ghsa-r7m4-wpp2-9f3x
Vulnerability from github
Published
2025-11-13 00:30
Modified
2025-11-13 00:30
Details

In the Linux kernel, the following vulnerability has been resolved:

kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths

The usage of task_lock(tsk->group_leader) in sys_prlimit64()->do_prlimit() path is very broken.

sys_prlimit64() does get_task_struct(tsk) but this only protects task_struct itself. If tsk != current and tsk is not a leader, this process can exit/exec and task_lock(tsk->group_leader) may use the already freed task_struct.

Another problem is that sys_prlimit64() can race with mt-exec which changes ->group_leader. In this case do_prlimit() may take the wrong lock, or (worse) ->group_leader may change between task_lock() and task_unlock().

Change sys_prlimit64() to take tasklist_lock when necessary. This is not nice, but I don't see a better fix for -stable.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-40201"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-12T22:15:47Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernel/sys.c: fix the racy usage of task_lock(tsk-\u003egroup_leader) in sys_prlimit64() paths\n\nThe usage of task_lock(tsk-\u003egroup_leader) in sys_prlimit64()-\u003edo_prlimit()\npath is very broken.\n\nsys_prlimit64() does get_task_struct(tsk) but this only protects task_struct\nitself. If tsk != current and tsk is not a leader, this process can exit/exec\nand task_lock(tsk-\u003egroup_leader) may use the already freed task_struct.\n\nAnother problem is that sys_prlimit64() can race with mt-exec which changes\n-\u003egroup_leader. In this case do_prlimit() may take the wrong lock, or (worse)\n-\u003egroup_leader may change between task_lock() and task_unlock().\n\nChange sys_prlimit64() to take tasklist_lock when necessary. This is not\nnice, but I don\u0027t see a better fix for -stable.",
  "id": "GHSA-r7m4-wpp2-9f3x",
  "modified": "2025-11-13T00:30:18Z",
  "published": "2025-11-13T00:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40201"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/132f827e7bac7373e1522e89709d70b43cae5342"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/19b45c84bd9fd42fa97ff80c6350d604cb871c75"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1bc0d9315ef5296abb2c9fd840336255850ded18"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6796412decd2d8de8ec708213bbc958fab72f143"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a15f37a40145c986cdf289a4b88390f35efdecc4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.