From ef4ada7b7665029bd2c1c35e80c1a18df361b214 Mon Sep 17 00:00:00 2001
From: kib
Date: Wed, 8 Jun 2016 04:37:03 +0000
Subject: [PATCH] Old process credentials for setuid execve must not be dereferenced when the process credentials were not changed. This can happen if an error occured trying to activate the setuid binary. And on error, if new credentials were not yet assigned, they must be freed to not create the leak. Use oldcred == NULL as the predicate to detect credential reassignment.
Reported and tested by: pho
Sponsored by: The FreeBSD Foundation
---
 sys/kern/kern_exec.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index d2de3c8d2f83..63d855d3ceea 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -806,8 +806,11 @@ do_execve(td, args, mac_p)
 /*
 * Set the new credentials.
 */
- if (imgp->newcred != NULL)
+ if (imgp->newcred != NULL) {
 proc_set_cred(p, imgp->newcred);
+ crfree(oldcred);
+ oldcred = NULL;
+ }
 
 /*
 * Store the vp for use in procfs. This vnode was referenced by namei
@@ -918,8 +921,9 @@ do_execve(td, args, mac_p)
 SDT_PROBE1(proc, , , exec__failure, error);
 }
 
- if (imgp->newcred != NULL)
- crfree(oldcred);
+ if (imgp->newcred != NULL && oldcred != NULL)
+ crfree(imgp->newcred);
+
 #ifdef MAC
 mac_execve_exit(imgp);
 mac_execve_interpreter_exit(interpvplabel);
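Review bot: The new success branch turns the local `oldcred` into the ownership sentinel for the whole rest of do_execve, but nothing at the `oldcred = NULL;` line says so, and `imgp->newcred` is left pointing at a credential the process now owns, so a later reader cannot tell from this hunk which of the two pointers still carries a reference. A comment on the assignment would pin the invariant the error path depends on: `/* oldcred == NULL from here on: newcred is installed and owned by the process; the failure path keys on this to avoid freeing it. */`. Clearing `imgp->newcred` here instead would be a more direct signal, but the commit message chose the `oldcred` predicate and the field may be read later in the function, which this hunk does not show. do_execve begins and continues outside the hunk.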
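Review bot: After `crfree(imgp->newcred);` in the failure path the field still holds the freed pointer, so if anything between here and the end of cleanup, including the MAC exit hooks that follow, looks at `imgp->newcred`, it sees a dangling credential pointer; adding `imgp->newcred = NULL;` right after the free removes that window at no cost. The correctness of this branch rests on `oldcred` being cleared exactly when the new credential was installed, and a kernel credential reference dropped while it is still the process's live `p_ucred` is the refcount bug this commit is fixing, so a debug-only check of that invariant, something like `KASSERT(oldcred == NULL || p->p_ucred == oldcred, ("exec cred mismatch"));` placed before the `if`, would catch a regression early; I am inferring the `p_ucred` field name from `proc_set_cred()` and cannot see it in the hunk. do_execve's cleanup continues past the end of this hunk.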