From 2d7f9507e25cb165331fb5cefcc5a27dc9fe0fbe Mon Sep 17 00:00:00 2001
From: millert
Date: Thu, 27 Feb 2025 01:32:55 +0000
Subject: [PATCH] moduser: fix use-after-free when locking/unlocking an account. The pw_tmp and shell_tmp variables are used to store updated versions of pwp->pw_passwd and pwp->pw_shell when locking and unlocking an account. The syslog() calls at the end of the function may use pwp->pw_shell (which can point to shell_tmp) so we must wait until after the logging to free the temporary variables. From Matthew Martin.
---
 usr.sbin/user/user.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/usr.sbin/user/user.c b/usr.sbin/user/user.c
index 01b6faf511d..b1bea3876cb 100644
--- a/usr.sbin/user/user.c
+++ b/usr.sbin/user/user.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: user.c,v 1.131 2023/05/18 18:29:28 millert Exp $ */
+/* $OpenBSD: user.c,v 1.132 2025/02/27 01:32:55 millert Exp $ */
 /* $NetBSD: user.c,v 1.69 2003/04/14 17:40:07 agc Exp $ */
 /*
@@ -1763,8 +1763,6 @@ moduser(char *login_name, char *newlogin, user_t *up)
 }
 fclose(master);
 close(ptmpfd);
- free(pw_tmp);
- free(shell_tmp);
 if (up != NULL && strcmp(login_name, newlogin) == 0)
 rval = pw_mkdb(login_name, 0);
 else
@@ -1782,6 +1780,8 @@ moduser(char *login_name, char *newlogin, user_t *up)
 syslog(LOG_INFO, "user information modified: name=%s, new name=%s, uid=%u, gid=%u, home=%s, shell=%s", login_name, newlogin, pwp->pw_uid, pwp->pw_gid, pwp->pw_dir, pwp->pw_shell);
 }
+ free(pw_tmp);
+ free(shell_tmp);
 return 1;
 }
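Review bot: The two `free()` calls added before `return 1;` in the last hunk have no comment explaining why they must stay after the syslog() calls, so the ordering constraint is recorded only in the commit message. Since the description says `pwp->pw_passwd` and `pwp->pw_shell` can point at `pw_tmp` and `shell_tmp`, I would add `/* pwp->pw_passwd and pwp->pw_shell may alias pw_tmp/shell_tmp; free only after the last use of pwp */` directly above them, so a later cleanup does not move the frees back up. The lines between the second and third hunks are not visible here; if any path there returns early, it would now skip both frees, which is worth confirming. moduser's body starts outside the hunk.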