[Pkg-shadow-devel] [pkg-shadow-Bugs][313957] segfault due to free() on a not malloc()ed var in su.c
pkg-shadow-bugs at alioth.debian.org
Mon Jul 29 07:58:32 UTC 2013
pkg-shadow-Bugs item #313957 was changed at 2013-07-29 09:58 by Christian Perrier
You can respond by visiting:
https://alioth.debian.org/tracker/?func=detail&atid=411478&aid=313957&group_id=30580
Status: Open
Priority: 3
Submitted By: mark mayer (fly_a320-guest)
Assigned to: Nobody (None)
Summary: segfault due to free() on a not malloc()ed var in su.c
Category: None
Group: None
Resolution: None
Initial Comment:
When two prerequisites are given, su segfaults due to an invalid use of free() in su.c:
1) The user's home directory does not exist. In that case, in setupenv.c:220, static char temp_pw_dir[] = "/"
is used as the default; the pointer info->pw_dir then points to that variable.
2) The user being su'd to has no right to execute his shell. In that case, after trying execve, the struct passwd
*pw is passed to free() in su.c:1170.
This leads to a segfault.
su - ntp
No directory, logging in with HOME=/
Cannot execute /sbin/nologin: Permission denied
*** glibc detected *** su: munmap_chunk(): invalid pointer: 0xb779a0d0 ***
======= Backtrace: =========
/lib/libc.so.6(+0x7058f)[0xb760858f]
/lib/libc.so.6(+0x7067b)[0xb760867b]
su(+0xa1e9)[0xb77971e9]
/lib/libc.so.6(__libc_start_main+0xe7)[0xb75af257]
su(+0x20d1)[0xb778f0d1]
cat /etc/passwd | grep ntp
ntp:x:55:55:openNTP Daemon:/var/lib/ntpd:/sbin/nologin
ll /sbin/nologin
-rwx--x--- 1 root root 7.2K Sep 1 10:26 /sbin/nologin
Possible fix:
diff -Naur shadow-4.1.5.1/libmisc/setupenv.c{-orig,}
--- shadow-4.1.5.1/libmisc/setupenv.c-orig 2013-01-08 15:33:41.363955218 +0100
+++ shadow-4.1.5.1/libmisc/setupenv.c 2013-01-08 16:21:21.543880245 +0100
@@ -216,7 +216,9 @@
*/
if (chdir (info->pw_dir) == -1) {
- static char temp_pw_dir[] = "/";
+ char *temp_pw_dir;
+ temp_pw_dir=xmalloc(5);
+ strncpy(temp_pw_dir, "/", 4);
if (!getdef_bool ("DEFAULT_HOME") || chdir ("/") == -1) {
fprintf (stderr, _("Unable to cd to '%s'\n"),
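Review bot: the xmalloc(5) / strncpy(temp_pw_dir, "/", 4) pair in this hunk is oversized for a two-byte string and hides the intent; xstrdup("/") gives the same heap-owned "/" in one call. The larger point is that turning temp_pw_dir into a heap copy makes the later free() of the passwd members (the one the report says crashes in su.c:1170) legal, but the string that info->pw_dir pointed at before it is redirected to this copy is never released, so the crash is traded for a leak. Free the old info->pw_dir before assigning the new pointer, and note that the allocation here happens before the DEFAULT_HOME check, so it is also performed on the path that exits with an error.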
----------------------------------------------------------------------
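The crash described above comes from mixing ownership: every string member of the record is released by one free routine, so the moment one of them points at a static array instead of heap memory, free() is handed a pointer it never returned. The following is an added example, not code from this report or from shadow's setupenv.c or su.c: a small constructed passwd-like record whose members are all heap-owned, and a home-directory fallback that keeps it that way by freeing the old string and installing a heap copy of "/". The struct name, function names and the non-existent home path are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed model of the ownership rule behind this report (not shadow's
 * own struct passwd handling): every string member is heap-owned, so the
 * record's free routine may release each member unconditionally. That rule
 * is exactly what a static-array pointer in pw_dir would violate. */
struct pw_rec {
    char *pw_name;
    char *pw_dir;
    char *pw_shell;
};

/* Heap copy of a string that aborts on allocation failure; stands in for
 * shadow's xstrdup(). Written with malloc/memcpy so it needs no POSIX
 * feature macros. */
static char *xstrdup_or_die(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy == NULL) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }
    memcpy(copy, s, n);
    return copy;
}

struct pw_rec *pw_rec_new(const char *name, const char *dir, const char *shell)
{
    struct pw_rec *p = malloc(sizeof *p);
    if (p == NULL) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }
    p->pw_name  = xstrdup_or_die(name);
    p->pw_dir   = xstrdup_or_die(dir);
    p->pw_shell = xstrdup_or_die(shell);
    return p;
}

/* Frees every member. Only valid while every member is a heap pointer,
 * which is why the fallback below must never store a static address. */
void pw_rec_free(struct pw_rec *p)
{
    if (p == NULL)
        return;
    free(p->pw_name);
    free(p->pw_dir);
    free(p->pw_shell);
    free(p);
}

/* Change into the user's home directory, falling back to "/" when the home
 * does not exist and the fallback is permitted (the report's DEFAULT_HOME
 * case). The fallback frees the old string and installs a heap copy of "/",
 * so pw_dir keeps the same ownership as every other member: no leaked
 * original, no static pointer for pw_rec_free() to trip over, and no
 * strncpy() into a buffer whose size is unknown at this point.
 * Returns 0 on success, -1 if no usable directory could be entered. */
int enter_home_or_root(struct pw_rec *p, int default_home)
{
    if (chdir(p->pw_dir) == 0)
        return 0;
    if (!default_home || chdir("/") == -1)
        return -1;
    free(p->pw_dir);
    p->pw_dir = xstrdup_or_die("/");
    return 0;
}

int main(void)
{
    /* Constructed record: the home directory deliberately does not exist. */
    struct pw_rec *p = pw_rec_new("ntp", "/nonexistent/home/for-this-example",
                                  "/sbin/nologin");
    int rc = enter_home_or_root(p, 1);
    printf("rc=%d pw_dir=%s\n", rc, p->pw_dir);
    pw_rec_free(p);   /* safe: pw_dir is a heap string on every path */
    return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

The design choice is uniform ownership: whichever path the code takes, pw_dir ends up as a string that the record's own free routine is allowed to release. The same holds when the fallback is refused (default_home == 0): pw_dir is left untouched, so nothing is leaked and nothing is half-overwritten.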
>Comment By: Christian Perrier (bubulle)
Date: 2013-07-29 09:58
Message:
This was also reported in Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691459
The fix there is applied in the newly created git repository for upstream and will be in 4.2.
----------------------------------------------------------------------
Comment By: mark mayer (fly_a320-guest)
Date: 2013-01-11 09:57
Message:
Well, I think this is cleaner:
diff -Naur shadow-4.1.5.1-orig/libmisc/setupenv.c shadow-4.1.5.1-new/libmisc/setupenv.c
--- shadow-4.1.5.1-orig/libmisc/setupenv.c 2011-08-14 15:11:28.000000000 +0200
+++ shadow-4.1.5.1-new/libmisc/setupenv.c 2013-01-11 09:50:03.708858063 +0100
@@ -228,7 +228,7 @@
exit (EXIT_FAILURE);
}
(void) puts (_("No directory, logging in with HOME=/"));
- info->pw_dir = temp_pw_dir;
+ strncpy(info->pw_dir, temp_pw_dir, 3);
}
/*
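Review bot: strncpy(info->pw_dir, temp_pw_dir, 3) always writes 3 bytes into whatever buffer info->pw_dir points at, and nothing in this hunk establishes that the buffer is that large; the string is the user's original home directory, so an empty or one-character pw_dir would be overflowed by this call (two bytes, "/" plus the terminator, is all the copy needs). It also depends on pw_dir being writable storage sized for the original string rather than on anything the code here controls. The change that needs no size assumption and keeps pw_dir heap-owned for the later free is free(info->pw_dir); info->pw_dir = xstrdup("/");.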
----------------------------------------------------------------------