This might not be a security issue, since it probably cannot be exploited for a couple of reasons.
The pointer value seems to be NULL anyways in most builds.
It does not seem possible for an attacker to control the memory it points to (when the uninitialized pointer happens to be non-null).
But because this is a memory corruption bug in pkexec, I thought I'd mark it as confidential just to be on the safe side.
Desired behaviour
Pkexec should not free uninitialized pointers.
Reproducer
Not sure how to make it crash consistently, but there are warnings when compiling polkit.
Detailed description
The bug is triggered when a goto out is encountered before the cmdline_short variable is initialized. During cleanup, pkexec's main function calls g_free() on cmdline_short, which is uninitialized because the goto statement skipped its initialization.
This happens, for example, when running pkexec --version.
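The cleanup pattern the report describes, as an added illustration that is not polkit's source: a reduced main with the same goto-over-initialization defect, beside the fix of initializing every pointer the out: label frees. safe_free, dup_str, buggy_main and fixed_main are hypothetical names.

```c
/* Added illustration, not polkit's own source: the "goto out" cleanup
 * pattern from the report, defect and fix side by side. Names other than
 * cmdline_short are hypothetical. */
#include <stdlib.h>
#include <string.h>

static int freed_count = 0; /* lets a test observe what cleanup frees */

/* Stand-in for g_free(): like g_free, a NULL argument is a safe no-op. */
static void safe_free(void *p)
{
    if (p != NULL) { free(p); freed_count++; }
}

static char *dup_str(const char *s) /* strdup without the feature macros */
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    return d ? memcpy(d, s, n) : NULL;
}

/* Mirrors the reported bug: cmdline_short has no initializer and the
 * --version path jumps to out: before it is assigned, so cleanup frees
 * whatever the stack slot held. Never called; shown to expose the defect. */
static int buggy_main(int argc, char **argv)
{
    char *cmdline_short; /* uninitialized */
    int ret = 1;
    if (argc > 1 && strcmp(argv[1], "--version") == 0) { ret = 0; goto out; }
    cmdline_short = dup_str(argv[0]);
    ret = 0;
out:
    safe_free(cmdline_short); /* undefined behaviour on the early path */
    return ret;
}

/* Fix: every pointer released under out: starts as NULL, so an early goto
 * reaches a cleanup that is a no-op for slots that were never assigned. */
static int fixed_main(int argc, char **argv)
{
    char *cmdline_short = NULL;
    int ret = 1;
    if (argc > 1 && strcmp(argv[1], "--version") == 0) { ret = 0; goto out; }
    cmdline_short = dup_str(argv[0]);
    if (cmdline_short == NULL) goto out; /* ret stays 1, nothing to free */
    ret = 0;
out:
    safe_free(cmdline_short);
    return ret;
}
```

Compilers such as gcc flag the buggy variant with a "may be used uninitialized" warning, which is the warning the reproducer section refers to when building polkit.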
In GitLab by @jinscoe123 on Aug 7, 2023, 07:03
Issue title: Pkexec calls free() on uninitialized pointer
Version of polkit: 124
Version of OS: Linux kali 6.3.0-kali1-amd64
Patch