From ca2d56990954a726fe0c2d74c7ac4fd762562486 Mon Sep 17 00:00:00 2001
From: liuh
Date: Tue, 9 Apr 2024 17:44:02 +0800
Subject: [PATCH] cifs.upcall: fix UAF in get_cachename_from_process_env()
(cherry picked from commit be4a54ba33f130c7ace9497326fe1634bb658b15)
---
 ...UAF-in-get_cachename_from_process_en.patch | 46 +++++++++++++++++++
 cifs-utils.spec | 6 ++-
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 0001-cifs.upcall-fix-UAF-in-get_cachename_from_process_en.patch
diff --git a/0001-cifs.upcall-fix-UAF-in-get_cachename_from_process_en.patch b/0001-cifs.upcall-fix-UAF-in-get_cachename_from_process_en.patch
new file mode 100644
index 0000000..51b2291
--- /dev/null
+++ b/0001-cifs.upcall-fix-UAF-in-get_cachename_from_process_en.patch
@@ -0,0 +1,46 @@
+From 73146385da0945c78af0fbdc08d2bf260db709d5 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara
+Date: Fri, 8 Mar 2024 12:06:15 -0300
+Subject: [PATCH] cifs.upcall: fix UAF in get_cachename_from_process_env()
+
+Whether lseek(2) fails or @bufsize * 2 > ENV_BUF_MAX, then @buf would
+end up being freed twice. For instance:
+
+ cifs-utils-7.0/cifs.upcall.c:501: freed_arg: "free" frees "buf".
+ cifs-utils-7.0/cifs.upcall.c:524: double_free: Calling "free" frees
+ pointer "buf" which has already been freed.
+ 522| }
+ 523| out_close:
+ 524|-> free(buf);
+ 525| close(fd);
+ 526| return cachename;
+
+Fix this by setting @buf to NULL after freeing it to prevent UAF.
+
+Fixes: ed97e4ecab4e ("cifs.upcall: allow scraping of KRB5CCNAME out of initiating task's /proc//environ file")
+Signed-off-by: Paulo Alcantara (Red Hat)
+---
+ cifs.upcall.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/cifs.upcall.c b/cifs.upcall.c
+index 52c0328..ff6f2bd 100644
+--- a/cifs.upcall.c
++++ b/cifs.upcall.c
+@@ -498,10 +498,11 @@ retry:
+ /* We read to the end of the buffer. Double and try again */
+ syslog(LOG_DEBUG, "%s: read to end of buffer (%zu bytes)\n",
+ __func__, bufsize);
+- free(buf);
+- bufsize *= 2;
+ if (lseek(fd, 0, SEEK_SET) < 0)
+ goto out_close;
++ free(buf);
++ buf = NULL;
++ bufsize *= 2;
+ goto retry;
+ }
+
+--
+2.34.1
+
diff --git a/cifs-utils.spec b/cifs-utils.spec
index db20fde..af11255 100644
--- a/cifs-utils.spec
+++ b/cifs-utils.spec
@@ -1,6 +1,6 @@
 Name: cifs-utils
 Version: 7.0
-Release: 1
+Release: 2
 Summary: Utilities for doing and managing mounts of the Linux CIFS filesystem
 License: GPLv3+
 URL: http://linux-cifs.samba.org/cifs-utils/
@@ -12,6 +12,7 @@ Provides: pam_cifscreds
 Obsoletes: pam_cifscreds
 Requires: keyutils
+Patch0: 0001-cifs.upcall-fix-UAF-in-get_cachename_from_process_en.patch
 %description
 The in-kernel CIFS filesystem is generally the preferred method for mounting
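Review bot: The added `buf = NULL;` carries no comment explaining why it is needed, and the reason is not visible in the hunk: per the commit message and the Coverity trace it quotes, the code after `goto retry` bails to `out_close` when `bufsize` exceeds `ENV_BUF_MAX`, and `out_close` runs `free(buf)` again, so the NULL is what turns that second free into a no-op. Without a comment the next refactor can drop the assignment as redundant and silently reintroduce the double free; I would add `/* out_close frees buf; NULL it so the ENV_BUF_MAX bail-out at retry cannot double-free */` above the assignment. Moving `free(buf)` below the `lseek()` check is the part that fixes the lseek failure path, since `out_close` then frees a still-live pointer exactly once. The enclosing function get_cachename_from_process_env() and the `retry:` label begin before this hunk and `out_close:` lies after it, so the ENV_BUF_MAX check itself cannot be confirmed here.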
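Review bot: `Patch0:` is declared but nothing in this diff shows the patch being applied: an RPM `PatchN:` tag only stages the file, and it is applied only if %prep uses `%autosetup`/`%autopatch` or an explicit `%patch0 -p1`. The %prep section is outside the hunks, so this cannot be confirmed from here; if it is a plain `%setup -q`, the build succeeds with the UAF fix silently left out, which is worse than a build failure. Add `%patch0 -p1` after the `%setup` line (or switch to `%autosetup -p1`) if not already present, and verify the 7.0-2 build of cifs.upcall actually contains the change.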
@@ -76,6 +77,9 @@ install -m 644 contrib/request-key.d/cifs.spnego.conf %{buildroot}%{_sysconfdir}
 %{_mandir}/man8/*
 %changelog
+* Tue Apr 9 2024 liuh - 7.0-2
+- sync patch from community
+
 * Sat Feb 11 2023 suweifeng - 7.0-1
 - upgarde to version 7.0
--
Gitee