From 73146385da0945c78af0fbdc08d2bf260db709d5 Mon Sep 17 00:00:00 2001
From: Paulo Alcantara
Date: Fri, 8 Mar 2024 12:06:15 -0300
Subject: [PATCH] cifs.upcall: fix UAF in get_cachename_from_process_env()

Whether lseek(2) fails or @bufsize * 2 > ENV_BUF_MAX, then @buf would end up being freed twice.

For instance:

cifs-utils-7.0/cifs.upcall.c:501: freed_arg: "free" frees "buf".
cifs-utils-7.0/cifs.upcall.c:524: double_free: Calling "free" frees pointer "buf" which has already been freed.
522| }
523| out_close:
524|-> free(buf);
525| close(fd);
526| return cachename;

Fix this by setting @buf to NULL after freeing it to prevent UAF.

Fixes: ed97e4ecab4e ("cifs.upcall: allow scraping of KRB5CCNAME out of initiating task's /proc//environ file")
Signed-off-by: Paulo Alcantara (Red Hat)
---
 cifs.upcall.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/cifs.upcall.c b/cifs.upcall.c
index 52c03280dbe0..ff6f2bd271bc 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -498,10 +498,11 @@ retry:
 		/* We read to the end of the buffer. Double and try again */
 		syslog(LOG_DEBUG, "%s: read to end of buffer (%zu bytes)\n",
 		       __func__, bufsize);
-		free(buf);
-		bufsize *= 2;
 		if (lseek(fd, 0, SEEK_SET) < 0)
 			goto out_close;
+		free(buf);
+		buf = NULL;
+		bufsize *= 2;
 		goto retry;
 	}
-- 
2.44.0
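Review bot: The new `buf = NULL;` line needs a comment, because nothing in the hunk shows why it matters: `out_close:` frees `buf` unconditionally, and according to the commit message the `bufsize * 2 > ENV_BUF_MAX` cap reached via `goto retry` jumps there, so without the reset a stale pointer is freed a second time. Suggest `/* out_close frees buf unconditionally; clear it so the ENV_BUF_MAX bail-out after retry: cannot free it again */` placed on the new line. The same comment should note that the lseek() check was deliberately moved ahead of the free so that its `goto out_close` still releases a live buffer, otherwise a later tidy-up may reorder them back. The doubling of `bufsize` is presumably bounded only by that ENV_BUF_MAX check outside the hunk; it is worth confirming that check runs before the next `malloc(bufsize)` on every retry. The enclosing get_cachename_from_process_env() begins before and ends after this hunk.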