Date: Mon, 26 Feb 2024 19:35:31 +0100 From: Steffen Nurpmeso <steffen@sdaoden.eu> To: Shawn Webb <shawn.webb@hardenedbsd.org> Cc: Emmanuel Vadot <manu@freebsd.org>, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org Subject: Re: git: 6e69612d5df1 - main - pam: Add pam_xdg module Message-ID: <20240226183531.WAZIpBUq@steffen%sdaoden.eu> In-Reply-To: <2zwthawswhf5surxumjhhmvqpg6bauwl7ucog5kv3d33bej4ai@tpqxvtitsnt4> References: <202402261735.41QHZvL1027958@gitrepo.freebsd.org> <2zwthawswhf5surxumjhhmvqpg6bauwl7ucog5kv3d33bej4ai@tpqxvtitsnt4>
next in thread | previous in thread | raw e-mail | index | archive | help
Shawn Webb wrote in
<2zwthawswhf5surxumjhhmvqpg6bauwl7ucog5kv3d33bej4ai@tpqxvtitsnt4>:
...
|> + /* Setup the session count file */
|> + for (i = 0; i < XDG_MAX_SESSION; i++) {
|> + asprintf(&xdg_session_file, "%s/xdg_session.%d", user, i);
|
|If asprintf fails, xdg_session_file will be NULL.
|
|> + printf("Trying to open %s\n", xdg_session_file);
|> + session_file = openat(rt_dir_prefix, xdg_session_file, \
|> O_CREAT | O_EXCL, RUNTIME_DIR_MODE);
|
|If xdg_session_file is NULL, there is a NULL pointer dereference
|vulnerability in the above call to openat(2).
|
|> + free(xdg_session_file);
|> + if (session_file >= 0)
|> + break;
|
|Thanks,
I want to point out again that unless process reaper is handled
alongside, PAM sessions are a fragile thing that can be left as
easily as "sleep 5 </dev/null >/dev/null 2>&1 &" in a shell.
Unfortunately noone cares, but all go systemd, which does all of
that.
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20240226183531.WAZIpBUq>