diff mbox series

cifs.upcall: fix UAF in get_cachename_from_process_env()

Message ID 20240308150615.339103-1-pc@manguebit.com (mailing list archive)
State New, archived
Headers show
Series cifs.upcall: fix UAF in get_cachename_from_process_env() | expand

Commit Message

Paulo Alcantara March 8, 2024, 3:06 p.m. UTC
Whether lseek(2) fails or @bufsize * 2 > ENV_BUF_MAX, then @buf would
end up being freed twice.  For instance:

  cifs-utils-7.0/cifs.upcall.c:501: freed_arg: "free" frees "buf".
  cifs-utils-7.0/cifs.upcall.c:524: double_free: Calling "free" frees
  pointer "buf" which has already been freed.
    522|           }
    523|   out_close:
    524|->         free(buf);
    525|           close(fd);
    526|           return cachename;

Fix this by setting @buf to NULL after freeing it to prevent UAF.

Fixes: ed97e4ecab4e ("cifs.upcall: allow scraping of KRB5CCNAME out of initiating task's /proc/<pid>/environ file")
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
---
 cifs.upcall.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Pavel Shilovsky March 26, 2024, 1:43 a.m. UTC | #1
Merged this and the other patch to the next branch. Thanks!
--
Best regards,
Pavel Shilovsky

пт, 8 мар. 2024 г. в 07:06, Paulo Alcantara <pc@manguebit.com>:
>
> Whether lseek(2) fails or @bufsize * 2 > ENV_BUF_MAX, then @buf would
> end up being freed twice.  For instance:
>
>   cifs-utils-7.0/cifs.upcall.c:501: freed_arg: "free" frees "buf".
>   cifs-utils-7.0/cifs.upcall.c:524: double_free: Calling "free" frees
>   pointer "buf" which has already been freed.
>     522|           }
>     523|   out_close:
>     524|->         free(buf);
>     525|           close(fd);
>     526|           return cachename;
>
> Fix this by setting @buf to NULL after freeing it to prevent UAF.
>
> Fixes: ed97e4ecab4e ("cifs.upcall: allow scraping of KRB5CCNAME out of initiating task's /proc/<pid>/environ file")
> Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
> ---
>  cifs.upcall.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/cifs.upcall.c b/cifs.upcall.c
> index 52c03280dbe0..ff6f2bd271bc 100644
> --- a/cifs.upcall.c
> +++ b/cifs.upcall.c
> @@ -498,10 +498,11 @@ retry:
>                 /* We read to the end of the buffer. Double and try again */
>                 syslog(LOG_DEBUG, "%s: read to end of buffer (%zu bytes)\n",
>                                         __func__, bufsize);
> -               free(buf);
> -               bufsize *= 2;
>                 if (lseek(fd, 0, SEEK_SET) < 0)
>                         goto out_close;
> +               free(buf);
> +               buf = NULL;
> +               bufsize *= 2;
>                 goto retry;
>         }
>
> --
> 2.44.0
>
diff mbox series

Patch

diff --git a/cifs.upcall.c b/cifs.upcall.c
index 52c03280dbe0..ff6f2bd271bc 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -498,10 +498,11 @@  retry:
 		/* We read to the end of the buffer. Double and try again */
 		syslog(LOG_DEBUG, "%s: read to end of buffer (%zu bytes)\n",
 					__func__, bufsize);
-		free(buf);
-		bufsize *= 2;
 		if (lseek(fd, 0, SEEK_SET) < 0)
 			goto out_close;
+		free(buf);
+		buf = NULL;
+		bufsize *= 2;
 		goto retry;
 	}