From owner-svn-src-head@freebsd.org Wed Jun 8 04:37:04 2016 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B17F1B6F4F0; Wed, 8 Jun 2016 04:37:04 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7620B11A7; Wed, 8 Jun 2016 04:37:04 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u584b3LH031547; Wed, 8 Jun 2016 04:37:03 GMT (envelope-from kib@FreeBSD.org) Received: (from kib@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u584b3Pj031546; Wed, 8 Jun 2016 04:37:03 GMT (envelope-from kib@FreeBSD.org) Message-Id: <201606080437.u584b3Pj031546@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kib set sender to kib@FreeBSD.org using -f 
From: Konstantin Belousov Date: Wed, 8 Jun 2016 04:37:03 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r301580 - head/sys/kern X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Jun 2016 04:37:04 -0000 Author: kib Date: Wed Jun 8 04:37:03 2016 New Revision: 301580 URL: https://svnweb.freebsd.org/changeset/base/301580 Log: Old process credentials for setuid execve must not be dereferenced when the process credentials were not changed. This can happen if an error occured trying to activate the setuid binary. And on error, if new credentials were not yet assigned, they must be freed to not create the leak. Use oldcred == NULL as the predicate to detect credential reassignment. Reported and tested by: pho Sponsored by: The FreeBSD Foundation Modified: head/sys/kern/kern_exec.c Modified: head/sys/kern/kern_exec.c ============================================================================== --- head/sys/kern/kern_exec.c Wed Jun 8 04:18:57 2016 (r301579) +++ head/sys/kern/kern_exec.c Wed Jun 8 04:37:03 2016 (r301580) @@ -806,8 +806,11 @@ interpret: /* * Set the new credentials. */ - if (imgp->newcred != NULL) + if (imgp->newcred != NULL) { proc_set_cred(p, imgp->newcred); + crfree(oldcred); + oldcred = NULL; + } /* * Store the vp for use in procfs. This vnode was referenced by namei @@ -918,8 +921,9 @@ exec_fail: SDT_PROBE1(proc, , , exec__failure, error); } - if (imgp->newcred != NULL) - crfree(oldcred); + if (imgp->newcred != NULL && oldcred != NULL) + crfree(imgp->newcred); + #ifdef MAC mac_execve_exit(imgp); mac_execve_interpreter_exit(interpvplabel);
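Review bot: in the first hunk (the `Set the new credentials` block around line 806), `crfree(oldcred); oldcred = NULL;` now runs immediately after `proc_set_cred(p, imgp->newcred)`, which makes `oldcred == NULL` the only signal that the swap happened and the exec_fail hunk depends on that exact invariant. A one-line comment at the `oldcred = NULL;` line stating that it marks the credential reassignment for the error path would keep the two hunks from drifting apart in later edits, and any code between this point and `exec_fail:` that still reads `oldcred` must now tolerate NULL. Please also confirm that `proc_set_cred()` takes over the reference held in `imgp->newcred` rather than acquiring its own, since the exec_fail hunk no longer drops that reference once `oldcred` has been cleared.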
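Review bot: in the exec_fail hunk (around line 921), the new condition `imgp->newcred != NULL && oldcred != NULL` correctly frees only a `newcred` that was never installed, and no longer touches `oldcred` when the process still owns it; the one gap is that `imgp->newcred` keeps pointing at freed memory afterwards while `imgp` is passed on to `mac_execve_exit(imgp)` two lines later, so adding `imgp->newcred = NULL;` inside the block would remove the dangling pointer at no cost. The extra `+` blank line inserted before `#ifdef MAC` is a style nit and can be dropped.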