Author: kib
Date: Wed Jun 8 04:37:03 2016
New Revision: 301580
URL: https://svnweb.freebsd.org/changeset/base/301580
Log:
Old process credentials for setuid execve must not be dereferenced
when the process credentials were not changed. This can happen if an
error occured trying to activate the setuid binary. And on error, if
new credentials were not yet assigned, they must be freed to not
create the leak.
Use oldcred == NULL as the predicate to detect credential
reassignment.
Reported and tested by: pho
Sponsored by: The FreeBSD Foundation
Modified:
head/sys/kern/kern_exec.c
Modified: head/sys/kern/kern_exec.c
==============================================================================
--- head/sys/kern/kern_exec.c Wed Jun 8 04:18:57 2016 (r301579)
+++ head/sys/kern/kern_exec.c Wed Jun 8 04:37:03 2016 (r301580)
@@ -806,8 +806,11 @@ interpret:
/*
* Set the new credentials.
*/
- if (imgp->newcred != NULL)
+ if (imgp->newcred != NULL) {
proc_set_cred(p, imgp->newcred);
+ crfree(oldcred);
+ oldcred = NULL;
+ }
/*
* Store the vp for use in procfs. This vnode was referenced by namei
@@ -918,8 +921,9 @@ exec_fail:
SDT_PROBE1(proc, , , exec__failure, error);
}
- if (imgp->newcred != NULL)
- crfree(oldcred);
+ if (imgp->newcred != NULL && oldcred != NULL)
+ crfree(imgp->newcred);
+
#ifdef MAC
mac_execve_exit(imgp);
mac_execve_interpreter_exit(interpvplabel);
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "[email protected]"
