linux: Correct the issetugid check in copyout_auxargs

The runtime linker in glibc relies on the AT_SECURE auxv entry to know
whether the executable is set-ugid; if so, various dangerous
functionality such as LD_PRELOAD is disabled.

The check added in commit 669414e4fb failed to take into account the
fact that during execve, P_SUGID may not yet be set for a set-ugid
process.  Correct the test.

Approved by:	so
Security:	FreeBSD-SA-26:30.linux
Security:	CVE-2026-49413
Reported by:	Minseong Kim
Fixes:		669414e4fb ("Implement AT_SECURE properly.")
Reviewed by:	kib
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D57350
Mark Johnston
2026-05-29 21:41:35 +00:00
parent 1bac7df1ba
commit d39be1b1b5
+1 -3
@@ -492,11 +492,9 @@ __linuxN(copyout_auxargs)(struct image_params *imgp, uintptr_t base)
struct thread *td = curthread;
Elf_Auxargs *args;
Elf_Auxinfo *aarray, *pos;
struct proc *p;
int error, issetugid;
p = imgp->proc;
issetugid = p->p_flag & P_SUGID ? 1 : 0;
issetugid = imgp->credential_setid ? 1 : 0;
args = imgp->auxargs;
aarray = pos = malloc(LINUX_AT_COUNT * sizeof(*pos), M_TEMP,
M_WAITOK | M_ZERO);
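Review bot: The assignment `issetugid = imgp->credential_setid ? 1 : 0;` carries no comment explaining why the image parameter is consulted instead of the process flag, so the reasoning lives only in the commit message. A short comment above it, noting that P_SUGID may not yet be set at this point in execve, would keep a later cleanup from reverting to the `p->p_flag & P_SUGID` test. Also worth confirming in review: the flag test is dropped entirely rather than combined with the new one, so a process that already had P_SUGID set before this execve is now judged only by `imgp->credential_setid`. If that case should still report AT_SECURE, the two conditions could be ORed; if not, the comment should say so.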