cifs.upcall: fix UAF in get_cachename_from_process_env()

Resolves: RHEL-28047 Signed-off-by: Paulo Alcantara <paalcant@redhat.com>
2024-04-12 13:16:22 -03:00 · 2024-04-12 13:16:22 -03:00 · f5c9edcc8f
commit f5c9edcc8f
parent 9aaac0fb75
2 changed files with 53 additions and 1 deletions
--- a/cifs-utils.spec
+++ b/cifs-utils.spec
@ -3,7 +3,7 @@

 Name:            cifs-utils
 Version:         7.0
-Release:         1%{pre_release}%{?dist}
+Release:         2%{pre_release}%{?dist}
 Summary:         Utilities for mounting and managing CIFS mounts

 License:         GPLv3
@ -21,6 +21,7 @@ Requires(preun): /usr/sbin/alternatives
 Recommends: %{name}-info%{?_isa} = %{version}-%{release}

 Source0:         https://download.samba.org/pub/linux-cifs/cifs-utils/%{name}-%{version}.tar.bz2
+Patch0:          cifs.upcall-fix-UAF-in-get_cachename_from_process_en.patch

 %description
 The SMB/CIFS protocol is a standard file sharing protocol widely deployed
@ -53,6 +54,7 @@ provide these credentials to the kernel automatically at login.

 %prep
 %setup -q -n %{name}-%{version}%{pre_release}
+%patch0 -p1

 %build
 fgrep -r -l '/usr/bin/env python' | xargs -n1 sed -i 's@/usr/bin/env python.*@%python3@g'
@ -124,6 +126,10 @@ about CIFS mount.
 %{_mandir}/man1/smbinfo.*

 %changelog
+* Fri Apr 12 2024 Paulo Alcantara <paalcant@redhat.com> - 7.0-2
+- cifs.upcall: fix UAF in get_cachename_from_process_env()
+- Resolves: RHEL-28047
+
 * Mon Jan 30 2023 Pavel Filipenský <pfilipen@redhat.com> - 7.0-1
 - Update to cifs-utils-7.0
 - Resolves: rhbz#2163303
--- a/cifs.upcall-fix-UAF-in-get_cachename_from_process_en.patch
+++ b/cifs.upcall-fix-UAF-in-get_cachename_from_process_en.patch
@ -0,0 +1,46 @@
+From 73146385da0945c78af0fbdc08d2bf260db709d5 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@manguebit.com>
+Date: Fri, 8 Mar 2024 12:06:15 -0300
+Subject: [PATCH] cifs.upcall: fix UAF in get_cachename_from_process_env()
+
+Whether lseek(2) fails or @bufsize * 2 > ENV_BUF_MAX, then @buf would
+end up being freed twice.  For instance:
+
+  cifs-utils-7.0/cifs.upcall.c:501: freed_arg: "free" frees "buf".
+  cifs-utils-7.0/cifs.upcall.c:524: double_free: Calling "free" frees
+  pointer "buf" which has already been freed.
+    522|           }
+    523|   out_close:
+    524|->         free(buf);
+    525|           close(fd);
+    526|           return cachename;
+
+Fix this by setting @buf to NULL after freeing it to prevent UAF.
+
+Fixes: ed97e4ecab4e ("cifs.upcall: allow scraping of KRB5CCNAME out of initiating task's /proc/<pid>/environ file")
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
+---
+ cifs.upcall.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/cifs.upcall.c b/cifs.upcall.c
+index 52c03280dbe0..ff6f2bd271bc 100644
+--- a/cifs.upcall.c
+++ b/cifs.upcall.c
+@@ -498,10 +498,11 @@ retry:
+ 		/* We read to the end of the buffer. Double and try again */
+ 		syslog(LOG_DEBUG, "%s: read to end of buffer (%zu bytes)\n",
+ 					__func__, bufsize);
+-		free(buf);
+-		bufsize *= 2;
+ 		if (lseek(fd, 0, SEEK_SET) < 0)
+ 			goto out_close;
+		free(buf);
+		buf = NULL;
+		bufsize *= 2;
+ 		goto retry;
+ 	}
+ 
+-- 
+2.44.0
+