Date:      Wed, 8 Jun 2016 04:37:03 +0000 (UTC)
From:      Konstantin Belousov <kib@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r301580 - head/sys/kern
Message-ID:  <201606080437.u584b3Pj031546@repo.freebsd.org>

Author: kib
Date: Wed Jun  8 04:37:03 2016
New Revision: 301580
URL: https://svnweb.freebsd.org/changeset/base/301580

Log:
  Old process credentials for setuid execve must not be dereferenced
  when the process credentials were not changed.  This can happen if an
  error occurred trying to activate the setuid binary.  And on error, if
  new credentials were not yet assigned, they must be freed to not
  create the leak.
  
  Use oldcred == NULL as the predicate to detect credential
  reassignment.
  
  Reported and tested by:	pho
  Sponsored by:	The FreeBSD Foundation
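The two failure modes the log describes (freeing a credential the process still references, and leaking a credential that was never installed) are easiest to see in a reduced model. The following C program is an added example written for this page, not code from FreeBSD's kern_exec.c: `struct cred`, `crget()`, `crfree()`, `proc_set_cred()`, `exec_sim()` and `run_case()` are constructed stand-ins for the kernel's reference-counted ucred and the relevant part of do_execve(), with a `fixed` switch selecting the r301580 logic versus the pre-fix logic, and the "activation error" is simulated by a flag rather than a real image.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the kernel's reference-counted ucred. */
struct cred { int refs; int uid; };
struct proc { struct cred *p_ucred; };	/* the installed credential */

static int live_creds;	/* creds allocated and not yet freed */

static struct cred *crget(int uid)
{
	struct cred *c = calloc(1, sizeof(*c));
	if (c == NULL) abort();
	c->refs = 1; c->uid = uid; live_creds++;
	return (c);
}

static void crfree(struct cred *c)
{
	if (--c->refs == 0) { live_creds--; free(c); }
}

/* Like proc_set_cred(): the process takes over the caller's reference. */
static void proc_set_cred(struct proc *p, struct cred *newcred)
{
	p->p_ucred = newcred;
}

struct exec_result {
	int error;	/* 0 on success, -1 when the image failed to activate */
	int live_creds;	/* creds still allocated when the simulated execve returns */
	int dangling;	/* 1 if p_ucred was left pointing at a freed cred */
	int leaked;	/* 1 if a never-installed newcred was not released */
};

/*
 * Reduced do_execve(): setuid_uid < 0 means a non-setuid image (no newcred);
 * fail_before_set models an error after newcred was built but before it was
 * installed; fixed selects the r301580 cleanup versus the pre-fix cleanup.
 */
static struct exec_result exec_sim(struct proc *p, int setuid_uid,
    int fail_before_set, int fixed)
{
	struct exec_result r = { 0, 0, 0, 0 };
	struct cred *oldcred = p->p_ucred;
	struct cred *newcred = NULL;

	if (setuid_uid >= 0)
		newcred = crget(setuid_uid);	/* what the image would run as */
	if (fail_before_set) { r.error = -1; goto exec_fail; }

	/* Set the new credentials. */
	if (newcred != NULL) {
		proc_set_cred(p, newcred);
		if (fixed) {
			crfree(oldcred);	/* process no longer holds it */
			oldcred = NULL;		/* predicate: swap happened */
		}
	}
exec_fail:
	if (fixed) {
		/* Only a newcred that was never installed is ours to drop. */
		if (newcred != NULL && oldcred != NULL)
			crfree(newcred);
	} else if (newcred != NULL) {
		/* Pre-fix: oldcred is freed even when still installed, and the
		 * unused newcred is never released. Checked before freeing so
		 * no freed pointer is ever dereferenced. */
		r.dangling = (p->p_ucred == oldcred);
		r.leaked = (p->p_ucred != newcred);
		crfree(oldcred);
	}
	r.live_creds = live_creds;
	return (r);
}

/* Runs one scenario on a fresh process whose credential is uid 1000. */
struct exec_result run_case(int setuid_uid, int fail_before_set, int fixed)
{
	struct proc p;
	struct exec_result r;

	live_creds = 0;
	p.p_ucred = crget(1000);
	r = exec_sim(&p, setuid_uid, fail_before_set, fixed);
	if (!r.dangling)
		crfree(p.p_ucred);	/* teardown; a leaked newcred stays leaked */
	return (r);
}

int main(void)
{
	struct exec_result r = run_case(0, 1, 0);
	printf("pre-fix,  error before swap: dangling=%d leaked=%d\n",
	    r.dangling, r.leaked);
	r = run_case(0, 1, 1);
	printf("r301580,  error before swap: dangling=%d leaked=%d live=%d\n",
	    r.dangling, r.leaked, r.live_creds);
	return (0);
}
```

With `fixed == 0` and an error before the swap, the model reports both a dangling `p_ucred` and a leaked `newcred`; with the r301580 logic the process keeps its original credential and the unused one is released, while the success path behaves identically under both versions.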

Modified:
  head/sys/kern/kern_exec.c

Modified: head/sys/kern/kern_exec.c
==============================================================================
--- head/sys/kern/kern_exec.c	Wed Jun  8 04:18:57 2016	(r301579)
+++ head/sys/kern/kern_exec.c	Wed Jun  8 04:37:03 2016	(r301580)
@@ -806,8 +806,11 @@ interpret:
 	/*
 	 * Set the new credentials.
 	 */
-	if (imgp->newcred != NULL)
+	if (imgp->newcred != NULL) {
 		proc_set_cred(p, imgp->newcred);
+		crfree(oldcred);
+		oldcred = NULL;
+	}
 
 	/*
 	 * Store the vp for use in procfs.  This vnode was referenced by namei
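Review bot: the new `oldcred = NULL;` assignment is load-bearing for the `exec_fail:` cleanup (it is the only signal that the swap completed and the old reference has already been dropped), but nothing in the hunk says so; extending the "Set the new credentials." comment with one line such as `oldcred == NULL below means the credentials were reassigned` would stop a later cleanup from removing what looks like a redundant store. Releasing `oldcred` right after `proc_set_cred(p, imgp->newcred)` is the right place, since that call is where the process stops using it.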
@@ -918,8 +921,9 @@ exec_fail:
 		SDT_PROBE1(proc, , , exec__failure, error);
 	}
 
-	if (imgp->newcred != NULL)
-		crfree(oldcred);
+	if (imgp->newcred != NULL && oldcred != NULL)
+		crfree(imgp->newcred);
+
 #ifdef MAC
 	mac_execve_exit(imgp);
 	mac_execve_interpreter_exit(interpvplabel);
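Review bot: the condition `imgp->newcred != NULL && oldcred != NULL` correctly narrows the free to a credential that was built but never installed, which is exactly what the previous unconditional `crfree(oldcred)` got wrong on the error path (it released the credential still referenced by the process and left `imgp->newcred` unreleased). Two small points: a comment stating that `oldcred != NULL` here means the swap did not happen would make the predicate self-documenting, and clearing `imgp->newcred` after the `crfree()` would leave no stale pointer in `imgp` for the remaining cleanup (`mac_execve_exit(imgp)` follows immediately).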


