diff --git a/backport-src-groupmod.c-delete-gr_free_members-grp-to-avoid-d.patch b/backport-src-groupmod.c-delete-gr_free_members-grp-to-avoid-d.patch new file mode 100644 index 0000000000000000000000000000000000000000..6a1a2d9a58587d65c081bfa5192a34f85b8ff373 --- /dev/null +++ b/backport-src-groupmod.c-delete-gr_free_members-grp-to-avoid-d.patch @@ -0,0 +1,54 @@ +From 10429edc14673fbb8c78b25f1872c34e88e5f07f Mon Sep 17 00:00:00 2001 +From: lixinyun +Date: Wed, 29 May 2024 06:53:02 +0800 +Subject: [PATCH] src/groupmod.c: delete gr_free_members(&grp) to avoid double + free + +Groupmod -U may cause crashes because of double free. If without -a, the first free of (*ogrp).gr_mem is in gr_free_members(&grp), and then in gr_update without -n or gr_remove with -n. +Considering the minimal impact of modifications on existing code, delete gr_free_members(&grp) to avoid double free.Although this may seem reckless, the second free in two different positions will definitely be triggered, and the following two test cases can be used to illustrate the situation : + +[root@localhost src]# ./useradd u1 +[root@localhost src]# ./useradd u2 +[root@localhost src]# ./useradd u3 +[root@localhost src]# ./groupadd -U u1,u2,u3 g1 +[root@localhost src]# ./groupmod -n g2 -U u1,u2 g1 +Segmentation fault + +This case would free (*ogrp).gr_mem in gr_free_members(&grp) due to assignment statements grp = *ogrp, then in if (nflg && (gr_remove (group_name) == 0)), which finally calls gr_free_members(grent) to free (*ogrp).gr_mem again. + +[root@localhost src]# ./useradd u1 +[root@localhost src]# ./useradd u2 +[root@localhost src]# ./useradd u3 +[root@localhost src]# ./groupadd -U u1,u2,u3 g1 +[root@localhost src]# ./groupmod -U u1,u2 g1 +Segmentation fault + +The other case would free (*ogrp).gr_mem in gr_free_members(&grp) too, then in if (gr_update (&grp) == 0), which finally calls gr_free_members(grent) too to free (*ogrp).gr_mem again. + +So the first free is unnecessary, maybe we can drop it. + +Fixes: 342c934a3590 ("add -U option to groupadd and groupmod") +Closes: +Link: +Link: +Link: +Cc: "Serge E. Hallyn" +Reviewed-by: Alejandro Colomar +Signed-off-by: lixinyun +--- + src/groupmod.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/src/groupmod.c b/src/groupmod.c +index a29cf73f6..989d7ea34 100644 +--- a/src/groupmod.c ++++ b/src/groupmod.c +@@ -250,8 +250,6 @@ static void grp_update (void) + + if (!aflg) { + // requested to replace the existing groups +- if (NULL != grp.gr_mem[0]) +- gr_free_members(&grp); + grp.gr_mem = XMALLOC(1, char *); + grp.gr_mem[0] = NULL; + } else { diff --git a/shadow.spec b/shadow.spec index 719678aac7337b18d2d871bf937998656418a899..ce5c6a46b3e12c4b85dae6a950dd779194278711 100644 --- a/shadow.spec +++ b/shadow.spec @@ -1,6 +1,6 @@ Name: shadow Version: 4.14.3 -Release: 7 +Release: 8 Epoch: 2 License: BSD and GPLv2+ Summary: Tools for managing accounts and shadow password files @@ -27,6 +27,7 @@ Patch7: limit-username-length-to-32.patch Patch8: backport-src-useradd.c-get_groups-Fix-memory-leak.patch Patch9: backport-src-gpasswd-Clear-password-in-more-cases.patch Patch10: backport-lib-encrypt.c-Do-not-exit-in-error-case.patch +Patch11: backport-src-groupmod.c-delete-gr_free_members-grp-to-avoid-d.patch BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel BuildRequires: libacl-devel, libattr-devel @@ -196,6 +197,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.{la,a} %{_mandir}/*/* %changelog +* Tue May 27 2025 Funda Wang - 2:4.14.3-8 +- fix upstream bug#1013: src/groupmod.c: bug; possibly use-after-free + * Tue Mar 11 2025 yixiangzhike - 2:4.14.3-7 - backport patches from upstream