Re: CVE Request -- kernel: futex: clear robust_list on execve

[Solar Designer <solar () openwall com>]

Petr, all -

On Tue, May 08, 2012 at 04:08:17AM +0400, Solar Designer wrote:
> Indeed, execve() may make the new process relatively privileged (SUID,
> SGID, fscaps), and thus being able to write into its memory is a
> security issue.  However, it appears that robust_list (and its compat
> counterpart) is only used for such writes when the process itself is
> exiting (with the aim being to notify other threads sharing the same
> mm).  If so, the question is whether and how writes into an exiting
> process' memory may be exploited.  We're already in do_exit() at this
> point, and it's just a few lines before we detach from and likely
> destroy the mm.  Well, if that process itself is multi-threaded (and
> other threads are not exiting yet), it possibly can be exploited
> (through affecting those other threads).

https://bugzilla.redhat.com/show_bug.cgi?id=771764#c4 describes that the
bug was inadvertently triggered in normal usage of certain programs, and
how it was rather difficult to figure out.  My question is: was exit of
a multi-threaded program involved and relevant?  If not, then there must
be something wrong with my reasoning, because I don't currently see how
the bug may otherwise have visible consequences.

Alexander