Created attachment 304747 [details] GDB backtrace I get a segmentation fault with lightdm-1.1.4 in PAM authentication. See attached gdb backtrace. Investigating further, it seems that lightdm's PAM conversation function (pam_conv_cb in session-child.c) returns a good status (PAM_SUCCESS), but a NULL pointer for the response string in the pam_response struct. The problem is new in lightdm-1.1.4, versions 1.0.6-r4 and 1.1.3 worked flawlessly. I've downgraded to 1.1.3 for the time being. Portage 2.1.10.49 (default/linux/amd64/10.0/desktop, gcc-4.5.3, glibc-2.14.1-r2, 3.2.9-gentoo x86_64) ================================================================= System Settings ================================================================= System uname: Linux-3.2.9-gentoo-x86_64-Intel-R-_Core-TM-2_Duo_CPU_T6570_@_2.10GHz-with-gentoo-2.1 Timestamp of tree: Fri, 09 Mar 2012 18:00:01 +0000 ccache version 3.1.7 [enabled] app-shells/bash: 4.2_p20 dev-java/java-config: 2.1.11-r3 dev-lang/python: 2.7.2-r3, 3.2.2 dev-util/ccache: 3.1.7 dev-util/cmake: 2.8.7-r3 dev-util/pkgconfig: 0.26 sys-apps/baselayout: 2.1 sys-apps/openrc: 0.9.9.2 sys-apps/sandbox: 2.5 sys-devel/autoconf: 2.13, 2.68 sys-devel/automake: 1.9.6-r3, 1.11.3 sys-devel/binutils: 2.22-r1 sys-devel/gcc: 4.5.3-r2, 4.6.2 sys-devel/gcc-config: 1.5.1 sys-devel/libtool: 2.4.2 sys-devel/make: 3.82-r3 sys-kernel/linux-headers: 3.2-r1 (virtual/os-headers) sys-libs/glibc: 2.14.1-r2 Repositories: gentoo emacs ulm ACCEPT_KEYWORDS="amd64 ~amd64" ACCEPT_LICENSE="@FREE" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=core2 -ggdb -O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /var/lib/hsqldb" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c" CXXFLAGS="-march=core2 -ggdb -O2 -pipe" DISTDIR="/usr/portage/distfiles" EMERGE_DEFAULT_OPTS="--quiet-build=n" FEATURES="assume-digests binpkg-logs ccache collision-protect compressdebug distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox sfperms sign splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox" FFLAGS="" GENTOO_MIRRORS="http://de-mirror.org/distro/gentoo/ http://gentoo.osuosl.org/" LANG="POSIX" LDFLAGS="-Wl,-O1 -Wl,--as-needed" LINGUAS="en de fr" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_COMPRESS="xz" PORTAGE_COMPRESS_FLAGS="-6" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/var/lib/layman/emacs /usr/portage/local/ulm" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X Xaw3d a52 aac aalib acl acpi alsa amd64 amr ansi audiofile bash-completion bbdb berkdb bluetooth branding bzip2 cairo caps cdda cdparanoia cdr cli consolekit cracklib crypt css cups curl cxx dbus directfb dri dts dvd dvdr elisp emacs emboss emerald encode exif expat fam fbcon ffmpeg firefox flac fontconfig fortran gd gdbm gdu gif gimp glitz glut gmp gnuplot gpm gsl gtk gtkhtml guile iconv idea ieee1394 imagemagick imap ipv6 java jbig jpeg kpathsea latex lcms libcaca libnotify logrotate lua mad math metric mmx mng modules motif mp3 mp4 mpeg mudflap mule multilib ncurses networking nls nocd nptl nptlonly nsplugin offensive ogg opengl openmp pam pango pcmcia pcre pdf plotutils png policykit portage postgres ppds pppd preview-latex qa qt3support qt4 readline recode regex ruby sbcl sdl session skey smp sox spell sse sse2 ssl startup-notification svg sysfs t1lib tcpd tex tiff truetype udev unicode usb userlocales vorbis wifi wxwidgets wxwindows x264 xcb xft xml xorg xpm xulrunner xv xvid zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en de fr" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev intel vesa" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_RSYNC_EXTRA_OPTS ================================================================= Package Settings ================================================================= x11-misc/lightdm-1.1.3 was built with the following: USE="introspection (multilib)"
I can't reproduce it. How about 1.1.7?
(In reply to comment #1) > I can't reproduce it. Hm, I don't see the problem with pam_unix, but only with pam_skey. The former passes only a trivial array (with one element) to the PAM conversation function, whereas in pam_skey it has two elements (the s/key challenge and the password prompt). There's definitely something wrong with the way lightdm handles this nontrivial case: In function pam_conv_cb (session-child.c): *resp = calloc (msg_length, sizeof (struct pam_response)); This allocates an array of struct pam_response elements. resp is of type struct pam_response **. for (i = 0; i < msg_length; i++) { struct pam_response *r = resp[i]; r->resp = read_string (); read_data (&r->resp_retcode, sizeof (r->resp_retcode)); } The right hand side in the first assignment should be &(*resp)[i] not resp[i]. Note that for the trivial case (only i=0) it makes no difference. Fixing this seems not to be enough though, because the following read_string() still returns an empty string. BTW, such memory corruption in an authentication function might be a security issue as well. > How about 1.1.7? Doesn't fix it.
Created attachment 304815 [details, diff] lightdm-1.1.7-pam-auth.patch Attached patch fixes the problem for me.
What is the first line supposed to do? Do you want to get the address instead of the resp[i] value?
(In reply to comment #4) > What is the first line supposed to do? Do you want to get the address > instead of the resp[i] value? See comment #2. The array elements are in (*resp)[i] whereas resp is just a pointer to the array's address, passed as the function's argument.
Ok I think I get it. I'll if I have an account on launchpad so I can report this upstream
Patch reported upstream. Thanks a lot Ulrich
This should be fixed in 1.1.8 which in now in CVS