From 2ef48ab562c0cce7caff394affa85fcf4537a257 Mon Sep 17 00:00:00 2001
From: liuh
Date: Fri, 1 Nov 2024 16:33:23 +0800
Subject: [PATCH] util-linux: fix memory leak and UAF
---
...port-suL-fix-use-after-free-on-error.patch | 30 ++++++++++++++
...s-utils-save_adjtime-fix-memory-leak.patch | 40 +++++++++++++++++++
...ls-setpriv-fix-potential-memory-leak.patch | 37 +++++++++++++++++
backport-wall-fix-possible-memory-leak.patch | 38 ++++++++++++++++++
util-linux.spec | 16 +++++++-
5 files changed, 160 insertions(+), 1 deletion(-)
create mode 100644 backport-suL-fix-use-after-free-on-error.patch
create mode 100644 backport-sys-utils-save_adjtime-fix-memory-leak.patch
create mode 100644 backport-sys-utils-setpriv-fix-potential-memory-leak.patch
create mode 100644 backport-wall-fix-possible-memory-leak.patch
diff --git a/backport-suL-fix-use-after-free-on-error.patch b/backport-suL-fix-use-after-free-on-error.patch
new file mode 100644
index 0000000..06b21da
--- /dev/null
+++ b/backport-suL-fix-use-after-free-on-error.patch
@@ -0,0 +1,30 @@
+From 3b01374845f8bbe29ef945b866f679555b28cd38 Mon Sep 17 00:00:00 2001
+From: Karel Zak
+Date: Tue, 30 Apr 2024 10:51:50 +0200
+Subject: [PATCH] suL fix use after free on error
+
+Signed-off-by: Karel Zak
+---
+ login-utils/su-common.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/login-utils/su-common.c b/login-utils/su-common.c
+index b674920..35950ce 100644
+--- a/login-utils/su-common.c
++++ b/login-utils/su-common.c
+@@ -446,9 +446,10 @@ static void supam_open_session(struct su_context *su)
+
+ rc = pam_open_session(su->pamh, 0);
+ if (is_pam_failure(rc)) {
++ const char *msg = pam_strerror(su->pamh, rc);
++
+ supam_cleanup(su, rc);
+- errx(EXIT_FAILURE, _("cannot open session: %s"),
+- pam_strerror(su->pamh, rc));
++ errx(EXIT_FAILURE, _("cannot open session: %s"), msg);
+ } else
+ su->pam_has_session = 1;
+ }
+--
+2.43.0
+
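Review bot: The new `msg` pointer in supam_open_session() is still read after `supam_cleanup(su, rc)`, so the fix is only sound if `pam_strerror()` returns storage that does not belong to `su->pamh`, and the hunk does not document that. With Linux-PAM I believe the returned text is static, but that is an assumption about the PAM library, not something visible here. I would add a comment above the new declaration, e.g. `/* fetch the text first: supam_cleanup() presumably tears down su->pamh */`, so the ordering is not simplified back later. Because su is normally installed setuid root, it may also be worth naming this use-after-free explicitly in the spec changelog instead of filing it under a generic bugfix entry.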
diff --git a/backport-sys-utils-save_adjtime-fix-memory-leak.patch b/backport-sys-utils-save_adjtime-fix-memory-leak.patch
new file mode 100644
index 0000000..5afade9
--- /dev/null
+++ b/backport-sys-utils-save_adjtime-fix-memory-leak.patch
@@ -0,0 +1,40 @@
+From 4e4fd6a5fc84b8dc172e1ea67b28064c67376d1a Mon Sep 17 00:00:00 2001
+From: Maks Mishin
+Date: Thu, 17 Oct 2024 07:14:26 +0300
+Subject: [PATCH] sys-utils: (save_adjtime): fix memory leak
+
+Dynamic memory, referenced by 'content', is allocated by calling function 'xasprintf'
+and lost when function returns.
+
+Found by the static analyzer Svace.
+---
+ sys-utils/hwclock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sys-utils/hwclock.c b/sys-utils/hwclock.c
+index 87228b5..1318c13 100644
+--- a/sys-utils/hwclock.c
++++ b/sys-utils/hwclock.c
+@@ -910,6 +910,7 @@ static int save_adjtime(const struct hwclock_control *ctl,
+ fp = fopen(ctl->adj_file_name, "w");
+ if (fp == NULL) {
+ warn(_("cannot open %s"), ctl->adj_file_name);
++ free(content);
+ return EXIT_FAILURE;
+ }
+
+@@ -918,9 +919,11 @@ static int save_adjtime(const struct hwclock_control *ctl,
+
+ if (rc) {
+ warn(_("cannot update %s"), ctl->adj_file_name);
++ free(content);
+ return EXIT_FAILURE;
+ }
+ }
++ free(content);
+ return EXIT_SUCCESS;
+ }
+
+--
+2.43.0
+
diff --git a/backport-sys-utils-setpriv-fix-potential-memory-leak.patch b/backport-sys-utils-setpriv-fix-potential-memory-leak.patch
new file mode 100644
index 0000000..bcc7323
--- /dev/null
+++ b/backport-sys-utils-setpriv-fix-potential-memory-leak.patch
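Review bot: save_adjtime() now releases `content` at three separate exits (the fopen() failure, the `if (rc)` failure and the success return), which is easy to miss again when another early return is added. A single exit would be more robust: keep a result variable such as `int ret = EXIT_FAILURE;`, set `ret = EXIT_SUCCESS;` on the good path, and finish with `free(content); return ret;`. The function starts before the first hunk and the lines between the two hunks are not shown, so any other return in that gap should be checked for the same leak.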
@@ -0,0 +1,37 @@
+From 8f15d94a21cbc6886bdf2474e6e1bb507cab1149 Mon Sep 17 00:00:00 2001
+From: Maks Mishin
+Date: Thu, 10 Oct 2024 20:23:49 +0300
+Subject: [PATCH] sys-utils: (setpriv): fix potential memory leak
+
+Dynamic memory, referenced by 'buf' is allocated by calling function 'xstrdup'
+add then changed by calling of strsep function.
+The free(buf) call is incorrect if buf != NULL, and points to some
+place inside or outside the source string.
+---
+ sys-utils/setpriv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sys-utils/setpriv.c b/sys-utils/setpriv.c
+index ddc2cc6..44731fd 100644
+--- a/sys-utils/setpriv.c
++++ b/sys-utils/setpriv.c
+@@ -552,6 +552,7 @@ static void do_caps(enum cap_type type, const char *caps)
+ static void parse_securebits(struct privctx *opts, const char *arg)
+ {
+ char *buf = xstrdup(arg);
++ char *source_buf = buf;
+ char *c;
+
+ opts->have_securebits = 1;
+@@ -605,7 +606,7 @@ static void parse_securebits(struct privctx *opts, const char *arg)
+
+ opts->securebits |= SECBIT_KEEP_CAPS; /* We need it, and it's reset on exec */
+
+- free(buf);
++ free(source_buf);
+ }
+
+ static void do_selinux_label(const char *label)
+--
+2.43.0
+
diff --git a/backport-wall-fix-possible-memory-leak.patch b/backport-wall-fix-possible-memory-leak.patch
new file mode 100644
index 0000000..2391430
--- /dev/null
+++ b/backport-wall-fix-possible-memory-leak.patch
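Review bot: `source_buf` in parse_securebits() has no comment explaining why two pointers to the same allocation exist, and the declaration alone does not make the reason obvious. The loop between the two hunks is not shown, but the commit message says `buf` is advanced by strsep(), so passing it to free() would hand the allocator either a pointer that is no longer the start of the block or NULL, leaking the copy. I would add `/* strsep() moves buf; source_buf keeps the xstrdup() result for free() */` next to the new declaration. The same applies to `whombuf` in the wall.c patch, where `whom` can be redirected to `""` before the free.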
@@ -0,0 +1,38 @@
+From 828f6506b488a67d26ea8b7c50042a505c450b79 Mon Sep 17 00:00:00 2001
+From: Karel Zak
+Date: Mon, 29 Apr 2024 15:25:58 +0200
+Subject: [PATCH] wall: fix possible memory leak
+
+Signed-off-by: Karel Zak
+---
+ term-utils/wall.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/term-utils/wall.c b/term-utils/wall.c
+index 1e7e9ab..cc39bdc 100644
+--- a/term-utils/wall.c
++++ b/term-utils/wall.c
+@@ -284,10 +284,10 @@ static char *makemsg(char *fname, char **mvec, int mvecsz,
+
+ if (print_banner == TRUE) {
+ char *hostname = xgethostname();
+- char *whom, *where, date[CTIME_BUFSIZ];
++ char *whombuf, *whom, *where, date[CTIME_BUFSIZ];
+ time_t now;
+
+- whom = xgetlogin();
++ whombuf = whom = xgetlogin();
+ if (!whom) {
+ whom = "";
+ warn(_("cannot get passwd uid"));
+@@ -318,6 +318,7 @@ static char *makemsg(char *fname, char **mvec, int mvecsz,
+ whom, hostname, where, date);
+ fprintf(fs, "%-*.*s\007\007\r\n", TERM_WIDTH, TERM_WIDTH, lbuf);
+ free(hostname);
++ free(whombuf);
+ }
+ fprintf(fs, "%*s\r\n", TERM_WIDTH, " ");
+
+--
+2.43.0
+
diff --git a/util-linux.spec b/util-linux.spec
index 87e58d8..754502a 100644
--- a/util-linux.spec
+++ b/util-linux.spec
@@ -3,7 +3,7 @@ Name: util-linux Version: 2.39.1 -Release: 14 +Release: 15 Summary: A random collection of Linux utilities License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain URL: https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git
@@ -38,6 +38,10 @@ Patch6016: backport-libmount-improve-mnt_table_next_child_fs.patch Patch6017: backport-libmount-make-sure-option-is-used-as-string.patch Patch6018: backport-libmount-fix-possible-memory-leak.patch Patch6019: backport-libmount-Fix-atime-remount-for-new-API.patch +Patch6020: backport-sys-utils-setpriv-fix-potential-memory-leak.patch +Patch6021: backport-sys-utils-save_adjtime-fix-memory-leak.patch +Patch6022: backport-wall-fix-possible-memory-leak.patch +Patch6023: backport-suL-fix-use-after-free-on-error.patch Patch9000: SKIPPED-no-root-permissions-test.patch Patch9001: util-linux-Add-sw64-architecture.patch
@@ -419,6 +423,16 @@ fi %endif %changelog +* Mon Dec 09 2024 zhangyao - 2.39.1-15 +- Type: bugfix +- CVE: NA +- SUG: NA +- DESC: backport community patches + backport-sys-utils-setpriv-fix-potential-memory-leak.patch + backport-sys-utils-save_adjtime-fix-memory-leak.patch + backport-wall-fix-possible-memory-leak.patch + backport-suL-fix-use-after-free-on-error.patch + * Thu Nov 28 2024 Wenlong Zhang - 2.39.1-14 - Type:enhancement - CVE: NA -- Gitee