Acknowledged

LIN1023-17327 : Security Advisory - linux - CVE-2025-40341

Created: Dec 10, 2025    Updated: Dec 12, 2025
Found In Version: 10.23.30.1
Severity: Standard
Applicable for: Wind River Linux LTS 23
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

futex: Don't leak robust_list pointer on exec race

sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to access another task's robust_list pointer. This check is racy against a concurrent exec() in the target process.

During exec(), a task may transition from a non-privileged binary to a privileged one (e.g., a setuid binary) and its credentials and memory mappings may change. If get_robust_list() performs ptrace_may_access() before this transition, it may erroneously allow access to sensitive information after the target becomes privileged.

A racy access allows an attacker to exploit a window during which ptrace_may_access() passes before a target process transitions to a privileged state via exec().

For example, consider a non-privileged task T that is about to execute a setuid-root binary. An attacker task A calls get_robust_list(T) while T is still unprivileged. Since ptrace_may_access() checks permissions based on current credentials, it succeeds. However, if T begins exec immediately afterwards, it becomes privileged and may change its memory mappings. Because get_robust_list() proceeds to access T->robust_list without synchronizing with exec(), it may read user-space pointers from a now-privileged process.

This violates the intended post-exec access restrictions and could expose sensitive memory addresses or be used as a primitive in a larger exploit chain. Consequently, the race can lead to unauthorized disclosure of information across privilege boundaries and poses a potential security risk.

Fix: take a read lock on signal->exec_update_lock prior to invoking ptrace_may_access() and accessing the robust_list/compat_robust_list. This ensures that the target task's exec state remains stable during the check, allowing for consistent and synchronized validation of credentials.
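The following C program is an added, single-threaded model of the check-then-use window described above and of the fix the advisory names; it is not kernel code and not Wind River's. The task structure, the reader/writer lock (a counter model of signal->exec_update_lock, whose real counterpart is an rw_semaphore on which the exec side sleeps rather than fails), the pointer values PRE_EXEC_LIST/POST_EXEC_LIST and the window hook are all constructed for illustration. The hook injects the setuid exec at the worst moment: between the ptrace_may_access() stand-in and the read of robust_list. On the unsynchronized path the caller reads the post-exec pointer; on the path that holds the read lock across both steps, exec cannot proceed until the reader is done, so the value read is consistent with the credentials that were checked.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Counter model of a reader/writer lock standing in for signal->exec_update_lock
 * (constructed; the real lock is an rw_semaphore whose writer blocks). */
struct rwlock_model { int readers; int writer; };

static void rw_read_lock(struct rwlock_model *l)   { l->readers++; }
static void rw_read_unlock(struct rwlock_model *l) { l->readers--; }
static int  rw_try_write_lock(struct rwlock_model *l)
{
    if (l->readers || l->writer)
        return -EBUSY;            /* a reader is in its critical section: exec must wait */
    l->writer = 1;
    return 0;
}
static void rw_write_unlock(struct rwlock_model *l) { l->writer = 0; }

/* Minimal task model: credentials collapse to one flag, plus the pointer that
 * get_robust_list() hands back. */
struct task {
    int privileged;               /* 0 before exec, 1 once a setuid binary runs */
    uintptr_t robust_list;        /* user-space pointer stored by set_robust_list() */
    struct rwlock_model exec_update_lock;
};

/* Constructed sample pointer values for the two process images. */
#define PRE_EXEC_LIST  ((uintptr_t)0x1000)
#define POST_EXEC_LIST ((uintptr_t)0x7f00)

/* Stand-in for ptrace_may_access(): an unprivileged caller may inspect only
 * targets that are still unprivileged. */
static int may_access(const struct task *caller, const struct task *target)
{
    return caller->privileged || !target->privileged;
}

/* Models exec() of a setuid-root binary: the new credentials and mappings are
 * installed under the write side of exec_update_lock. In this model exec is
 * simply deferred (returns -EBUSY) while a reader holds the lock. */
int exec_setuid(struct task *t)
{
    if (rw_try_write_lock(&t->exec_update_lock) != 0)
        return -EBUSY;
    t->privileged = 1;
    t->robust_list = POST_EXEC_LIST;
    rw_write_unlock(&t->exec_update_lock);
    return 0;
}

/* Hook invoked inside the check-to-use window so the harness can inject a
 * concurrent exec() at the worst possible moment. */
typedef void (*window_hook)(struct task *target);

/* Vulnerable shape: permission check and pointer read are two separate steps
 * with nothing preventing exec() from completing in between. */
int get_robust_list_racy(struct task *caller, struct task *target,
                         uintptr_t *out, window_hook in_window)
{
    if (!may_access(caller, target))
        return -EPERM;
    if (in_window)
        in_window(target);        /* exec() completes here */
    *out = target->robust_list;   /* pointer now belongs to a privileged image */
    return 0;
}

/* Fixed shape, mirroring the advisory: hold exec_update_lock for read across
 * both the check and the access so the target's exec state cannot change. */
int get_robust_list_fixed(struct task *caller, struct task *target,
                          uintptr_t *out, window_hook in_window)
{
    int ret = -EPERM;

    rw_read_lock(&target->exec_update_lock);
    if (may_access(caller, target)) {
        if (in_window)
            in_window(target);    /* exec() cannot take the write lock now */
        *out = target->robust_list; /* consistent with the credentials just checked */
        ret = 0;
    }
    rw_read_unlock(&target->exec_update_lock);
    return ret;
}

static void exec_during_window(struct task *t) { (void)exec_setuid(t); }

/* One unprivileged caller against a target that execs a setuid binary inside
 * the window. Returns the pointer the caller read, or 0 on -EPERM. */
uintptr_t observed_pointer(int use_fixed_path)
{
    struct task caller = { 0, 0, { 0, 0 } };
    struct task target = { 0, PRE_EXEC_LIST, { 0, 0 } };
    uintptr_t seen = 0;
    int ret = use_fixed_path
        ? get_robust_list_fixed(&caller, &target, &seen, exec_during_window)
        : get_robust_list_racy(&caller, &target, &seen, exec_during_window);
    return ret == 0 ? seen : 0;
}

int main(void)
{
    printf("unsynchronized read: 0x%lx\n", (unsigned long)observed_pointer(0));
    printf("locked read        : 0x%lx\n", (unsigned long)observed_pointer(1));
    return 0;
}
```

The point the model makes is structural rather than numeric: a permission check is only meaningful for the state it was evaluated against, so the check and the access it authorizes must sit inside the same critical section as whatever can change that state. In the kernel that section is the read side of exec_update_lock; exec's write side cannot begin until the reader leaves, and a caller that arrives after exec completes is rejected by ptrace_may_access() against the new credentials.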