makes this (confusing) logic a bit more clear. Just, unless I am confused again, it wasn't really needed. Sorry for the confusion caused by my patch :/ Oleg.
Powered by blists - more mailing lists