Old process credentials for setuid execve must not be dereferenced

when the process credentials were not changed. This can happen if an error occured trying to activate the setuid binary. And on error, if new credentials were not yet assigned, they must be freed to not create the leak. Use oldcred == NULL as the predicate to detect credential reassignment. Reported and tested by: pho Sponsored by: The FreeBSD Foundation
svn path=/head/; revision=301580
2016-06-08 04:37:03 +00:00 · 2016-06-08 04:37:03 +00:00 · 3fc292d56b · 2020-12-20 02:59:44 +00:00
commit 3fc292d56b
parent a9254de740
1 changed files with 7 additions and 3 deletions
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@ -806,8 +806,11 @@ do_execve(td, args, mac_p)
 	/*
 	 * Set the new credentials.
 	 */
-	if (imgp->newcred != NULL)
+	if (imgp->newcred != NULL) {
 		proc_set_cred(p, imgp->newcred);
+		crfree(oldcred);
+		oldcred = NULL;
+	}

 	/*
 	 * Store the vp for use in procfs.  This vnode was referenced by namei
@ -918,8 +921,9 @@ do_execve(td, args, mac_p)
 		SDT_PROBE1(proc, , , exec__failure, error);
 	}

-	if (imgp->newcred != NULL)
-		crfree(oldcred);
+	if (imgp->newcred != NULL && oldcred != NULL)
+		crfree(imgp->newcred);
+
 #ifdef MAC
 	mac_execve_exit(imgp);
 	mac_execve_interpreter_exit(interpvplabel);