From c20758c060d051b97e1e926220f494b9553a0d3ff62d5b3925d99d9966817910 Mon Sep 17 00:00:00 2001 From: Paulo Alcantara Date: Mon, 9 Sep 2019 13:49:51 +0000 Subject: [PATCH] Accepting request 729475 from home:aaptel:cifs-utils-6.9 - Fix double-free in mount.cifs; (bsc#1149164). * add 0011-fix-doublefree.patch OBS-URL: https://build.opensuse.org/request/show/729475 OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/cifs-utils?expand=0&rev=175 --- 0011-fix-doublefree.patch | 78 +++++++++++++++++++++++++++++++++++++++ cifs-utils.changes | 6 +++ cifs-utils.spec | 2 + 3 files changed, 86 insertions(+) create mode 100644 0011-fix-doublefree.patch diff --git a/0011-fix-doublefree.patch b/0011-fix-doublefree.patch new file mode 100644 index 0000000..72379a8 --- /dev/null +++ b/0011-fix-doublefree.patch @@ -0,0 +1,78 @@ +From paulo@paulo.ac Thu Sep 5 18:49:35 2019 +From: " Paulo Alcantara (SUSE) " +To: ,, + +Cc: "Aurelien Aptel" +Subject: [PATCH] mount.cifs: Fix double-free issue when mounting with setuid root +Date: Thu, 5 Sep 2019 15:49:35 -0300 +Message-Id: <20190905184935.30694-1-paulo@paulo.ac> +Content-Transfer-Encoding: 8bit +Content-Type: text/plain +MIME-Version: 1.0 + +It can be easily reproduced with the following: + + # chmod +s `which mount.cifs` + # echo "//localhost/share /mnt cifs \ + users,username=foo,password=XXXX" >> /etc/fstab + # su - foo + $ mount /mnt + free(): double free detected in tcache 2 + Child process terminated abnormally. + +The problem was that check_fstab() already freed orgoptions pointer +and then we freed it again in main() function. + +Fixes: bf7f48f4c7dc ("mount.cifs.c: fix memory leaks in main func") +Signed-off-by: Paulo Alcantara (SUSE) +--- + mount.cifs.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/mount.cifs.c b/mount.cifs.c +index 7748d54aa814..2116fc803311 100644 +--- a/mount.cifs.c ++++ b/mount.cifs.c +@@ -247,7 +247,6 @@ check_fstab(const char *progname, const char *mountpoint, const char *devname, + * set of options. We don't want to trust what the user + * gave us, so just take whatever is in /etc/fstab. + */ +- free(*options); + *options = strdup(mnt->mnt_opts); + return 0; + } +@@ -1762,6 +1761,7 @@ assemble_mountinfo(struct parsed_mount_info *parsed_info, + const char *orig_dev, char *orgoptions) + { + int rc; ++ char *newopts = NULL; + + rc = drop_capabilities(0); + if (rc) +@@ -1773,10 +1773,11 @@ assemble_mountinfo(struct parsed_mount_info *parsed_info, + + if (getuid()) { + rc = check_fstab(thisprogram, mountpoint, orig_dev, +- &orgoptions); ++ &newopts); + if (rc) + goto assemble_exit; + ++ orgoptions = newopts; + /* enable any default user mount flags */ + parsed_info->flags |= CIFS_SETUID_FLAGS; + } +@@ -1880,6 +1881,7 @@ assemble_mountinfo(struct parsed_mount_info *parsed_info, + } + + assemble_exit: ++ free(newopts); + return rc; + } + +-- +2.23.0 + + + + diff --git a/cifs-utils.changes b/cifs-utils.changes index 0bce01f..225dbdb 100644 --- a/cifs-utils.changes +++ b/cifs-utils.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Sep 9 12:56:24 UTC 2019 - Aurelien Aptel + +- Fix double-free in mount.cifs; (bsc#1149164). + * add 0011-fix-doublefree.patch + ------------------------------------------------------------------- Thu Aug 15 16:50:29 UTC 2019 - Aurelien Aptel diff --git a/cifs-utils.spec b/cifs-utils.spec index 3ff7deb..f5aecaa 100644 --- a/cifs-utils.spec +++ b/cifs-utils.spec @@ -42,6 +42,7 @@ Patch6: 0007-smbinfo-add-bash-completion-support-for-getcompressi.patch Patch7: 0008-mount.cifs.c-fix-memory-leaks-in-main-func.patch Patch8: 0009-Zero-fill-the-allocated-memory-for-new-struct-cifs_n.patch Patch9: 0010-Zero-fill-the-allocated-memory-for-a-new-ACE.patch +Patch10: 0011-fix-doublefree.patch # cifs-utils 6.8 switched to python for man page generation # we need to require either py2 or py3 package @@ -128,6 +129,7 @@ cp -a ${RPM_SOURCE_DIR}/README.cifstab.migration . %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 %build export CFLAGS="%{optflags} -D_GNU_SOURCE -fpie"