The branch releng/15.0 has been updated by cperciva: URL: https://cgit.FreeBSD.org/src/commit/?id=c3a27fa0662724477239157a5a19e673798eabfe
commit c3a27fa0662724477239157a5a19e673798eabfe Author: Olivier Certner <[email protected]> AuthorDate: 2025-10-29 16:46:39 +0000 Commit: Colin Percival <[email protected]> CommitDate: 2025-11-06 23:11:08 +0000 kern: Fix credentials leaks on RACCT but no RCTL Affected system calls: setuid(), setreuid(), setresuid(), jail_attach(), setloginclass(). In these system calls, the crhold() calls that, on RACCT, make the just-installed process credentials survive a concurrent change of the same credentials just after PROC_UNLOCK() were not matched by a corresponding crfree() when RCTL is off. In fact, in that latter case, they are simply not necessary, so wrap them with '#ifdef RCTL' stances. 'kern_rctl.c' causes a compile error if RACCT is not defined but RCTL is, so ease reading by not nesting '#ifdef's. Approved by: re (cperciva) MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D53456 (cherry picked from commit f4315ff8b3fee71eb0098864a84618f2f8ba85d5) (cherry picked from commit 4db768b01cd78666949bbd67ba611e9e47ed710d) --- sys/kern/kern_jail.c | 2 ++ sys/kern/kern_loginclass.c | 2 ++ sys/kern/kern_prot.c | 6 ++++++ 3 files changed, 10 insertions(+)
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 267b60ffb5bc..523b7e314a10 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -3047,6 +3047,8 @@ do_jail_attach(struct thread *td, struct prison *pr, int drflags)
 setsugid(p);
 #ifdef RACCT
 racct_proc_ucred_changed(p, oldcred, newcred);
+#endif
+#ifdef RCTL
 crhold(newcred);
 #endif
 PROC_UNLOCK(p);
diff --git a/sys/kern/kern_loginclass.c b/sys/kern/kern_loginclass.c
index 55db6c28a1db..0c111c4f78d8 100644
--- a/sys/kern/kern_loginclass.c
+++ b/sys/kern/kern_loginclass.c
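Review bot: The `crhold(newcred)` now guarded by `#ifdef RCTL` in do_jail_attach() carries no comment naming the release that balances it, and that release lies after `PROC_UNLOCK(p)`, outside this hunk. The hold/free pairing this commit repairs therefore still has to be checked by eye across two separate preprocessor blocks. A comment at the hold would make the invariant auditable, for example `/* Keep newcred alive across PROC_UNLOCK() for the RCTL code below; dropped by crfree() in the matching #ifdef RCTL block. */`. The same applies to the identical hunks in sys_setloginclass(), sys_setuid(), sys_setreuid() and sys_setresuid(). Since the defect was one guard mismatch copied to five call sites, it is also worth confirming that every post-unlock `crfree(newcred)` sits under exactly `#ifdef RCTL`, so a future guard change cannot reintroduce the credential reference leak.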
@@ -225,6 +225,8 @@ sys_setloginclass(struct thread *td, struct setloginclass_args *uap)
 proc_set_cred(p, newcred);
 #ifdef RACCT
 racct_proc_ucred_changed(p, oldcred, newcred);
+#endif
+#ifdef RCTL
 crhold(newcred);
 #endif
 PROC_UNLOCK(p);
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index a4c5bcc52529..df725cfebd97 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -982,6 +982,8 @@ sys_setuid(struct thread *td, struct setuid_args *uap)
 proc_set_cred(p, newcred);
 #ifdef RACCT
 racct_proc_ucred_changed(p, oldcred, newcred);
+#endif
+#ifdef RCTL
 crhold(newcred);
 #endif
 PROC_UNLOCK(p);
@@ -1390,6 +1392,8 @@ sys_setreuid(struct thread *td, struct setreuid_args *uap)
 proc_set_cred(p, newcred);
 #ifdef RACCT
 racct_proc_ucred_changed(p, oldcred, newcred);
+#endif
+#ifdef RCTL
 crhold(newcred);
 #endif
 PROC_UNLOCK(p);
@@ -1536,6 +1540,8 @@ sys_setresuid(struct thread *td, struct setresuid_args *uap)
 proc_set_cred(p, newcred);
 #ifdef RACCT
 racct_proc_ucred_changed(p, oldcred, newcred);
+#endif
+#ifdef RCTL
 crhold(newcred);
 #endif
 PROC_UNLOCK(p);
