git: a4d36c975be0 - releng/15.1 - linux: Correct the issetugid check in copyout_auxargs
Date: Tue, 09 Jun 2026 19:20:11 UTC
The branch releng/15.1 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=a4d36c975be0c066979471e5f8a6c729757ad0b0
commit a4d36c975be0c066979471e5f8a6c729757ad0b0
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-05-29 21:41:35 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-06-09 02:59:54 +0000
linux: Correct the issetugid check in copyout_auxargs
The runtime linker in glibc relies on the AT_SECURE auxv entry to know
whether the executable is set-ugid; if so, various dangerous
functionality such as LD_PRELOAD is disabled.
The check added in commit 669414e4fb74 failed to take into account the
fact that during execve, P_SUGID may not yet be set for a set-ugid
process. Correct the test.
Approved by: re (cperciva)
Approved by: so
Security: FreeBSD-SA-26:30.linux
Security: CVE-2026-49413
Reported by: Minseong Kim
Fixes: 669414e4fb74 ("Implement AT_SECURE properly.")
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57350
---
sys/compat/linux/linux_elf.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/sys/compat/linux/linux_elf.c b/sys/compat/linux/linux_elf.c
index c9eb6aea8373..6c9f785c97e7 100644
--- a/sys/compat/linux/linux_elf.c
+++ b/sys/compat/linux/linux_elf.c
@@ -492,11 +492,9 @@ __linuxN(copyout_auxargs)(struct image_params *imgp, uintptr_t base)
struct thread *td = curthread;
Elf_Auxargs *args;
Elf_Auxinfo *aarray, *pos;
- struct proc *p;
int error, issetugid;
- p = imgp->proc;
- issetugid = p->p_flag & P_SUGID ? 1 : 0;
+ issetugid = imgp->credential_setid ? 1 : 0;
args = imgp->auxargs;
aarray = pos = malloc(LINUX_AT_COUNT * sizeof(*pos), M_TEMP,
M_WAITOK | M_ZERO);
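Review bot: The new assignment `issetugid = imgp->credential_setid ? 1 : 0;` carries no comment saying why `P_SUGID` is not consulted here, so the reasoning lives only in the commit message (the flag may not yet be set for a set-ugid process during execve). A short comment above the assignment would keep a later cleanup from restoring the `p->p_flag & P_SUGID` test, which reads as equivalent to anyone who does not know the ordering inside execve. Per the commit message this value is what glibc's runtime linker sees as AT_SECURE, so a regression test that executes a set-ugid Linux binary and checks the auxv entry would be worth landing with the fix.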