[Pkg-shadow-devel] [pkg-shadow-Bugs][313957] segfault due to free() on a not malloc()ed var in su.c

pkg-shadow-bugs at alioth.debian.org
Tue Jan 8 15:23:12 UTC 2013


pkg-shadow-Bugs item #313957, was opened at 08.01.2013 15:23 by mark mayer
You can respond by visiting: 
https://alioth.debian.org/tracker/?func=detail&atid=411478&aid=313957&group_id=30580

Status: Open
Priority: 3
Submitted By: mark mayer (fly_a320-guest)
Assigned to: Nobody (None)
Summary: segfault due to free() on a not malloc()ed var in su.c 
Category: None
Group: None
Resolution: None


Initial Comment:
When two prerequisites are given, su segfaults due to invalid use of free() in su.c:

1) The user's home directory does not exist. In that case, in setupenv.c:220, static char temp_pw_dir[]="/"
    is used as the default. The pointer info->pw_dir then points to that variable.

2) The user to su to has no right to execute his shell. In that case, after trying execve, su tries to
    free() the struct passwd *pw in su.c:1170.

This leads to a segfault.

 su - ntp
No directory, logging in with HOME=/
Cannot execute /sbin/nologin: Permission denied
*** glibc detected *** su: munmap_chunk(): invalid pointer: 0xb779a0d0 ***
======= Backtrace: =========
/lib/libc.so.6(+0x7058f)[0xb760858f]
/lib/libc.so.6(+0x7067b)[0xb760867b]
su(+0xa1e9)[0xb77971e9]
/lib/libc.so.6(__libc_start_main+0xe7)[0xb75af257]
su(+0x20d1)[0xb778f0d1]

cat /etc/passwd | grep ntp
ntp:x:55:55:openNTP Daemon:/var/lib/ntpd:/sbin/nologin

ll /sbin/nologin 
-rwx--x--- 1 root root 7.2K Sep  1 10:26 /sbin/nologin

Possible fix:

diff -Naur shadow-4.1.5.1/libmisc/setupenv.c{-orig,} 
--- shadow-4.1.5.1/libmisc/setupenv.c-orig      2013-01-08 15:33:41.363955218 +0100
+++ shadow-4.1.5.1/libmisc/setupenv.c   2013-01-08 16:21:21.543880245 +0100
@@ -216,7 +216,9 @@
         */
 
        if (chdir (info->pw_dir) == -1) {
-               static char temp_pw_dir[] = "/";
+               char *temp_pw_dir;
+               temp_pw_dir=xmalloc(5);
+               strncpy(temp_pw_dir, "/", 4);
 
                if (!getdef_bool ("DEFAULT_HOME") || chdir ("/") == -1) {
                        fprintf (stderr, _("Unable to cd to '%s'\n"),
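
Review bot: The allocation at `temp_pw_dir=xmalloc(5);` sits at the top of the `chdir (info->pw_dir) == -1` branch, before the `DEFAULT_HOME` / `chdir ("/")` check, so the buffer is allocated even on the path that only prints "Unable to cd to" and never uses the fallback. Move it to the point where the fallback is actually stored in info->pw_dir. The sizes 5 and 4 are magic numbers for a two-byte string; a single duplicate of the literal (the tree's xstrdup helper, or xmalloc (sizeof "/") plus strcpy) says the same thing without them. The lines shown also do not tell whether the previous info->pw_dir value is released when the pointer is replaced; if the struct owns that string, free it at the assignment, otherwise this trades the invalid free() for a leak. A short comment that pw_dir must always be heap-allocated because su.c frees the struct would keep a static from being reintroduced later.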


----------------------------------------------------------------------
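
The ownership rule behind this report, as an added example that is not part of the original report or of the shadow source: every string reachable from the struct is heap-allocated, so the cleanup path can free() it unconditionally. `struct user_info`, `dup_or_die`, `enter_home_or_root`, `user_info_free` and the sample path are hypothetical names constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical stand-in for struct passwd: only the field the report discusses. */
struct user_info { char *pw_dir; };

/* Heap-duplicate a string or abort, in the style of an xmalloc-type helper. */
static char *dup_or_die(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (p == NULL) { perror("malloc"); exit(EXIT_FAILURE); }
    strcpy(p, s);
    return p;
}

struct user_info *user_info_new(const char *home) {
    struct user_info *u = malloc(sizeof *u);
    if (u == NULL) { perror("malloc"); exit(EXIT_FAILURE); }
    u->pw_dir = dup_or_die(home);      /* the struct owns this copy */
    return u;
}

/* Enter the home directory, falling back to "/".
 * Returns 0 if home was entered, 1 if the fallback was used, -1 if both failed. */
int enter_home_or_root(struct user_info *u) {
    if (chdir(u->pw_dir) == 0)
        return 0;
    if (chdir("/") == -1)
        return -1;                     /* nothing allocated on the failure path */
    char *fallback = dup_or_die("/");  /* heap copy, never a static array */
    free(u->pw_dir);                   /* release the string being replaced */
    u->pw_dir = fallback;
    return 1;
}

/* Safe on every path because pw_dir always came from malloc(). */
void user_info_free(struct user_info *u) {
    if (u == NULL) return;
    free(u->pw_dir);
    free(u);
}

int main(void) {
    struct user_info *u = user_info_new("/nonexistent/constructed-home"); /* constructed path */
    int rc = enter_home_or_root(u);
    printf("rc=%d HOME=%s\n", rc, u->pw_dir);
    user_info_free(u);
    return 0;
}
```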
