logo

overlay

My own overlay for experimentations, use with caution, no support is provided git clone https://hacktivis.me/git/overlay.git

shadow-4.9-gpasswd-double-free.patch (931B)

    

  1. https://github.com/shadow-maint/shadow/commit/117bc66c6f95fa85ca75ecfdb8fbd3615deca0b6
  3. From 117bc66c6f95fa85ca75ecfdb8fbd3615deca0b6 Mon Sep 17 00:00:00 2001
  4. From: Michael Vetter <jubalh@iodoru.org>
  5. Date: Mon, 20 Sep 2021 11:04:50 +0200
  6. Subject: [PATCH] Only free sgent if it was initialized
  8. `sgent` is only initialized in `get_group()` if `is_shadowgrp` is true.
  9. So we should also only attempt to free it if this is actually the case.
  11. Can otherwise lead to:
  12. ```
  13. free() double free detected in tcache 2 (gpasswd)
  14. ```
  15. --- a/src/gpasswd.c
  16. +++ b/src/gpasswd.c
  17. @@ -1207,11 +1207,13 @@ int main (int argc, char **argv)
  18.  	sssd_flush_cache (SSSD_DB_GROUP);
  19.  
  20.  #ifdef SHADOWGRP
  21. -	if (sgent.sg_adm) {
  22. -		xfree(sgent.sg_adm);
  23. -	}
  24. -	if (sgent.sg_mem) {
  25. -		xfree(sgent.sg_mem);
  26. +	if (is_shadowgrp) {
  27. +		if (sgent.sg_adm) {
  28. +			xfree(sgent.sg_adm);
  29. +		}
  30. +		if (sgent.sg_mem) {
  31. +			xfree(sgent.sg_mem);
  32. +		}
  33.  	}
  34.  #endif
  35.  	if (grent.gr_mem) {