git: 3fe092282025 - releng/14.4 - linux: Correct the issetugid check in copyout_auxargs
Date: Tue, 09 Jun 2026 19:19:11 UTC
The branch releng/14.4 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=3fe092282025d45218605b950f03780f32df6f48
commit 3fe092282025d45218605b950f03780f32df6f48
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-05-29 21:41:35 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-06-08 13:21:34 +0000
linux: Correct the issetugid check in copyout_auxargs
The runtime linker in glibc relies on the AT_SECURE auxv entry to know
whether the executable is set-ugid; if so, various dangerous
functionality such as LD_PRELOAD is disabled.
The check added in commit 669414e4fb74 failed to take into account the
fact that during execve, P_SUGID may not yet be set for a set-ugid
process. Correct the test.
Approved by: so
Security: FreeBSD-SA-26:30.linux
Security: CVE-2026-49413
Reported by: Minseong Kim
Fixes: 669414e4fb74 ("Implement AT_SECURE properly.")
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57350
---
sys/compat/linux/linux_elf.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/sys/compat/linux/linux_elf.c b/sys/compat/linux/linux_elf.c
index c9eb6aea8373..6c9f785c97e7 100644
--- a/sys/compat/linux/linux_elf.c
+++ b/sys/compat/linux/linux_elf.c
@@ -492,11 +492,9 @@ __linuxN(copyout_auxargs)(struct image_params *imgp, uintptr_t base)
struct thread *td = curthread;
Elf_Auxargs *args;
Elf_Auxinfo *aarray, *pos;
- struct proc *p;
int error, issetugid;
- p = imgp->proc;
- issetugid = p->p_flag & P_SUGID ? 1 : 0;
+ issetugid = imgp->credential_setid ? 1 : 0;
args = imgp->auxargs;
aarray = pos = malloc(LINUX_AT_COUNT * sizeof(*pos), M_TEMP,
M_WAITOK | M_ZERO);
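Review bot: The new assignment `issetugid = imgp->credential_setid ? 1 : 0;` carries no comment saying why the process flag is not consulted here, and it drops the `p->p_flag & P_SUGID` test entirely rather than supplementing it. Please add a short comment above the assignment noting that P_SUGID may not yet be set at this point in execve, so a later cleanup does not switch back to the flag. Also confirm the case where the process already has P_SUGID set on entry but `credential_setid` is false for the new image: the old test reported 1 there and the new one reports 0. If that case is reachable and should still yield AT_SECURE, OR-ing the two conditions would cover both.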