Bug 407591 - x11-misc/lightdm-1.1.4 segmentation fault at runtime in PAM authentication
Summary: x11-misc/lightdm-1.1.4 segmentation fault at runtime in PAM authentication
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Markos Chandras (RETIRED)
URL: https://bugs.launchpad.net/lightdm/+b...
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2012-03-09 21:54 UTC by Ulrich Müller
Modified: 2012-03-16 22:29 UTC
See Also:
Package list:
Runtime testing required: ---
Attachments
GDB backtrace (lightdm.backtrace, 5.73 KB, text/plain)
2012-03-09 21:54 UTC, Ulrich Müller
lightdm-1.1.7-pam-auth.patch (lightdm-1.1.7-pam-auth.patch, 1002 bytes, patch)
2012-03-10 10:05 UTC, Ulrich Müller

Description Ulrich Müller gentoo-dev 2012-03-09 21:54:58 UTC
Created attachment 304747
GDB backtrace

I get a segmentation fault with lightdm-1.1.4 in PAM authentication. See attached gdb backtrace.

Investigating further, it seems that lightdm's PAM conversation function (pam_conv_cb in session-child.c) returns a good status (PAM_SUCCESS), but a NULL pointer for the response string in the pam_response struct.

The problem is new in lightdm-1.1.4; versions 1.0.6-r4 and 1.1.3 worked flawlessly. I've downgraded to 1.1.3 for the time being.


Portage 2.1.10.49 (default/linux/amd64/10.0/desktop, gcc-4.5.3, glibc-2.14.1-r2, 3.2.9-gentoo x86_64)
=================================================================
                        System Settings
=================================================================
System uname: Linux-3.2.9-gentoo-x86_64-Intel-R-_Core-TM-2_Duo_CPU_T6570_@_2.10GHz-with-gentoo-2.1
Timestamp of tree: Fri, 09 Mar 2012 18:00:01 +0000
ccache version 3.1.7 [enabled]
app-shells/bash:          4.2_p20
dev-java/java-config:     2.1.11-r3
dev-lang/python:          2.7.2-r3, 3.2.2
dev-util/ccache:          3.1.7
dev-util/cmake:           2.8.7-r3
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.1
sys-apps/openrc:          0.9.9.2
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.9.6-r3, 1.11.3
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.5.3-r2, 4.6.2
sys-devel/gcc-config:     1.5.1
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 3.2-r1 (virtual/os-headers)
sys-libs/glibc:           2.14.1-r2
Repositories: gentoo emacs ulm
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -ggdb -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=core2 -ggdb -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--quiet-build=n"
FEATURES="assume-digests binpkg-logs ccache collision-protect compressdebug distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox sfperms sign splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox"
FFLAGS=""
GENTOO_MIRRORS="http://de-mirror.org/distro/gentoo/ http://gentoo.osuosl.org/"
LANG="POSIX"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en de fr"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_COMPRESS="xz"
PORTAGE_COMPRESS_FLAGS="-6"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/emacs /usr/portage/local/ulm"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X Xaw3d a52 aac aalib acl acpi alsa amd64 amr ansi audiofile bash-completion bbdb berkdb bluetooth branding bzip2 cairo caps cdda cdparanoia cdr cli consolekit cracklib crypt css cups curl cxx dbus directfb dri dts dvd dvdr elisp emacs emboss emerald encode exif expat fam fbcon ffmpeg firefox flac fontconfig fortran gd gdbm gdu gif gimp glitz glut gmp gnuplot gpm gsl gtk gtkhtml guile iconv idea ieee1394 imagemagick imap ipv6 java jbig jpeg kpathsea latex lcms libcaca libnotify logrotate lua mad math metric mmx mng modules motif mp3 mp4 mpeg mudflap mule multilib ncurses networking nls nocd nptl nptlonly nsplugin offensive ogg opengl openmp pam pango pcmcia pcre pdf plotutils png policykit portage postgres ppds pppd preview-latex qa qt3support qt4 readline recode regex ruby sbcl sdl session skey smp sox spell sse sse2 ssl startup-notification svg sysfs t1lib tcpd tex tiff truetype udev unicode usb userlocales vorbis wifi wxwidgets wxwindows x264 xcb xft xml xorg xpm xulrunner xv xvid zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf 
superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en de fr" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev intel vesa" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

x11-misc/lightdm-1.1.3 was built with the following:
USE="introspection (multilib)"
Comment 1 Markos Chandras (RETIRED) gentoo-dev 2012-03-10 01:52:56 UTC
I can't reproduce it. How about 1.1.7?
Comment 2 Ulrich Müller gentoo-dev 2012-03-10 07:41:03 UTC
(In reply to comment #1)
> I can't reproduce it.

Hm, I don't see the problem with pam_unix, but only with pam_skey. The former passes only a trivial array (with one element) to the PAM conversation function, whereas in pam_skey it has two elements (the s/key challenge and the password prompt).

There's definitely something wrong with the way lightdm handles this nontrivial case: In function pam_conv_cb (session-child.c):

    *resp = calloc (msg_length, sizeof (struct pam_response));

This allocates an array of struct pam_response elements. resp is of type struct pam_response **.

    for (i = 0; i < msg_length; i++)
    {
        struct pam_response *r = resp[i];
        r->resp = read_string ();
        read_data (&r->resp_retcode, sizeof (r->resp_retcode));
    }

The right hand side in the first assignment should be &(*resp)[i] not resp[i]. Note that for the trivial case (only i=0) it makes no difference. Fixing this seems not to be enough though, because the following read_string() still returns an empty string.

BTW, such memory corruption in an authentication function might be a security issue as well.

> How about 1.1.7?

Doesn't fix it.
Comment 3 Ulrich Müller gentoo-dev 2012-03-10 10:05:40 UTC
Created attachment 304815
lightdm-1.1.7-pam-auth.patch

Attached patch fixes the problem for me.
Comment 4 Markos Chandras (RETIRED) gentoo-dev 2012-03-10 10:20:35 UTC
What is the first line supposed to do? Do you want to get the address instead of the resp[i] value?
Comment 5 Ulrich Müller gentoo-dev 2012-03-10 11:08:44 UTC
(In reply to comment #4)
> What is the first line supposed to do? Do you want to get the address
> instead of the resp[i] value?

See comment #2. The array elements are in (*resp)[i] whereas resp is just a pointer to the array's address, passed as the function's argument.
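The corrected indexing that comments 2 and 5 describe, as an added C example: this is not lightdm's code and not the attached patch. The libpam types and constants are mirrored locally so it builds without libpam, the two prompts and the greeter answers are constructed, and appdata stands in for the greeter pipe that lightdm's read_string() reads.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdlib.h>
#include <string.h>
/* Local mirrors of the libpam types/constants used here, so the example
 * builds without <security/pam_appl.h> (where the real ones live). */
#define PAM_SUCCESS  0
#define PAM_BUF_ERR  5
#define PAM_CONV_ERR 19
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
/* Conversation callback with the indexing corrected: the array lives at
 * *resp, so element i is (*resp)[i]; resp[i] would read past the single
 * pointer passed in once i > 0. appdata stands in for lightdm's read_string(). */
int conv_fixed(int num_msg, const struct pam_message **msg,
               struct pam_response **resp, void *appdata)
{
    const char *const *answers = appdata;   /* constructed greeter answers */
    int i;
    (void)msg;
    *resp = calloc((size_t)num_msg, sizeof(struct pam_response)); /* zeroes resp_retcode */
    if (*resp == NULL)
        return PAM_BUF_ERR;
    for (i = 0; i < num_msg; i++) {
        struct pam_response *r = &(*resp)[i];              /* bug was: resp[i] */
        r->resp = answers[i] ? strdup(answers[i]) : NULL;
        if (r->resp == NULL) {  /* never return PAM_SUCCESS with a NULL answer */
            for (; i >= 0; i--) free((*resp)[i].resp);
            free(*resp); *resp = NULL;
            return PAM_CONV_ERR;
        }
    }
    return PAM_SUCCESS;
}
/* Two-prompt exchange like pam_skey's (constructed prompts): returns how many
 * responses came back non-NULL, or -1 if the callback refused the exchange. */
int count_filled_responses(const char *const answers[2])
{
    const struct pam_message m[2] = { { 2, "s/key challenge" }, { 1, "Password: " } };
    const struct pam_message *msgs[2] = { &m[0], &m[1] };
    struct pam_response *out = NULL;
    int i, filled = 0;
    if (conv_fixed(2, msgs, &out, (void *)answers) != PAM_SUCCESS)
        return -1;
    for (i = 0; i < 2; i++) {
        filled += (out[i].resp != NULL);
        free(out[i].resp);
    }
    free(out);
    return filled;
}
```

With the original resp[i] indexing the second iteration would dereference whatever sits after the caller's pointer variable, which is the crash the backtrace shows; the corrected callback also refuses to report PAM_SUCCESS when an answer is missing.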
Comment 6 Markos Chandras (RETIRED) gentoo-dev 2012-03-10 11:14:14 UTC
Ok, I think I get it. I'll check if I have an account on Launchpad so I can report this upstream.
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2012-03-10 11:21:39 UTC
Patch reported upstream. Thanks a lot, Ulrich.
Comment 8 Markos Chandras (RETIRED) gentoo-dev 2012-03-16 22:29:09 UTC
This should be fixed in 1.1.8, which is now in CVS.