Re: CVE-2025-22029: exec: fix the racy usage of fs_struct->in_exec

From: Greg Kroah-Hartman
Date: Thu May 01 2025 - 10:21:09 EST

Next message: Luca Weiss: "Re: [PATCH v3 2/5] ASoC: qcom: sm8250: set card driver name from match data"
Previous message: patchwork-bot+netdevbpf: "Re: [PATCH v2 net] net: lan743x: Fix memleak issue when GSO enabled"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Apr 30, 2025 at 01:20:33PM +0200, Oleg Nesterov wrote:
> On 04/30, Michal Hocko wrote:
> >
> > Based on a follow up update from Oleg[1] I would like to dispute this
> > CVE.
>
> Agreed. Let me quote my reply to my "fix", see
> https://lore.kernel.org/all/20250429154944.GA18907@xxxxxxxxxx/
>
> Damn, I am stupid.
>
> On 03/24, Oleg Nesterov wrote:
> >
> > check_unsafe_exec() sets fs->in_exec under cred_guard_mutex, then execve()
> > paths clear fs->in_exec lockless. This is fine if exec succeeds, but if it
> > fails we have the following race:
> >
> > T1 sets fs->in_exec = 1, fails, drops cred_guard_mutex
> >
> > T2 sets fs->in_exec = 1
> >
> > T1 clears fs->in_exec
>
> When I look at this code again, I think this race was not possible and thus
> this patch (applied as af7bb0d2ca45) was not needed.
>
> Yes, begin_new_exec() can drop cred_guard_mutex on failure, but only after
> de_thread() succeeds, when we can't race with another sub-thread.
>
> I hope this patch didn't make the things worse so we don't need to revert it.
> Plus I think it makes this (confusing) logic a bit more clear. Just, unless
> I am confused again, it wasn't really needed.
>
> Sorry for the confusion caused by my patch :/

Sorry for the delay, the CVE is now rejected, thanks.

greg k-h

Next message: Luca Weiss: "Re: [PATCH v3 2/5] ASoC: qcom: sm8250: set card driver name from match data"
Previous message: patchwork-bot+netdevbpf: "Re: [PATCH v2 net] net: lan743x: Fix memleak issue when GSO enabled"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]