[Pkg-shadow-devel] Bug#755083: login: su dereferences argv[0] without checking it's valid
Adam Sampson
ats at offog.org
Thu Jul 17 14:26:24 UTC 2014
Package: login
Version: 1:4.1.5.1-1
Severity: normal
Tags: upstream
Dear shadow maintainers,
If su is invoked with an empty argument list (i.e. with argv[0] being
NULL), it'll crash. For example:
$ cat exec0.c
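#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
    /* Argument vector holding only the terminator, so the executed
       program sees argc == 0 and argv[0] == NULL. */
    char *empty[1] = { NULL };

    if (argc < 2) {
        fputs("usage: exec0 program\n", stderr);
        return 2;
    }
    execvp(argv[1], empty);
    perror("execvp");   /* only reached if execvp fails */
    return 1;
}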
$ ./exec0 /bin/su
Segmentation fault
The crash occurs because save_caller_context tries to take the basename
of argv[0] without checking whether argc's greater than 0 first. It'd
be better to explicitly abort in this case, as some of the GNU tools do:
$ ./exec0 /bin/ls
A NULL argv[0] was passed through an exec system call.
Aborted
This bug's present in the current Git source for shadow.
Thanks,
Adam Sampson
-- System Information:
Debian Release: 7.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages login depends on:
ii libc6 2.13-38+deb7u3
ii libpam-modules 1.1.3-7.1
ii libpam-runtime 1.1.3-7.1
ii libpam0g 1.1.3-7.1
login recommends no packages.
login suggests no packages.
-- Configuration Files:
/etc/pam.d/su changed [not included]
-- no debconf information
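
The check the report asks for, as an added example that is not part of the original message and not shadow's own code: a hypothetical helper, safe_progname, validates argc and argv[0] before taking the basename, and the caller aborts when it fails. It also rejects an empty-string argv[0], which newer Linux kernels substitute for an empty argument list; the diagnostic text is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from shadow): return the basename of argv[0],
 * or NULL when the caller supplied no usable program name. */
static const char *safe_progname(int argc, char *const argv[])
{
    const char *slash;

    /* execve() with argv = { NULL } gives argc == 0 and argv[0] == NULL. */
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return NULL;

    /* Newer Linux kernels replace an empty argv with a single "". */
    if (argv[0][0] == '\0')
        return NULL;

    /* Plain basename: everything after the last '/', if there is one. */
    slash = strrchr(argv[0], '/');
    return (slash != NULL) ? slash + 1 : argv[0];
}

int main(int argc, char *argv[])
{
    const char *prog = safe_progname(argc, argv);

    if (prog == NULL) {
        /* Fail closed before any code path can dereference argv[0]. */
        fputs("refusing to run: empty argv[0] passed through exec\n", stderr);
        abort();
    }
    printf("invoked as: %s\n", prog);
    return 0;
}
```

Built as a stand-alone program and started through the exec0 reproducer from the report, this aborts with the diagnostic instead of crashing on a NULL pointer.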