diff --git a/cifs-utils.spec b/cifs-utils.spec
index 6028994..32e1711 100644
--- a/cifs-utils.spec
+++ b/cifs-utils.spec
@@ -3,7 +3,7 @@
 Name: cifs-utils
 Version: 7.0
-Release: 1%{pre_release}%{?dist}
+Release: 2%{pre_release}%{?dist}
 Summary: Utilities for mounting and managing CIFS mounts
 License: GPLv3
@@ -21,6 +21,7 @@ Requires(preun): /usr/sbin/alternatives
 Recommends: %{name}-info%{?_isa} = %{version}-%{release}
 Source0: https://download.samba.org/pub/linux-cifs/cifs-utils/%{name}-%{version}.tar.bz2
+Patch0: cifs.upcall-fix-UAF-in-get_cachename_from_process_en.patch
 %description
 The SMB/CIFS protocol is a standard file sharing protocol widely deployed
@@ -53,6 +54,7 @@ provide these credentials to the kernel automatically at login.
 %prep
 %setup -q -n %{name}-%{version}%{pre_release}
+%patch0 -p1
 %build
 fgrep -r -l '/usr/bin/env python' | xargs -n1 sed -i 's@/usr/bin/env python.*@%python3@g'
@@ -124,6 +126,10 @@ about CIFS mount.
 %{_mandir}/man1/smbinfo.*
 %changelog
+* Fri Apr 12 2024 Paulo Alcantara - 7.0-2
+- cifs.upcall: fix UAF in get_cachename_from_process_env()
+- Resolves: RHEL-28047
+
 * Mon Jan 30 2023 Pavel Filipenský - 7.0-1
 - Update to cifs-utils-7.0
 - Resolves: rhbz#2163303
diff --git a/cifs.upcall-fix-UAF-in-get_cachename_from_process_en.patch b/cifs.upcall-fix-UAF-in-get_cachename_from_process_en.patch
new file mode 100644
index 0000000..156ff46
--- /dev/null
+++ b/cifs.upcall-fix-UAF-in-get_cachename_from_process_en.patch
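Review bot: `%patch0 -p1` in the %prep hunk uses the numbered `%patchN` form, which rpm 4.18 and later report as deprecated in favour of `%patch -P 0 -p1` (or `%autosetup -p1`); `%patch -P 0 -p1` is accepted by older rpm as well, so it is the safer spelling if this spec is expected to build on more than one release. The Patch0 line, the Release bump and the changelog entry are otherwise consistent with each other.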
@@ -0,0 +1,46 @@
+From 73146385da0945c78af0fbdc08d2bf260db709d5 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara
+Date: Fri, 8 Mar 2024 12:06:15 -0300
+Subject: [PATCH] cifs.upcall: fix UAF in get_cachename_from_process_env()
+
+Whether lseek(2) fails or @bufsize * 2 > ENV_BUF_MAX, then @buf would
+end up being freed twice. For instance:
+
+ cifs-utils-7.0/cifs.upcall.c:501: freed_arg: "free" frees "buf".
+ cifs-utils-7.0/cifs.upcall.c:524: double_free: Calling "free" frees
+ pointer "buf" which has already been freed.
+ 522| }
+ 523| out_close:
+ 524|-> free(buf);
+ 525| close(fd);
+ 526| return cachename;
+
+Fix this by setting @buf to NULL after freeing it to prevent UAF.
+
+Fixes: ed97e4ecab4e ("cifs.upcall: allow scraping of KRB5CCNAME out of initiating task's /proc//environ file")
+Signed-off-by: Paulo Alcantara (Red Hat)
+---
+ cifs.upcall.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/cifs.upcall.c b/cifs.upcall.c
+index 52c03280dbe0..ff6f2bd271bc 100644
+--- a/cifs.upcall.c
++++ b/cifs.upcall.c
+@@ -498,10 +498,11 @@ retry:
+ /* We read to the end of the buffer. Double and try again */
+ syslog(LOG_DEBUG, "%s: read to end of buffer (%zu bytes)\n",
+ __func__, bufsize);
+- free(buf);
+- bufsize *= 2;
+ if (lseek(fd, 0, SEEK_SET) < 0)
+ goto out_close;
++ free(buf);
++ buf = NULL;
++ bufsize *= 2;
+ goto retry;
+ }
+
+--
+2.44.0
+
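Review bot: The `buf = NULL` added after `free(buf)` is what turns the later `free(buf)` at `out_close` into a no-op, but that only reads correctly together with the allocation at `retry:` and the ENV_BUF_MAX bound the commit message describes, both of which are outside the hunk; a comment on the added lines would make the ownership explicit, e.g. `/* buf is re-allocated at retry:; NULL it so out_close can free it unconditionally if the size bound aborts the retry */`. Moving the `free` below the `lseek` check is the right order as well: on a failed seek `buf` now stays live and is released exactly once at `out_close`, which the existing `/* We read to the end of the buffer. Double and try again */` comment could mention. The enclosing get_cachename_from_process_env() starts and ends outside the hunk, so whether `retry:` re-allocates `buf` before any read, and where the ENV_BUF_MAX check sits, cannot be confirmed from here.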