[Pkg-shadow-devel] Bug#691459: Invalid free() in su

Philipp Kern pkern at debian.org
Thu Oct 25 21:04:58 UTC 2012


Package: login
Version: 1:4.1.5.1-1
Severity: important

setup_env in ./libmisc/setupenv.c sets info->pw_dir to a pointer to a
static buffer: temp_pw_dir as defined in that very function. This
happens when pw_dir as found in the passwd entry is not accessible to
the application (in my case `su').

Now this pointer points into static memory, not the heap. main calls
pw_free before it finishes (src/su.c:1214). pw_free calls free upon
that very pw_dir set above. Because that pointer is not pointing into
heap space, glibc complains and kills the program.

# su - pkern
No directory, logging in with HOME=/
Cannot execute /bin/zsh: No such file or directory
*** glibc detected *** su: free(): invalid pointer: 0x000000008000d488

==11211== Invalid free() / delete / delete[] / realloc()
==11211==    at 0x40325D2: free (in /usr/lib/valgrind/vgpreload_memcheck-s390x-linux.so)
==11211==    by 0x800096D9: pw_free (pwmem.c:100)
==11211==    by 0x80006311: main (su.c:1214)
==11211==  Address 0x8000d488 is 0 bytes inside data symbol "temp_pw_dir.5460"

I think it should do a strdup in setup_env instead of just assigning
that string to the entry.

Kind regards
Philipp Kern