[Pkg-shadow-devel] [pkg-shadow-Bugs][313940] uninitialised memory in merge_group_entries causes segfault in useradd
pkg-shadow-bugs at alioth.debian.org
Tue Dec 25 21:22:21 UTC 2012
pkg-shadow-Bugs item #313940, was opened at 2012-12-26 07:22 by Brad Hubbard
You can respond by visiting:
https://alioth.debian.org/tracker/?func=detail&atid=411478&aid=313940&group_id=30580
Status: Open
Priority: 3
Submitted By: Brad Hubbard (badone-guest)
Assigned to: Nobody (None)
Summary: uninitialised memory in merge_group_entries causes segfault in useradd
Category: None
Group: None
Resolution: None
Initial Comment:
We encountered the following segfault in useradd.
Core was generated by `useradd -u xxxx -g xxx -G zzzzz -d /aaa/bbb/ccc/ddd/zzzz -m -s /bin/bash -'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007f8f7503a2d6 in __strcmp_sse42 () from /lib64/libc.so.6
(gdb) bt
#0 0x00007f8f7503a2d6 in __strcmp_sse42 () from /lib64/libc.so.6
#1 0x00007f8f75b187d7 in merge_group_entries () at groupio.c:352
#2 group_open_hook () at groupio.c:262
#3 0x00007f8f75b1a944 in commonio_open (db=0x7f8f75d22840, mode=<value optimized out>) at commonio.c:646
#4 0x00007f8f75b11057 in open_files () at useradd.c:1456
#5 0x00007f8f75b138eb in main (argc=<value optimized out>, argv=<value optimized out>) at useradd.c:1938
It appears the following loop relies on the memory returned by the malloc call being initialized to zero in order to break out of the loop, but of course that is not always the case. I've attached a simple patch changing the call to calloc.
339     new_members = (char **)malloc ( (members+1) * sizeof(char*) );
340     if (NULL == new_members) {
341         free (new_line);
342         errno = ENOMEM;
343         return NULL;
344     }
345     for (i=0; NULL != gptr1->gr_mem[i]; i++) {
346         new_members[i] = gptr1->gr_mem[i];
347     }
348     members = i;
349     for (i=0; NULL != gptr2->gr_mem[i]; i++) {
350         char **pmember = new_members;
351         while (NULL != *pmember) {
352             if (0 == strcmp(*pmember, gptr2->gr_mem[i])) {   <--------- SEGFAULT
353                 break;
354             }
This can be simulated by adding a memset to "dirty" the memory under the malloc call.
----------------------------------------------------------------------
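Added example (not shadow's code and not the reporter's patch): a stand-alone merge of two NULL-terminated member lists in the shape of the loop quoted above. The reporter's observation is that the inner `while (NULL != *pmember)` scan reads `new_members[members]` before anything has been written there, so it only terminates if malloc happened to hand back zeroed memory. The version below writes the terminator explicitly before the dedup scan and after every append, so it stays correct even when the allocator is deliberately "dirtied" the way the reporter suggests with memset. The names `merge_members`, `dirty_malloc`, `count_members` and `demo_merge_ok`, and the sample group member lists, are assumptions constructed for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Number of entries before the terminating NULL. */
static size_t count_members(char *const *mem)
{
    size_t n = 0;
    while (mem[n] != NULL) {
        n++;
    }
    return n;
}

/* Hypothetical allocator that fills the block with 0xAA, reproducing the
 * reporter's trick of "dirtying" malloc memory so that any code that relies
 * on it being zeroed fails deterministically instead of by chance. */
static void *dirty_malloc(size_t size)
{
    void *p = malloc(size);
    if (p != NULL) {
        memset(p, 0xAA, size);
    }
    return p;
}

/* Merge mem1 and mem2 into a freshly allocated NULL-terminated array of the
 * same (not copied) string pointers, skipping names already present.
 * Returns NULL with errno = ENOMEM on allocation failure. */
char **merge_members(char *const *mem1, char *const *mem2)
{
    size_t n1 = count_members(mem1);
    size_t n2 = count_members(mem2);
    /* +1 slot for the terminating NULL. calloc would zero this too, but the
     * explicit stores below make the invariant independent of the allocator. */
    char **out = dirty_malloc((n1 + n2 + 1) * sizeof(char *));
    if (out == NULL) {
        errno = ENOMEM;
        return NULL;
    }

    size_t n = 0;
    for (size_t i = 0; i < n1; i++) {
        out[n++] = mem1[i];
    }
    out[n] = NULL; /* terminator is in place BEFORE the scan below reads it */

    for (size_t i = 0; i < n2; i++) {
        char **p = out;
        while (*p != NULL && strcmp(*p, mem2[i]) != 0) {
            p++; /* stops at the NULL we wrote, never at 0xAA garbage */
        }
        if (*p == NULL) {
            out[n++] = mem2[i];
            out[n] = NULL; /* keep the array terminated after every append */
        }
    }
    return out;
}

/* Constructed demo: two overlapping member lists as they might come from two
 * entries for the same group. Returns 1 when the merged, deduplicated list is
 * exactly {"alice", "bob", "carol"} and 0 otherwise. */
int demo_merge_ok(void)
{
    char *group_a[] = {"alice", "bob", NULL};
    char *group_b[] = {"bob", "carol", NULL};
    const char *expected[] = {"alice", "bob", "carol"};

    char **merged = merge_members(group_a, group_b);
    if (merged == NULL) {
        return 0;
    }
    int ok = count_members(merged) == 3;
    for (size_t i = 0; ok && i < 3; i++) {
        ok = strcmp(merged[i], expected[i]) == 0;
    }
    free(merged); /* the strings themselves are not owned by the array */
    return ok;
}

int main(void)
{
    printf("merge with dirty allocator: %s\n", demo_merge_ok() ? "ok" : "FAILED");
    return demo_merge_ok() ? 0 : 1;
}
```

Running the same scan against a block returned by `dirty_malloc` without the explicit `out[n] = NULL` is exactly the reporter's crash: `strcmp` dereferences 0xAAAAAAAAAAAAAAAA and faults, which is what the backtrace above shows at groupio.c:352.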