d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Old process credentials for setuid execve must not be dereferenced

Browse Source 
when the process credentials were not changed.  This can happen if an
error occured trying to activate the setuid binary.  And on error, if
new credentials were not yet assigned, they must be freed to not
create the leak.

Use oldcred == NULL as the predicate to detect credential
reassignment.

Reported and tested by:	pho
Sponsored by:	The FreeBSD Foundation
This commit is contained in:
kib 2016-06-08 04:37:03 +00:00
parent 910fd3b83d
commit ef4ada7b76
1 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
sys/kern/kern_exec.c
View File

@ -806,8 +806,11 @@ do_execve(td, args, mac_p)
/* /*
* Set the new credentials. * Set the new credentials.
*/ */
if (imgp->newcred != NULL) if (imgp->newcred != NULL) {
proc_set_cred(p, imgp->newcred); proc_set_cred(p, imgp->newcred);
crfree(oldcred);
oldcred = NULL;
}
/* /*
* Store the vp for use in procfs. This vnode was referenced by namei * Store the vp for use in procfs. This vnode was referenced by namei
@ -918,8 +921,9 @@ do_execve(td, args, mac_p)
SDT_PROBE1(proc, , , exec__failure, error); SDT_PROBE1(proc, , , exec__failure, error);
} }
if (imgp->newcred != NULL) if (imgp->newcred != NULL && oldcred != NULL)
crfree(oldcred); crfree(imgp->newcred);
#ifdef MAC #ifdef MAC
mac_execve_exit(imgp); mac_execve_exit(imgp);
mac_execve_interpreter_exit(interpvplabel); mac_execve_interpreter_exit(interpvplabel);