From nobody Mon Jun 1 15:25:14 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gTd7Z4S0Lz6gBS7 for ; Mon, 01 Jun 2026 15:25:14 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gTd7Z3hh0z3pSs for ; Mon, 01 Jun 2026 15:25:14 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780327514; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=54aVU2aI3U+Gfzn1K63MmeGpks/Oa7LgUrwn4/nEJ64=; b=dpgG4yp7jCm/pJVzC4gMTksgyjsUyFwWrUUkbremGDdmGyfR5EJpLalQAH0VfHN8f+zj/e 6yRCRIhCvDX+kc1VIdtEHTlSp6oHYhRzU9JlOKpkzRKFkM3C24+pfNks1k/tqxJDuT1Kwy DiekVx7Nvm/aFCxPd5X7rdBhQyPDz/Dgd82kWh7ettttY0tXUrew9RFo2vo3CkO6Ul+KIQ vyyl40lHa3N0IN1t2gO1dnDgAjY4yfJszSo4cnGFU4nZPyJjcdjJZbH96LMhM5BSf6aCMX 8Jkf0rHVUXnFCfgRVCP0wCi5H/MfL2IXc6Le2/1tiSmvE8jWygSHfnR8Iy4jmQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1780327514; a=rsa-sha256; cv=none; b=UlGscgjjgwMRA8HuBp3ZRryVQkeoMl9ECnd5rm34XBSlv3eR7eNbObXbXZrfwE6wqP/Nha nQH7dXADEb5Gn9WnVvNWNsTwQgr/b6alUqGIxIshcrOxWPMkuv6rscpwTL3uyXm5Olxqwa W3U9eTI6UMZ+KvD208uOYr9Gz2r6S/TiXdcwmcH9tSvTOlcfIwCbMUGNH5qqXyfCF0vBN2 PpvahLvBSFp5rggn2HTg8A8azV3gsWBjVNBCdDxmnE5U+kIpA0GuzG4FpIOMnHEY3jzjK+ GblKs+YbeZVcLK8O0Q9wTRPWhFQ4qZNlPT7xNATueDeWhXjYzPcABlB9L43hFg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780327514; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=54aVU2aI3U+Gfzn1K63MmeGpks/Oa7LgUrwn4/nEJ64=; b=hu3fHLjdj/HQjx2Ta7A1xCYPhPToBffvIGK2xgE+fwlyG2Z3HjZZcLjH10vy+syogmL9Nx yUC3g8Yt8Bu6qEO+bRN5HSrm9FcHZAwzdHn8Ks0BeSI6bqFkmtZAPRIHc5J3qCYWeXqp4n Mk5fP1GVr6BlvyJZTVEkY7CjYAgFrcgpB0MNHujZrEUrkZgAAHOiu6CnZTCYJFl998Te1H +77D/iQ5P/9ynv8mAbtyo3ebUW+CuZC5CBiM3PmUiL1ONvkqqXeL2KBdOia4oXQROnlEvI Txob49AbHX3ozmmIcoSsCVPLEUSdq7tsMSN9OoOFA755G1j6jjpRzmJru9kSJQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gTd7Z3DqHzkSC for ; Mon, 01 Jun 2026 15:25:14 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3e1e4 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Mon, 01 Jun 2026 15:25:14 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Olivier Certner Subject: git: 79d0dbc9c6d6 - main - MAC/do: Fix double-free on parse error after "executable paths" feature List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: olce X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 79d0dbc9c6d6a1627c9f3eeab0633c232a6a0a34 Auto-Submitted: auto-generated Date: Mon, 01 Jun 2026 15:25:14 +0000 Message-Id: <6a1da45a.3e1e4.7438879@gitrepo.freebsd.org> The branch main has been updated by olce: URL: https://cgit.FreeBSD.org/src/commit/?id=79d0dbc9c6d6a1627c9f3eeab0633c232a6a0a34 commit 79d0dbc9c6d6a1627c9f3eeab0633c232a6a0a34 Author: Olivier Certner AuthorDate: 2026-06-01 08:52:16 +0000 Commit: Olivier Certner CommitDate: 2026-06-01 15:23:51 +0000 MAC/do: Fix double-free on parse error after "executable paths" feature parse_rules() has been calling toast_rules() in case of a parse error in order to deallocate the 'struct rule' objects it has constructed up to that point. toast_rules() would take a pointer to a full 'struct rules' object, and besides freeing all 'struct rule' referenced by it, would also free the holding 'struct rules' itself. With the introduction of the "executable paths" feature, and the embedding of 'struct rules' into 'struct conf', meaning that the lifecycle for 'struct rules' was no longer independent, toast_rules() was changed not to free the passed 'struct rules' (as it was a field of a 'struct conf' object). Unfortunately, this change was not completed with a reinitialization of the rules list head, so the 'struct conf' object would continue to reference just-freed rules, which then would be freed a second time on destruction of that container. So, make toast_rules() re-initialize the rules list in 'struct rules', which it logically has been having to do since not freeing the enclosing 'struct rules'. This alone is enough to fix the bug, but let's use the occasion to change the contract of parse_rules() and bring its herald comment up-to-date: On error, parse_rules() now simply leaves already constructed 'struct rule' objects in 'conf'. The latter is eventually destroyed and the rule objects reclaimed at that point. Add a test trying to set an invalid rules configuration with the first rule being valid and the second being invalid, which triggers the bug (and an immediate panic() on an INVARIANTS kernel). Reported by: impost0r(ret2plt) Reviewed by: markj Fixes: 9818224174c4 ("MAC/do: Executable paths feature (GSoC 2025's final state)") Sponsored by: The FreeBSD Foundation --- sys/security/mac_do/mac_do.c | 16 ++++++++-------- tests/sys/mac/do/invalid_configs.sh | 14 ++++++++++++++ 2 files changed, 22 insertions(+), 8 deletions(-) diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c index 93f2084d1c93..7bb3e2a150c5 100644 --- a/sys/security/mac_do/mac_do.c +++ b/sys/security/mac_do/mac_do.c @@ -390,6 +390,7 @@ toast_rules(struct rules *const rules) free(rule->gids, M_MAC_DO); free(rule, M_MAC_DO); } + STAILQ_INIT(head); } static inline void @@ -1071,13 +1072,13 @@ einval: /* * Parse rules specification and produce rule structures out of it. * - * Must be called with '*parse_error' set to NULL. Returns 0 on success, with - * '*rulesp' made to point to a 'struct rule' representing the rules. On error, - * the returned value is non-zero and '*rulesp' is unchanged. If 'string' has - * length greater or equal to MAX_RULE_STRING_SIZE, ENAMETOOLONG is returned. If - * it is not in the expected format, EINVAL is returned. If an error is - * returned, '*parse_error' is set to point to a 'struct parse_error' giving an - * error message for the problem. + * Must be called with '*parse_error' set to NULL. Returns 0 on success, + * filling the passed '*rules' with 'struct rule' objects. On error, the + * returned value is non-zero, and '*rules' may have been changed. If 'string' + * has length greater or equal to MAX_RULE_STRING_SIZE, ENAMETOOLONG is + * returned. If it is not in the expected format, EINVAL is returned. If an + * error is returned, '*parse_error' is set to point to a 'struct parse_error' + * giving an error message for the problem. * * Expected format: A >-colon-separated list of rules of the form * ">" (for backwards compatibility, a semi-colon ":" is accepted @@ -1123,7 +1124,6 @@ parse_rules(const char *const string, struct rules *const rules, error = parse_single_rule(rule, rules, parse_error); if (error != 0) { (*parse_error)->pos += rule - copy; - toast_rules(rules); goto error; } } diff --git a/tests/sys/mac/do/invalid_configs.sh b/tests/sys/mac/do/invalid_configs.sh index d1a9eb8c1e96..91e38a0055c0 100644 --- a/tests/sys/mac/do/invalid_configs.sh +++ b/tests/sys/mac/do/invalid_configs.sh @@ -72,6 +72,19 @@ rules_wrong_separator_body() sysctl_set_and_check_fails_rules "uid=1001>gid=0:gid=1001>gid=5" } +# Added after observing a panic() in this situation because of a double-free +# after introduction of "exec_paths". +atf_test_case non_first_rule_unparseable +non_first_rule_unparseable_head() +{ + atf_set descr "Non-first rule wrong" +} + +non_first_rule_unparseable_body() +{ + sysctl_set_and_check_fails_rules "gid=1001>uid=0;hello" +} + atf_init_test_cases() { @@ -83,4 +96,5 @@ atf_init_test_cases() atf_add_test_case rule_user_names_fail atf_add_test_case rule_group_names_fail atf_add_test_case rules_wrong_separator + atf_add_test_case non_first_rule_unparseable }