Date:      Fri, 19 Dec 2025 09:19:18 +0000
From:      Olivier Certner <olce@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: cc16a07a8e8f - stable/14 - kern: Fix credentials leaks on RACCT but no RCTL
Message-ID:  <69451896.3f17b.51b15830@gitrepo.freebsd.org>

The branch stable/14 has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=cc16a07a8e8fc4921e5072bff6263315918cf7bf

commit cc16a07a8e8fc4921e5072bff6263315918cf7bf
Author:     Olivier Certner <olce@FreeBSD.org>
AuthorDate: 2025-10-29 16:46:39 +0000
Commit:     Olivier Certner <olce@FreeBSD.org>
CommitDate: 2025-12-19 09:16:47 +0000

    kern: Fix credentials leaks on RACCT but no RCTL
    
    Affected system calls: setuid(), setreuid(), setresuid(), jail_attach(),
    setloginclass().
    
    In these system calls, the crhold() calls that, on RACCT, make the
    just-installed process credentials survive a concurrent change of the
    same credentials just after PROC_UNLOCK() were not matched by
    a corresponding crfree() when RCTL is off.  In fact, in that latter
    case, they are simply not necessary, so wrap them with '#ifdef RCTL'
    stances.  'kern_rctl.c' causes a compile error if RACCT is not defined
    but RCTL is, so ease reading by not nesting '#ifdef's.
    
    MFC after:      3 days
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D53456
    
    (cherry picked from commit f4315ff8b3fee71eb0098864a84618f2f8ba85d5)
---
 sys/kern/kern_jail.c       | 2 ++
 sys/kern/kern_loginclass.c | 2 ++
 sys/kern/kern_prot.c       | 6 ++++++
 3 files changed, 10 insertions(+)

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index c449aba9b56a..801424794eac 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -2705,6 +2705,8 @@ do_jail_attach(struct thread *td, struct prison *pr, int drflags)
 	setsugid(p);
 #ifdef RACCT
 	racct_proc_ucred_changed(p, oldcred, newcred);
+#endif
+#ifdef RCTL
 	crhold(newcred);
 #endif
 	PROC_UNLOCK(p);
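Review bot: the release that pairs with the crhold(newcred) now under '#ifdef RCTL' lies outside the context shown for do_jail_attach(), so the hold/free pairing cannot be checked from these lines. Please confirm that the crfree(newcred) following PROC_UNLOCK(p) is guarded by RCTL and not by RACCT, and consider a one-line comment above crhold() stating that the extra reference only exists to keep newcred alive past PROC_UNLOCK() for the RCTL code.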
diff --git a/sys/kern/kern_loginclass.c b/sys/kern/kern_loginclass.c
index ceba563413df..f6070cae24d5 100644
--- a/sys/kern/kern_loginclass.c
+++ b/sys/kern/kern_loginclass.c
@@ -226,6 +226,8 @@ sys_setloginclass(struct thread *td, struct setloginclass_args *uap)
 	proc_set_cred(p, newcred);
 #ifdef RACCT
 	racct_proc_ucred_changed(p, oldcred, newcred);
+#endif
+#ifdef RCTL
 	crhold(newcred);
 #endif
 	PROC_UNLOCK(p);
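Review bot: the back-to-back '#endif' / '#ifdef RCTL' in sys_setloginclass() is equivalent to a nested guard only because RCTL cannot be built without RACCT, which the commit message attributes to a compile error in 'kern_rctl.c'. That dependency is not visible at this site, so a short comment on the '#ifdef RCTL' line noting that RCTL implies RACCT would spare the next reader from wondering why the two blocks are not nested.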
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index c3908c8e99c9..db7377ed9c9c 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -964,6 +964,8 @@ sys_setuid(struct thread *td, struct setuid_args *uap)
 	proc_set_cred(p, newcred);
 #ifdef RACCT
 	racct_proc_ucred_changed(p, oldcred, newcred);
+#endif
+#ifdef RCTL
 	crhold(newcred);
 #endif
 	PROC_UNLOCK(p);
@@ -1342,6 +1344,8 @@ sys_setreuid(struct thread *td, struct setreuid_args *uap)
 	proc_set_cred(p, newcred);
 #ifdef RACCT
 	racct_proc_ucred_changed(p, oldcred, newcred);
+#endif
+#ifdef RCTL
 	crhold(newcred);
 #endif
 	PROC_UNLOCK(p);
@@ -1488,6 +1492,8 @@ sys_setresuid(struct thread *td, struct setresuid_args *uap)
 	proc_set_cred(p, newcred);
 #ifdef RACCT
 	racct_proc_ucred_changed(p, oldcred, newcred);
+#endif
+#ifdef RCTL
 	crhold(newcred);
 #endif
 	PROC_UNLOCK(p);
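Review bot: the guarded hold ('#endif', '#ifdef RCTL', 'crhold(newcred);') is now repeated verbatim in sys_setuid(), sys_setreuid() and sys_setresuid() here and at the two sites in kern_jail.c and kern_loginclass.c, and each copy has to stay in step with a release elsewhere in its function. Consider folding the hold and its matching release into a small pair of helpers or macros that compile to nothing without RCTL, so that a new call site cannot reintroduce the mismatch this commit fixes.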

