polkit-github-migration-bot / t4_polkit


Free of uninitialized pointer in pkexec #203

Closed polkit-github-migration-bot closed 6 months ago

polkit-github-migration-bot commented 11 months ago

In gitlab.freedesktop.org by jinscoe123 on Aug 7, 2023, 07:03

Link to the original issue: https://gitlab.freedesktop.org/polkit/polkit/-/issues/201

Pkexec calls free() on uninitialized pointer

This might not be a security issue, since it probably cannot be exploited for a couple of reasons.

  1. The pointer value seems to be NULL anyway in most builds.
  2. It does not seem possible for an attacker to control the memory it points to (when the uninitialized pointer happens to be non-null).

But because this is a memory corruption bug in pkexec, I thought I'd mark it as confidential just to be on the safe side.

Desired behaviour

Pkexec should not free uninitialized pointers.

Reproducer

Not sure how to make it crash consistently, but there are warnings when compiling polkit.

[image attachment: compiler warnings, not preserved in the migration]

Detailed description

The bug is triggered when a goto out is encountered before the cmdline_short variable is initialized. During cleanup, pkexec's main function calls g_free() on cmdline_short, which is uninitialized because the goto statement skipped its initialization.

This happens, for example, when running pkexec --version.

Version of polkit: 124

Version of OS: Linux kali 6.3.0-kali1-amd64

Patch

diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
index 98aa151..38e2387 100644
--- a/src/programs/pkexec.c
+++ b/src/programs/pkexec.c
@@ -488,6 +488,7 @@ main (int argc, char *argv[])
   gchar *opt_user;
   pid_t pid_of_caller;
   gpointer local_agent_handle;
+  gchar *cmdline_short;

   /*
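Review bot: moving the declaration up beside the other locals is correct, but on its own this hunk leaves cmdline_short just as uninitialised before any early `goto out` as it was at line 802; the fix only holds together with the `cmdline_short = NULL;` added in the following hunk. Writing `gchar *cmdline_short = NULL;` here would make the declaration and the initialisation impossible to separate, but the neighbouring declarations (opt_user, local_agent_handle) are likewise assigned later in the function, so matching that existing convention is acceptable.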
@@ -510,6 +511,7 @@ main (int argc, char *argv[])
   command_line = NULL;
   opt_user = NULL;
   local_agent_handle = NULL;
+  cmdline_short = NULL;

   /* Disable remote file access from GIO. */
   setenv ("GIO_USE_VFS", "local", 1);
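Review bot: this is the line that actually resolves the report: every `goto out` taken before the g_strdup() in the third hunk now reaches the cleanup label with cmdline_short == NULL, and g_free(NULL) is a no-op. Please confirm that no `goto out` sits between the declaration added at line 488 and this block at line 511; command_line, opt_user and local_agent_handle rely on the same assumption, so the new line follows the file's existing pattern rather than introducing a new one.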
@@ -802,7 +804,6 @@ main (int argc, char *argv[])
   polkit_details_insert (details, "program", path);
   polkit_details_insert (details, "command_line", command_line);

-  gchar *cmdline_short = NULL;
   cmdline_short = g_strdup(command_line);
   if (strlen(command_line) > 80)
       g_stpcpy(g_stpcpy( cmdline_short + 38, " ... " ),
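Review bot: the hunk ends mid-statement after the inner g_stpcpy() call, so the second argument of the outer g_stpcpy(), the part that copies the tail of command_line into cmdline_short + 43, is not visible here and the 80-character truncation cannot be checked for bounds; please include the rest of the statement. On what is visible, dropping the `= NULL` from this line is correct only in combination with the initialisation added at line 511, since this g_strdup() is now the sole assignment to cmdline_short before cleanup. Minor style point: the spacing in `g_stpcpy( cmdline_short + 38, " ... " )` does not match the `g_strdup(command_line)` call just above it.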
polkit-github-migration-bot commented 11 months ago

In gitlab.freedesktop.org by vmihalko on Aug 9, 2023, 14:01

mentioned in commit vmihalko/polkit@36d616e64204356def8c95efb58c4a11fef0e542

polkit-github-migration-bot commented 10 months ago

In gitlab.freedesktop.org by vmihalko on Aug 15, 2023, 18:02

mentioned in commit vmihalko/polkit@f7ed531e16e38474d33d1bd3fb5166ec2093700c