]> git.ipfire.org Git - thirdparty/kernel/linux.git/commit
projects / thirdparty / kernel / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 8661bb9) | patch
exec: fix the racy usage of fs_struct->in_exec
authorOleg Nesterov <oleg@redhat.com>
Mon, 24 Mar 2025 16:00:03 +0000 (17:00 +0100)
committerChristian Brauner <brauner@kernel.org>
Tue, 25 Mar 2025 13:59:05 +0000 (14:59 +0100)
commitaf7bb0d2ca459f15cb5ca604dab5d9af103643f0
tree4681876f8bf4c256905b50d781315b718922bdddtree
parent8661bb9c717a07b7636224339fe8818b65db6ddfcommit | diff
exec: fix the racy usage of fs_struct->in_exec

check_unsafe_exec() sets fs->in_exec under cred_guard_mutex, then execve()
paths clear fs->in_exec lockless. This is fine if exec succeeds, but if it
fails we have the following race:

T1 sets fs->in_exec = 1, fails, drops cred_guard_mutex

T2 sets fs->in_exec = 1

T1 clears fs->in_exec

T2 continues with fs->in_exec == 0

Change fs/exec.c to clear fs->in_exec with cred_guard_mutex held.

Reported-by: syzbot+1c486d0b62032c82a968@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/67dc67f0.050a0220.25ae54.001f.GAE@google.com/
Cc: stable@vger.kernel.org
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Link: https://lore.kernel.org/r/20250324160003.GA8878@redhat.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
fs/exec.c diff | blob | blame | history
A mirror of Linus' kernel repository