)]}'
{
  "commit": "ba73fa7fea97f67245b4aea7bfb5328dff53f188",
  "tree": "6f56282fdab67c2e8def6c32c67a6f07fcbf00b8",
  "parents": [
    "78ec6c3111487c45bda96ce1aecf056f9df67017"
  ],
  "author": {
    "name": "Pranav Tyagi",
    "email": "pranav.tyagi03@gmail.com",
    "time": "Mon Sep 15 23:51:54 2025 +0530"
  },
  "committer": {
    "name": "Daniel Velasquez",
    "email": "rdvelasquez@google.com",
    "time": "Fri Dec 12 13:41:51 2025 -0800"
  },
  "message": "futex: Don\u0027t leak robust_list pointer on exec race\n\n[ Upstream commit 6b54082c3ed4dc9821cdf0edb17302355cc5bb45 ]\n\nsys_get_robust_list() and compat_get_robust_list() use ptrace_may_access()\nto check if the calling task is allowed to access another task\u0027s\nrobust_list pointer. This check is racy against a concurrent exec() in the\ntarget process.\n\nDuring exec(), a task may transition from a non-privileged binary to a\nprivileged one (e.g., setuid binary) and its credentials/memory mappings\nmay change. If get_robust_list() performs ptrace_may_access() before\nthis transition, it may erroneously allow access to sensitive information\nafter the target becomes privileged.\n\nA racy access allows an attacker to exploit a window during which\nptrace_may_access() passes before a target process transitions to a\nprivileged state via exec().\n\nFor example, consider a non-privileged task T that is about to execute a\nsetuid-root binary. An attacker task A calls get_robust_list(T) while T\nis still unprivileged. Since ptrace_may_access() checks permissions\nbased on current credentials, it succeeds. However, if T begins exec\nimmediately afterwards, it becomes privileged and may change its memory\nmappings. Because get_robust_list() proceeds to access T-\u003erobust_list\nwithout synchronizing with exec() it may read user-space pointers from a\nnow-privileged process.\n\nThis violates the intended post-exec access restrictions and could\nexpose sensitive memory addresses or be used as a primitive in a larger\nexploit chain. Consequently, the race can lead to unauthorized\ndisclosure of information across privilege boundaries and poses a\npotential security risk.\n\nTake a read lock on signal-\u003eexec_update_lock prior to invoking\nptrace_may_access() and accessing the robust_list/compat_robust_list.\nThis ensures that the target task\u0027s exec state remains stable during the\ncheck, allowing for consistent and synchronized validation of\ncredentials.\n\nBUG\u003db/467363716\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed CVE-2025-40341 in the Linux kernel.\n\ncos-patch: security-moderate\nSuggested-by: Jann Horn \u003cjann@thejh.net\u003e\nChange-Id: I6b99ebcbc800522baa5e70930bbb47ca73a67b7b\nSigned-off-by: Pranav Tyagi \u003cpranav.tyagi03@gmail.com\u003e\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nLink: https://lore.kernel.org/linux-fsdevel/1477863998-3298-5-git-send-email-jann@thejh.net/\nLink: https://github.com/KSPP/linux/issues/119\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\nSigned-off-by: Kernel CVE Triage Automation \u003ccloud-image-kernel-cve-triage-automation@prod.google.com\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/121561\nReviewed-by: Angel Adetula \u003cangeladetula@google.com\u003e\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nReviewed-by: Daniel Velasquez \u003crdvelasquez@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "6af241bd9fa3d37cfe6d4e4377dee3ba73dcfa45",
      "old_mode": 33188,
      "old_path": "kernel/futex/syscalls.c",
      "new_id": "5ab29a87bb043f3910d98f0224650cc2794da797",
      "new_mode": 33188,
      "new_path": "kernel/futex/syscalls.c"
    }
  ]
}