From 917c8b5d3450870b4f25fd4a5a5198faa9de9aeb Mon Sep 17 00:00:00 2001 From: "Andrew G. Morgan" Date: Wed, 3 May 2023 20:12:52 -0700 Subject: [PATCH] There was a small memory leak in pam_cap.so when libpam returned an error. The function pam_set_data() takes ownership of a memory pointer if the call succeeds, but does not take that ownership if the function fails. Previously, the failure caused no deferred capability setting and a return code PAM_IGNORE. It continues to do that in this case, but no longer leaks the allocated iab memory. This bug was introduced with deferred IAB capability setting support in libcap-2.58. Credit for finding this bug in pam_cap.so goes to X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security audit of the libcap source code in April of 2023. The audit was sponsored by the Open Source Technology Improvement Fund (https://ostif.org/). Audit ref: LCAP-CR-23-100 Signed-off-by: Andrew G. Morgan --- pam_cap/pam_cap.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c index 7e8cade..91278dc 100644 --- a/pam_cap/pam_cap.c +++ b/pam_cap/pam_cap.c @@ -290,7 +290,12 @@ static int set_capabilities(struct pam_cap_s *cs) if (cs->defer) { D(("configured to delay applying IAB")); - pam_set_data(cs->pamh, "pam_cap_iab", iab, iab_apply); + int ret = pam_set_data(cs->pamh, "pam_cap_iab", iab, iab_apply); + if (ret != PAM_SUCCESS) { + D(("unable to cache capabilities for delayed setting: %d", ret)); + /* since ok=0, the module will return PAM_IGNORE */ + cap_free(iab); + } iab = NULL; } else if (!cap_iab_set_proc(iab)) { D(("able to set the IAB [%s] value", conf_caps)); -- 2.27.0
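
Review bot: In the new `ret != PAM_SUCCESS` branch of set_capabilities(), the failure is reported only through D(()) and, per the added comment, the module then returns PAM_IGNORE. A PAM stack that continues past this module therefore opens the session without the configured IAB, and if D(()) is a debug-only macro nothing is logged in a normal build. Consider emitting a pam_syslog() message at this point so an administrator can see that the deferred capabilities were not applied, and state in the comment why PAM_IGNORE rather than an error return is the intended result when the IAB was meant to restrict the session. The cap_free(iab) followed by the existing `iab = NULL;` is correct on both paths, since ownership passes to libpam only when pam_set_data() succeeds. Minor style point: `int ret` is declared after the D(()) statement; move the declaration to the top of the `if (cs->defer)` block if the project still supports pre-C99 compilers.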