rpms/cifs-utils
7
0
Fork 0
Code Issues Pull Requests Releases Activity

cifs.upcall: fix UAF in get_cachename_from_process_env()

Browse Source 
Resolves: RHEL-28047

Signed-off-by: Paulo Alcantara <paalcant@redhat.com>
This commit is contained in:
Paulo Alcantara 2024-04-12 13:16:22 -03:00
parent 9aaac0fb75
commit f5c9edcc8f
2 changed files with 53 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
cifs-utils.spec
View File

@ -3,7 +3,7 @@
Name: cifs-utils Name: cifs-utils
Version: 7.0 Version: 7.0
Release: 1%{pre_release}%{?dist} Release: 2%{pre_release}%{?dist}
Summary: Utilities for mounting and managing CIFS mounts Summary: Utilities for mounting and managing CIFS mounts
License: GPLv3 License: GPLv3
@ -21,6 +21,7 @@ Requires(preun): /usr/sbin/alternatives
Recommends: %{name}-info%{?_isa} = %{version}-%{release} Recommends: %{name}-info%{?_isa} = %{version}-%{release}
Source0: https://download.samba.org/pub/linux-cifs/cifs-utils/%{name}-%{version}.tar.bz2 Source0: https://download.samba.org/pub/linux-cifs/cifs-utils/%{name}-%{version}.tar.bz2
Patch0: cifs.upcall-fix-UAF-in-get_cachename_from_process_en.patch
%description %description
The SMB/CIFS protocol is a standard file sharing protocol widely deployed The SMB/CIFS protocol is a standard file sharing protocol widely deployed
@ -53,6 +54,7 @@ provide these credentials to the kernel automatically at login.
%prep %prep
%setup -q -n %{name}-%{version}%{pre_release} %setup -q -n %{name}-%{version}%{pre_release}
%patch0 -p1
%build %build
fgrep -r -l '/usr/bin/env python' | xargs -n1 sed -i 's@/usr/bin/env python.*@%python3@g' fgrep -r -l '/usr/bin/env python' | xargs -n1 sed -i 's@/usr/bin/env python.*@%python3@g'
@ -124,6 +126,10 @@ about CIFS mount.
%{_mandir}/man1/smbinfo.* %{_mandir}/man1/smbinfo.*
%changelog %changelog
* Fri Apr 12 2024 Paulo Alcantara <paalcant@redhat.com> - 7.0-2
- cifs.upcall: fix UAF in get_cachename_from_process_env()
- Resolves: RHEL-28047
* Mon Jan 30 2023 Pavel Filipenský <pfilipen@redhat.com> - 7.0-1 * Mon Jan 30 2023 Pavel Filipenský <pfilipen@redhat.com> - 7.0-1
- Update to cifs-utils-7.0 - Update to cifs-utils-7.0
- Resolves: rhbz#2163303 - Resolves: rhbz#2163303

46
cifs.upcall-fix-UAF-in-get_cachename_from_process_en.patch Normal file
View File

@ -0,0 +1,46 @@
From 73146385da0945c78af0fbdc08d2bf260db709d5 Mon Sep 17 00:00:00 2001
From: Paulo Alcantara <pc@manguebit.com>
Date: Fri, 8 Mar 2024 12:06:15 -0300
Subject: [PATCH] cifs.upcall: fix UAF in get_cachename_from_process_env()
Whether lseek(2) fails or @bufsize * 2 > ENV_BUF_MAX, then @buf would
end up being freed twice. For instance:
cifs-utils-7.0/cifs.upcall.c:501: freed_arg: "free" frees "buf".
cifs-utils-7.0/cifs.upcall.c:524: double_free: Calling "free" frees
pointer "buf" which has already been freed.
522| }
523| out_close:
524|-> free(buf);
525| close(fd);
526| return cachename;
Fix this by setting @buf to NULL after freeing it to prevent UAF.
Fixes: ed97e4ecab4e ("cifs.upcall: allow scraping of KRB5CCNAME out of initiating task's /proc/<pid>/environ file")
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
---
cifs.upcall.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/cifs.upcall.c b/cifs.upcall.c
index 52c03280dbe0..ff6f2bd271bc 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -498,10 +498,11 @@ retry:
/* We read to the end of the buffer. Double and try again */
syslog(LOG_DEBUG, "%s: read to end of buffer (%zu bytes)\n",
__func__, bufsize);
- free(buf);
- bufsize *= 2;
if (lseek(fd, 0, SEEK_SET) < 0)
goto out_close;
+ free(buf);
+ buf = NULL;
+ bufsize *= 2;
goto retry;
}
--
2.44.0