Closed polkit-github-migration-bot closed 9 months ago
In gitlab.freedesktop.org by vmihalko on Aug 9, 2023, 14:01
mentioned in commit vmihalko/polkit@36d616e64204356def8c95efb58c4a11fef0e542
In gitlab.freedesktop.org by vmihalko on Aug 15, 2023, 18:02
mentioned in commit vmihalko/polkit@f7ed531e16e38474d33d1bd3fb5166ec2093700c
In gitlab.freedesktop.org by jinscoe123 on Aug 7, 2023, 07:03
Link to the original issue: https://gitlab.freedesktop.org/polkit/polkit/-/issues/201
Pkexec calls `free()` on uninitialized pointer

This might not be a security issue, since it probably cannot be exploited for a couple of reasons. But because this is a memory corruption bug in `pkexec`, I thought I'd mark it as confidential just to be on the safe side.

Desired behaviour

`Pkexec` should not free uninitialized pointers.

Reproducer

Not sure how to make it crash consistently, but there are warnings when compiling polkit.

Detailed description

The bug is triggered when a `goto out` is encountered before the `cmdline_short` variable is initialized. During cleanup, `pkexec`'s main function calls `g_free()` on `cmdline_short`, which is uninitialized because the goto statement skipped its initialization. This happens, for example, when running `pkexec --version`.

Version of polkit: 124
Version of OS: Linux kali 6.3.0-kali1-amd64

Patch
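As an added example (not polkit's code and not the reporter's patch), a small C model of the goto-out cleanup shape described in the report: the pointer is initialised to NULL at declaration, so the `--version` early exit reaches `free()` with a defined value. `build_cmdline_short` and `pkexec_like_main` are hypothetical stand-ins for the real pkexec logic; plain `free()` stands in for `g_free()`, both of which accept NULL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not pkexec's): join argv with spaces and truncate
 * to maxlen characters followed by "...". Returns a heap string. */
static char *build_cmdline_short(int argc, char **argv, size_t maxlen)
{
    size_t len = 0;
    for (int i = 0; i < argc; i++)
        len += strlen(argv[i]) + 1;       /* word + separator (or NUL) */
    char *full = malloc(len + 4);         /* +4 leaves room for "..." */
    if (full == NULL)
        return NULL;
    full[0] = '\0';
    for (int i = 0; i < argc; i++) {
        if (i > 0)
            strcat(full, " ");
        strcat(full, argv[i]);
    }
    if (strlen(full) > maxlen) {
        full[maxlen] = '\0';
        strcat(full, "...");
    }
    return full;
}

/* Mirrors the control flow in the report: "--version" jumps to out before
 * cmdline_short is assigned. Returns the exit status. If short_out is
 * non-NULL it receives the built string (caller frees) or NULL on an
 * early-exit path; otherwise the string is freed here. */
int pkexec_like_main(int argc, char **argv, char **short_out)
{
    int ret = 1;
    /* The reported bug is the uninitialised form `char *cmdline_short;`:
     * the goto below then reaches free() on stack garbage. Initialising to
     * NULL makes free(NULL)/g_free(NULL) a no-op on every path. */
    char *cmdline_short = NULL;

    if (argc == 2 && strcmp(argv[1], "--version") == 0) {
        ret = 0;
        goto out;                         /* skips the assignment below */
    }
    if (argc < 2)
        goto out;                         /* usage error, same shape */

    cmdline_short = build_cmdline_short(argc - 1, argv + 1, 40);
    if (cmdline_short == NULL)
        goto out;
    ret = 0;

out:
    if (short_out != NULL)
        *short_out = cmdline_short;       /* ownership passes to caller */
    else
        free(cmdline_short);              /* safe on both paths now */
    return ret;
}
```

Removing the `= NULL` and compiling with `gcc -Wall -O2` reproduces the kind of maybe-uninitialized warning the report mentions.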