From 613a8053dbc3ab43cf0cdaf09f207ffdb0b40e08 Mon Sep 17 00:00:00 2001

From: Radovan Sroka <rsroka@redhat.com>

Date: Wed, 7 Apr 2021 14:43:40 +0200

Subject: [PATCH] Fixed bad condition for sesh args

In selinux_edit_copy_tfiles() when there is only one file and the open()

fails then number of arguments is lower than expected.

Sudo should return error with or without "Defaults !sudoedit_checkdir" set.

This was found with regression testing of CVE-2021-23240.

Signed-off-by: Radovan Sroka <rsroka@redhat.com>

---

 src/sudo_edit.c | 10 ++++++++--

 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/sudo_edit.c b/src/sudo_edit.c

index 41fc61c3a..15c75d8c4 100644

--- a/src/sudo_edit.c

+++ b/src/sudo_edit.c

@@ -529,6 +529,8 @@ selinux_edit_copy_tfiles(struct command_details *command_details,

     if (nfiles < 1)

 	debug_return_int(0);

+    const int check_dir = ISSET(command_details->flags, CD_SUDOEDIT_CHECKDIR);

+

     /* Construct common args for sesh */

     sesh_nargs = 5 + (nfiles * 2) + 1;

     sesh_args = sesh_ap = reallocarray(NULL, sesh_nargs, sizeof(char *));

@@ -538,7 +540,7 @@ selinux_edit_copy_tfiles(struct command_details *command_details,

     }

     *sesh_ap++ = "sesh";

     *sesh_ap++ = "-e";

-    if (ISSET(command_details->flags, CD_SUDOEDIT_CHECKDIR)) {

+    if (check_dir) {

 	if ((user_str = selinux_fmt_sudo_user()) == NULL) {

 	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));

 	    goto done;

@@ -581,7 +583,11 @@ selinux_edit_copy_tfiles(struct command_details *command_details,

     if (tfd != -1)

 	close(tfd);

-    if (sesh_ap - sesh_args > 3) {

+    /*

+     * check dir adds two more args to the array

+     */

+    if ((!check_dir && sesh_ap - sesh_args > 3)

+        || (check_dir && sesh_ap - sesh_args > 5)) {

 	/* Run sesh -e 1 <t1> <o1> ... <tn> <on> */

 	error = selinux_run_helper(command_details->cred.uid, command_details->cred.gid,

 	    command_details->cred.ngroups, command_details->cred.groups, sesh_args,