[Pkg-shadow-devel] [pkg-shadow-Bugs][313940] uninitialised memory in merge_group_entries causes segfault in useradd
pkg-shadow-bugs at alioth.debian.org
Mon Jul 29 08:13:55 UTC 2013
pkg-shadow-Bugs item #313940 was changed at 2013-07-29 10:13 by Christian Perrier
You can respond by visiting:
https://alioth.debian.org/tracker/?func=detail&atid=411478&aid=313940&group_id=30580
Status: Open
Priority: 3
Submitted By: Brad Hubbard (badone-guest)
Assigned to: Nobody (None)
Summary: uninitialised memory in merge_group_entries causes segfault in useradd
Category: None
Group: None
Resolution: None
Initial Comment:
We encountered the following segfault in useradd.
Core was generated by `useradd -u xxxx -g xxx -G zzzzz -d /aaa/bbb/ccc/ddd/zzzz -m -s /bin/bash -'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007f8f7503a2d6 in __strcmp_sse42 () from /lib64/libc.so.6
(gdb) bt
#0 0x00007f8f7503a2d6 in __strcmp_sse42 () from /lib64/libc.so.6
#1 0x00007f8f75b187d7 in merge_group_entries () at groupio.c:352
#2 group_open_hook () at groupio.c:262
#3 0x00007f8f75b1a944 in commonio_open (db=0x7f8f75d22840, mode=<value optimized out>) at commonio.c:646
#4 0x00007f8f75b11057 in open_files () at useradd.c:1456
#5 0x00007f8f75b138eb in main (argc=<value optimized out>, argv=<value optimized out>) at useradd.c:1938
It appears the following loop relies on the memory returned by a malloc call being initialized to zero in order to break out of the loop but, of course, that is not always the case. I've attached a simple patch changing the call to calloc.
339         new_members = (char **)malloc ( (members+1) * sizeof(char*) );
340         if (NULL == new_members) {
341                 free (new_line);
342                 errno = ENOMEM;
343                 return NULL;
344         }
345         for (i=0; NULL != gptr1->gr_mem[i]; i++) {
346                 new_members[i] = gptr1->gr_mem[i];
347         }
348         members = i;
349         for (i=0; NULL != gptr2->gr_mem[i]; i++) {
350                 char **pmember = new_members;
351                 while (NULL != *pmember) {
352                         if (0 == strcmp(*pmember, gptr2->gr_mem[i])) { <--------- SEGFAULT
353                                 break;
354                         }
This can be simulated by adding a memset to "dirty" the memory under the malloc call.
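As an added illustration (not code from the shadow source tree or from the attached patch), this is how the member merge can be written so it never depends on the allocator handing back zeroed memory: the array comes from calloc, the duplicate scan is bounded by the number of entries copied so far instead of by a NULL sentinel, and the terminator is stored explicitly. The function names and the two sample groups are constructed for this example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Merge two NULL-terminated member lists (the shape of gr_mem) into a new
 * NULL-terminated array. Strings are shared, not copied, as in the report's
 * snippet. Nothing here assumes the fresh block is zero-filled. */
char **merge_members(char *const *mem1, char *const *mem2)
{
    size_t n1 = 0, n2 = 0, i, j, count;
    char **out;

    while (mem1[n1] != NULL) n1++;
    while (mem2[n2] != NULL) n2++;

    /* calloc zeroes the block, and the terminator is still written below. */
    out = calloc(n1 + n2 + 1, sizeof(*out));
    if (out == NULL) {
        errno = ENOMEM;
        return NULL;
    }

    for (i = 0; i < n1; i++)
        out[i] = mem1[i];
    count = n1;

    for (i = 0; i < n2; i++) {
        int dup = 0;
        /* Bounded by count: no read past the entries actually stored. */
        for (j = 0; j < count; j++) {
            if (strcmp(out[j], mem2[i]) == 0) { dup = 1; break; }
        }
        if (!dup)
            out[count++] = mem2[i];
    }
    out[count] = NULL;   /* explicit terminator, never left to the allocator */
    return out;
}

size_t member_count(char *const *mem)
{
    size_t n = 0;
    while (mem[n] != NULL) n++;
    return n;
}

/* Constructed sample groups standing in for gptr1->gr_mem and gptr2->gr_mem. */
static char *const demo_mem1[] = { "alice", "bob", NULL };
static char *const demo_mem2[] = { "bob", "carol", NULL };

/* Merges the samples and returns the member count (3: alice, bob, carol). */
size_t demo_merged_count(void)
{
    char **m = merge_members(demo_mem1, demo_mem2);
    size_t n = (m != NULL) ? member_count(m) : 0;
    free(m);
    return n;
}
```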
----------------------------------------------------------------------
>Comment By: Christian Perrier (bubulle)
Date: 2013-07-29 10:13
Message:
Fix committed in git
----------------------------------------------------------------------
Comment By: Tomáš Mráz (tmraz-guest)
Date: 2013-01-29 14:01
Message:
There is also a bug when the new_line is allocated - it allocates sizeof(char*) times more memory than needed and the snprintf() call is incorrect, causing truncation of the second group entry line.
----------------------------------------------------------------------
Comment By: Brad Hubbard (badone-guest)
Date: 2012-12-25 22:23
Message:
Attached merge_group_entries.calloc.patch
----------------------------------------------------------------------