From db25d975c804bbe5b86cb61b77723e040331bd16 Mon Sep 17 00:00:00 2001
From: Shaleen Bathla
Date: Mon, 4 Mar 2024 12:53:44 +0530
Subject: pam_limits: fix potential use-after-free of pl->conf_file
When limits.d is processed, pl->conf_file consequently points to elements of filename_list array which are freed later even though it can still be used in the logging.
Signed-off-by: Shaleen Bathla
Co-authored-by: Dmitry V. Levin
Fixes: f6b973b92281 ("Add support for limits.d directory to pam_limits")
---
 modules/pam_limits/pam_limits.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
(limited to 'modules')
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
index 59cd1f3c..51276265 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
@@ -1255,6 +1255,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
 int ctrl;
 struct pam_limit_s plstruct;
 struct pam_limit_s *pl = &plstruct;
+ char *free_filename = NULL;
 D(("called."));
@@ -1315,13 +1316,18 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
 if (retval != PAM_SUCCESS) break;
 }
- for (i = 0; filename_list[i] != NULL; i++)
- free(filename_list[i]);
+ for (i = 0; filename_list[i] != NULL; i++) {
+ if (filename_list[i] == pl->conf_file)
+ free_filename = filename_list[i];
+ else
+ free(filename_list[i]);
+ }
 free(filename_list);
 }
 if (retval == PAM_IGNORE) {
 D(("the configuration file ('%s') has an applicable ' -' entry", pl->conf_file));
+ free(free_filename);
 free(pl->login_group);
 return PAM_SUCCESS;
 }
@@ -1330,11 +1336,13 @@ out:
 if (retval != PAM_SUCCESS) {
 pam_syslog(pamh, LOG_ERR, "error parsing the configuration file: '%s' ", pl->conf_file);
+ free(free_filename);
 free(pl->login_group);
 return retval;
 }
 retval = setup_limits(pamh, pwd->pw_name, pwd->pw_uid, ctrl, pl);
+ free(free_filename);
 free(pl->login_group);
 if (retval & LOGIN_ERR) pam_error(pamh, _("There were too many logins for '%s'."),
-- cgit v1.2.3
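Review bot: After the last added `free(free_filename);` (the one following `setup_limits(...)` in the third hunk), `pl->conf_file` still holds the freed address while the function continues past the end of the hunk, so any later read of that field would bring back the use-after-free this commit fixes. Whether later code reads it is not visible here, but clearing the alias at that point, `free(free_filename); pl->conf_file = NULL;`, would make the lifetime explicit. The deferred free is also repeated by hand on three exit paths next to `free(pl->login_group)`, so a future early return could miss it. A comment on the loop in the second hunk would help, for example `/* pl->conf_file may alias this entry and is still logged below; it is released via free_filename on every exit path */`. pam_sm_open_session starts and ends outside these hunks.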