Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 09 Jun 2026 19:17:33 +0000
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 3ac9726c4269 - stable/15 - linux: Correct the issetugid check in copyout_auxargs
Message-ID:  <6a2866cd.3cd76.55b07417@gitrepo.freebsd.org>
index | next in thread | raw e-mail 

The branch stable/15 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=3ac9726c42693822c538367fd80f45b606a59ddf

commit 3ac9726c42693822c538367fd80f45b606a59ddf
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-05-29 21:41:35 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-06-09 19:15:24 +0000

    linux: Correct the issetugid check in copyout_auxargs
    
    The runtime linker in glibc relies on the AT_SECURE auxv entry to know
    whether the executable is set-ugid, if so then various dangerous
    functionality such as LD_PRELOAD is disabled.
    
    The check added in commit 669414e4fb74 failed to take into account the
    fact that during execve, P_SUGID may not yet be set for a set-ugid
    process.  Correct the test.
    
    Approved by:    so
    Security:       FreeBSD-SA-26:30.linux
    Security:       CVE-2026-49413
    Reported by:    Minseong Kim
    Fixes:          669414e4fb74 ("Implement AT_SECURE properly.")
    Reviewed by:    kib
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D57350
---
 sys/compat/linux/linux_elf.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/sys/compat/linux/linux_elf.c b/sys/compat/linux/linux_elf.c
index c9eb6aea8373..6c9f785c97e7 100644
--- a/sys/compat/linux/linux_elf.c
+++ b/sys/compat/linux/linux_elf.c
@@ -492,11 +492,9 @@ __linuxN(copyout_auxargs)(struct image_params *imgp, uintptr_t base)
 	struct thread *td = curthread;
 	Elf_Auxargs *args;
 	Elf_Auxinfo *aarray, *pos;
-	struct proc *p;
 	int error, issetugid;
 
-	p = imgp->proc;
-	issetugid = p->p_flag & P_SUGID ? 1 : 0;
+	issetugid = imgp->credential_setid ? 1 : 0;
 	args = imgp->auxargs;
 	aarray = pos = malloc(LINUX_AT_COUNT * sizeof(*pos), M_TEMP,
 	    M_WAITOK | M_ZERO);
home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6a2866cd.3cd76.55b07417>