packages/cifs-utils
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

cifs.upcall: fix UAF in get_cachename_from_process_env()

Browse Source
This commit is contained in:
liuh 2024-04-09 17:44:02 +08:00
parent 1deaa53eab
commit be4a54ba33
2 changed files with 51 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
0001-cifs.upcall-fix-UAF-in-get_cachename_from_process_en.patch Normal file
View File

@ -0,0 +1,46 @@
From 73146385da0945c78af0fbdc08d2bf260db709d5 Mon Sep 17 00:00:00 2001
From: Paulo Alcantara <pc@manguebit.com>
Date: Fri, 8 Mar 2024 12:06:15 -0300
Subject: [PATCH] cifs.upcall: fix UAF in get_cachename_from_process_env()
Whether lseek(2) fails or @bufsize * 2 > ENV_BUF_MAX, then @buf would
end up being freed twice. For instance:
cifs-utils-7.0/cifs.upcall.c:501: freed_arg: "free" frees "buf".
cifs-utils-7.0/cifs.upcall.c:524: double_free: Calling "free" frees
pointer "buf" which has already been freed.
522| }
523| out_close:
524|-> free(buf);
525| close(fd);
526| return cachename;
Fix this by setting @buf to NULL after freeing it to prevent UAF.
Fixes: ed97e4ecab4e ("cifs.upcall: allow scraping of KRB5CCNAME out of initiating task's /proc/<pid>/environ file")
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
---
cifs.upcall.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/cifs.upcall.c b/cifs.upcall.c
index 52c0328..ff6f2bd 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -498,10 +498,11 @@ retry:
/* We read to the end of the buffer. Double and try again */
syslog(LOG_DEBUG, "%s: read to end of buffer (%zu bytes)\n",
__func__, bufsize);
- free(buf);
- bufsize *= 2;
if (lseek(fd, 0, SEEK_SET) < 0)
goto out_close;
+ free(buf);
+ buf = NULL;
+ bufsize *= 2;
goto retry;
}
--
2.34.1

6
cifs-utils.spec
View File

@ -1,6 +1,6 @@
Name: cifs-utils
Version: 7.0
Release: 1
Release: 2
Summary: Utilities for doing and managing mounts of the Linux CIFS filesystem
License: GPLv3+
URL: http://linux-cifs.samba.org/cifs-utils/
@ -12,6 +12,7 @@ Provides: pam_cifscreds
Obsoletes: pam_cifscreds
Requires: keyutils
Patch0: 0001-cifs.upcall-fix-UAF-in-get_cachename_from_process_en.patch
%description
The in-kernel CIFS filesystem is generally the preferred method for mounting
@ -76,6 +77,9 @@ install -m 644 contrib/request-key.d/cifs.spnego.conf %{buildroot}%{_sysconfdir}
%{_mandir}/man8/*
%changelog
* Tue Apr 9 2024 liuh <liuhuan01@kylinos.cn> - 7.0-2
- sync patch from community
* Sat Feb 11 2023 suweifeng <suweifeng1@huawei.com> - 7.0-1
- upgarde to version 7.0