Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Linux Kernel Race Condition Vulnerability in POSIX CPU Timers

Vulnerability

A race condition vulnerability has been identified in the Linux kernel's handling of POSIX CPU timers. The issue arises when an exiting non-autoreaping task that has already passed the exit_notify() stage invokes handle_posix_cpu_timers() from an interrupt context. At this point, the task can be reaped by its parent or debugger just after the unlock_task_sighand() call. If a posix_cpu_timer_del() operation runs concurrently, it may fail to recognize that the CPU timer is actively firing, because it cannot lock the task's signal handler state (sighand). The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability can lead to improper handling of CPU timers, potentially causing tasks to be incorrectly reaped or timed out.

Reproduction

To reproduce this vulnerability, create a non-autoreaping task that passes the exit_notify() stage. From an interrupt context, have the task call handle_posix_cpu_timers(). While this is happening, initiate a concurrent posix_cpu_timer_del() operation on the same task. The race condition will occur if the posix_cpu_timer_del() operation fails to properly detect that the CPU timer is firing, allowing for incorrect task management.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for upgrading can be found in the official Linux kernel documentation.

Added: Jul 22, 2025, 8:17 AM
Updated: Sep 4, 2025, 6:06 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.6
remediation: 7.7
relevance: 0.3
threat: 8.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.