
From:
Matthew Martin <phy1729@gmail.com>
Subject:
usermod: fix use after free
To:
tech@openbsd.org
Date:
Wed, 26 Feb 2025 17:10:33 -0600


pwp->pw_shell may be backed by the same allocation as shell_tmp (cf.
lines 1560 and 1604), so the free needs to happen after the syslog calls
which use pwp->pw_shell.

diff --git user.c user.c
index 01b6faf511d..aa03df3b1c2 100644
--- user.c
+++ user.c
@@ -1763,8 +1763,6 @@ moduser(char *login_name, char *newlogin, user_t *up)
 	}
 	fclose(master);
 	close(ptmpfd);
-	free(pw_tmp);
-	free(shell_tmp);
 	if (up != NULL && strcmp(login_name, newlogin) == 0)
 		rval = pw_mkdb(login_name, 0);
 	else
@@ -1782,6 +1780,8 @@ moduser(char *login_name, char *newlogin, user_t *up)
 		syslog(LOG_INFO, "user information modified: name=%s, new name=%s, uid=%u, gid=%u, home=%s, shell=%s",
 			login_name, newlogin, pwp->pw_uid, pwp->pw_gid, pwp->pw_dir, pwp->pw_shell);
 	}
+	free(pw_tmp);
+	free(shell_tmp);
 	return 1;
 }
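Review bot: Placing the two `free()` calls immediately before `return 1;` means any return that sits between the two hunks — the code after `rval = pw_mkdb(...)` and before the `syslog` block is not shown — would now leak `pw_tmp` and `shell_tmp` on that path, where the first hunk previously released them unconditionally. If there is an early `return 0;` on `rval == -1` (I cannot see it from here), it needs its own `free(pw_tmp); free(shell_tmp);` or the function wants a single cleanup label that every exit jumps to. This is a leak on an error path in a short-lived process, so it is minor next to the use-after-free being fixed, but it is worth closing in the same change. The enclosing `moduser` body starts well before the first hunk.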