When sudo is run, a double free occurs after authenticating.

Reproducible: Always

Steps to Reproduce:
As any user, run sudo bash (or sudo [command])

Actual Results:
This produces the following backtrace

*** glibc detected *** /usr/bin/sudo: double free or corruption (fasttop): 0x00000000006352f0 ***
======= Backtrace: =========
/lib/libc.so.6[0x7fbff11c7258]
/lib/libc.so.6(cfree+0x6c)[0x7fbff11cbd0c]
/lib/libpam.so.0[0x7fbff16b478c]
/lib/libpam.so.0(pam_end+0x22)[0x7fbff16b5292]
/usr/bin/sudo[0x40b27b]
/usr/bin/sudo[0x4119fa]
/usr/bin/sudo[0x413ba1]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7fbff1171a26]
/usr/bin/sudo[0x403969]
======= Memory map: ========
00400000-00422000 r-xp 00000000 08:02 181909 /usr/bin/sudo
00621000-00622000 r--p 00021000 08:02 181909 /usr/bin/sudo
00622000-00624000 rw-p 00022000 08:02 181909 /usr/bin/sudo
00624000-0069a000 rw-p 00000000 00:00 0 [heap]

gdb reports this as

(gdb) bt
#0  0x00007fbff1185645 in raise () from /lib/libc.so.6
#1  0x00007fbff1186b63 in abort () from /lib/libc.so.6
#2  0x00007fbff11c1ac8 in ?? () from /lib/libc.so.6
#3  0x00007fbff11c7258 in ?? () from /lib/libc.so.6
#4  0x00007fbff11cbd0c in free () from /lib/libc.so.6
#5  0x00007fbff16b478c in _pam_free_data (pamh=0x62c820, status=1073741824) at pam_data.c:161
#6  0x00007fbff16b5292 in pam_end (pamh=0x182b, pam_status=6187) at pam_end.c:31
#7  0x000000000040b27b in pam_prep_user (pw=0x62cf20) at ./auth/pam.c:238
#8  0x00000000004119fa in set_perms (perm=<value optimized out>) at ./set_perms.c:559
#9  0x0000000000413ba1 in main (argc=<value optimized out>, argv=<value optimized out>, envp=0x7fff4a639670) at ./sudo.c:503

Expected Results:
sudo to execute command as root

Portage 2.1.6.13 (default/linux/amd64/2008.0/no-multilib, gcc-4.3.3, glibc-2.10.1-r0, 2.6.30-gentoo-r4 x86_64)
=================================================================
System uname: Linux-2.6.30-gentoo-r4-x86_64-Intel-R-_Core-TM-2_Duo_CPU_T7250_@_2.00GHz-with-gentoo-2.0.1
Timestamp of tree: Tue, 28 Jul 2009 10:00:03 +0000
app-shells/bash: 4.0_p28
dev-lang/python: 2.6.2-r1
dev-python/pycrypto: 2.0.1-r8
dev-util/cmake: 2.6.4
sys-apps/baselayout: 2.0.1
sys-apps/openrc: 0.4.3-r3
sys-apps/sandbox: 2.0
sys-devel/autoconf: 2.13, 2.63-r1
sys-devel/automake: 1.9.6-r2, 1.10.2, 1.11
sys-devel/binutils: 2.19.1-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.6a
virtual/os-headers: 2.6.30-r1
ACCEPT_KEYWORDS="amd64 ~amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -O2 -pipe -ggdb"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=core2 -O2 -pipe -ggdb"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages nostrip parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS="-Wl,-O1"
LINGUAS="pt_BR en"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/layman/gnome /usr/local/portage"
SYNC="rsync://10.100.0.1/gentoo-portage/"
USE="64bit X a52 aac acct acl acpi activefilter alsa amd64 apache2 applet archive audio autoipd avahi bluetooth bogofilter bookmarks branding brasero bzip2 cairo caps cdr cleartype consolekit cracklib crypt cups curl cxx dbus dga dhclient dhcp disk-partition dri dvd dvdr dynamic eap-sim eap-tls eds empathy encode epiphany fbcon fbsplash ffmpeg flac fontconfig fuse gcrypt gd gdbm geoip geos gif git glitz gnome gnome-keyring gnutls gps gstreamer gtk hal hddtemp howl-compat hunspell iconv ieee1394 ipv6 ithreads joystick jpeg jpeg2k kvm laptop libburn libnotify libssh2 lm_sensors lua lzo mad mdnsresponder-compat mktemp mmx mng mpeg mudflap nautilus ncurses networkmanager nfs nfsv3 nls nptl nsplugin nss ntp ogg opengl pam pcap pcf pcre perl pic pmu png policykit posix postgis postgres psf python quote readline resolvconf schroedinger sdl sdl-image sdl-sound sensord session sha512 smi sms sound spell sqlite sqlite3 sse sse2 ssh ssl ssse3 startup-notification subversion svg symlink syslog taglib theora threads threadsafe tiff totem truetype unicode usb uuid v4l v4l2 video vorbis webdav webdav-neon webdav-serf width wps xattr xinerama xml xorg xrandr xulrunner xv xvid xvmc zeroconf zip zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias asis authz_host autoindex dir env expires headers ident include mime mime_magic rewrite vhost_alias status"
ELIBC="glibc"
INPUT_DEVICES="evdev keyboard synaptics"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="pt_BR en"
USERLAND="GNU"
VIDEO_CARDS="intel"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Assigning to pam-bugs@gentoo.org as the backtrace shows pam. This may be an upstream problem though.
It really doesn't matter who you assign it to since the maintainer of both PAM and sudo is me. Besides this, I'm going to close this with NEEDINFO; please reopen when you can provide:

- a full backtrace rather than the printed backtrace; it really is nothing useful, and whatever it lists might not be the cause, since it's a _double_ free it reports the second rather than the first; the actual backtrace could help a little more to identify what the heck is freed twice; see http://www.gentoo.org/proj/en/qa/backtraces.xml for how to do that;
- your PAM configuration, whether it's stock or not.
Here is a strace, if that is of any help:

dwn@karnak ~ % strace sudo -u dbmail /usr/sbin/dbmail-sievecmd -u dwn -l
execve("/usr/bin/sudo", ["sudo", "-u", "dbmail", "/usr/sbin/dbmail-sievecmd", "-u", "dwn", "-l"], [/* 74 vars */]) = 0
brk(0) = 0x8ce0000
fcntl64(0, F_GETFD) = 0
fcntl64(1, F_GETFD) = 0
fcntl64(2, F_GETFD) = 0
access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=196043, ...}) = 0
mmap2(NULL, 196043, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f4d000
close(3) = 0
open("/lib/libpam.so.0", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\32\0\0004\0\0\0\300"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=42448, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4c000
mmap2(NULL, 45308, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7f40000
mmap2(0xb7f4a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x9) = 0xb7f4a000
close(3) = 0
open("/lib/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\n\0\0004\0\0\0 "..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=9600, ...}) = 0
mmap2(NULL, 12404, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7f3c000
mmap2(0xb7f3e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7f3e000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260h\1\0004\0\0\0\244"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1483036, ...}) = 0
mmap2(NULL, 1488496, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7dd0000
mmap2(0xb7f36000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x166) = 0xb7f36000
mmap2(0xb7f39000, 9840, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f39000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7dcf000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7dcf6c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xb7f36000, 8192, PROT_READ) = 0
mprotect(0xb7f3e000, 4096, PROT_READ) = 0
mprotect(0xb7f4a000, 4096, PROT_READ) = 0
mprotect(0x8065000, 4096, PROT_READ) = 0
mprotect(0xb7f9e000, 4096, PROT_READ) = 0
munmap(0xb7f4d000, 196043) = 0
brk(0) = 0x8ce0000
brk(0x8d01000) = 0x8d01000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=1813968, ...}) = 0
mmap2(NULL, 1813968, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7c14000
close(3) = 0
geteuid32() = 1000
write(2, "sudo"..., 4sudo) = 4
write(2, ": "..., 2: ) = 2
write(2, "must be setuid root"..., 19must be setuid root) = 19
write(2, "\n"..., 1
) = 1
exit_group(1) = ?
No I don't need the strace, I need a backtrace. NEEDINFO till the information is available.
(In reply to comment #4)
> No I don't need the strace, I need a backtrace. NEEDINFO till the information
> is available.

It will take me a day or two to get debug versions of sudo and pam built. The problem with closing the bug report is that only the original poster (or a bug wrangler) can re-open it. If/when I get the gdb backtrace, I cannot re-open this bug, so "NEEDINFO" at this early stage is rather inconvenient. It somewhat discourages me from pursuing it.

FWIW, sudo was working until the pam_ssh update went through earlier today. It seems the trigger factor, if not the actual bug, is in that package.
This bug went away when I added -ggdb to CFLAGS and debug to USE on glibc.
(In reply to comment #6)
> This bug went away when I added -ggdb to CFLAGS and debug to USE on glibc.

I masked =sys-auth/pam_ssh-1.97 in /etc/portage/package.mask, so that the package was back-levelled to 1.92. This also solved the immediate problem.
Nobody spoke of touching glibc's USE.
Tracking bugs.
*** Bug 279691 has been marked as a duplicate of this bug. ***
*** Bug 279780 has been marked as a duplicate of this bug. ***
I've done some valgrind and gdb on this issue, and came to these conclusions:

- the bug happens only when sudoing to a user without a $HOME/.ssh/ directory (because this version of pam_ssh writes some file there to track usage of the agent)
- in "pam_ssh.c", in function "pam_sm_open_session", there's a "per_agent" variable with the path of the agent tracking file ("$HOME/.ssh/agent-something"). This path is stored in the pam_handle_t dictionary under the name "ssh_agent_env_agent" (and this is done by copy of the pointer, not value - see "man pam_set_data").
- under the bug conditions (when there is no $HOME/.ssh/ directory), this variable is free'd. But the "ssh_agent_env_agent" entry remains unchanged in the pam_handle_t dictionary.
- in "pam_ssh.c", function "pam_sm_close_session", this entry is retrieved and used. That's where you see the bug.

I will attach a patch against pam_ssh-1.97 which removes two erroneous "free(per_agent)" calls from "pam_sm_open_session". Instead, I use "pam_set_data" with a NULL value. The string is free'd automatically on replacement by the entry cleanup function, and its being NULL is handled fine in "pam_sm_close_session".
Created attachment 199834 [details, diff] pam_ssh-1.97-double-free.patch
Created attachment 199835 [details]
Valgrind output without the patch

The interesting part is there:

==11309== Syscall param stat(file_name) points to unaddressable byte(s)
==11309==    at 0x50F9575: _xstat (xstat.c:38)
==11309==    by 0x63D90BA: pam_sm_close_session (pam_ssh.c:945)
==11309==    by 0x4E2B9D8: _pam_dispatch (pam_dispatch.c:110)
==11309==    by 0x40AAD9: pam_prep_user (pam.c:235)
==11309==    by 0x411269: set_perms (set_perms.c:559)
==11309==    by 0x413410: main (sudo.c:503)
==11309==  Address 0x55fb238 is 0 bytes inside a block of size 28 free'd
==11309==    at 0x4C2353F: free (vg_replace_malloc.c:323)
==11309==    by 0x63D9C9E: pam_sm_open_session (pam_ssh.c:649)
==11309==    by 0x4E2B9D8: _pam_dispatch (pam_dispatch.c:110)
==11309==    by 0x40AAC7: pam_prep_user (pam.c:231)
==11309==    by 0x411269: set_perms (set_perms.c:559)
==11309==    by 0x413410: main (sudo.c:503)
==11309==
==11309== Invalid free() / delete / delete[]
==11309==    at 0x4C2353F: free (vg_replace_malloc.c:323)
==11309==    by 0x4E2B35B: _pam_free_data (pam_data.c:161)
==11309==    by 0x4E2BE61: pam_end (pam_end.c:31)
==11309==    by 0x40AAEA: pam_prep_user (pam.c:238)
==11309==    by 0x411269: set_perms (set_perms.c:559)
==11309==    by 0x413410: main (sudo.c:503)
==11309==  Address 0x55fb238 is 0 bytes inside a block of size 28 free'd
==11309==    at 0x4C2353F: free (vg_replace_malloc.c:323)
==11309==    by 0x63D9C9E: pam_sm_open_session (pam_ssh.c:649)
==11309==    by 0x4E2B9D8: _pam_dispatch (pam_dispatch.c:110)
==11309==    by 0x40AAC7: pam_prep_user (pam.c:231)
==11309==    by 0x411269: set_perms (set_perms.c:559)
==11309==    by 0x413410: main (sudo.c:503)
Created attachment 199836 [details]
Valgrind output with the patch

Well, there is nothing interesting here...
This is a GDB session without the patch:

root@gromit% gdb --args /usr/bin/sudo -u ftp /bin/bash
GNU gdb 6.8
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu"...
(gdb) break pam_ssh.c:945
No source file named pam_ssh.c.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (pam_ssh.c:945) pending.
(gdb) run
Starting program: /usr/bin/sudo -u ftp /bin/bash

Breakpoint 1, pam_sm_close_session (pamh=0x62bbe0, flags=<value optimized out>, argc=<value optimized out>, argv=<value optimized out>) at pam_ssh.c:945
945     pam_ssh.c: No such file or directory.
        in pam_ssh.c
(gdb) info locals
env_file = 0x6382b0 "thomas"
pid = <value optimized out>
retval = <value optimized out>
ssh_agent_pid = <value optimized out>
pwent = <value optimized out>
sb = {st_dev = 6521520, st_ino = 0, st_nlink = 0, st_mode = 128, st_uid = 0, st_gid = 0, __pad0 = 0, st_rdev = 0, st_size = 0, st_blksize = 139847575873668, st_blocks = 0, st_atim = {tv_sec = 0, tv_nsec = 139847602486088}, st_mtim = {tv_sec = 139847606834776, tv_nsec = 6470624}, st_ctim = {tv_sec = 139847602466400, tv_nsec = 5}, __unused = {128, 6470624, 0}}
user = 0x6342f0 "ftp"
(gdb)

Note the env_file="thomas", which is nonsense: it should have been either the path to an agent tracking file ("/home/ftp/.ssh/agent-something"), or NULL.
And here is the info about my system:

% qlist -vIe pam pam_ssh
sys-auth/pam_ssh-1.97
sys-libs/pam-1.1.0

% emerge --info
Portage 2.2_rc33 (default/linux/amd64/2008.0, gcc-4.3.3, glibc-2.10.1-r0, 2.6.30-gentoo-r4-1 x86_64)
=================================================================
System uname: Linux-2.6.30-gentoo-r4-1-x86_64-Intel-R-_Core-TM-2_Duo_CPU_E8500_@_3.16GHz-with-gentoo-2.0.1
Timestamp of tree: Sat, 01 Aug 2009 11:15:01 +0000
app-shells/bash: 4.0_p28
dev-java/java-config: 2.1.8-r1
dev-lang/python: 2.6.2-r1
dev-util/cmake: 2.6.4-r2
sys-apps/baselayout: 2.0.1
sys-apps/openrc: 0.4.3-r3
sys-apps/sandbox: 2.0
sys-devel/autoconf: 2.13, 2.63-r1
sys-devel/automake: 1.5, 1.7.9-r1, 1.9.6-r2, 1.10.2, 1.11
sys-devel/binutils: 2.19.1-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.6a
virtual/os-headers: 2.6.30-r1
ACCEPT_KEYWORDS="amd64 ~amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -O2 -ggdb -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-march=core2 -O2 -ggdb -pipe"
DISTDIR="/var/portage/distfiles"
FEATURES="buildpkg distlocks fixpackages parallel-fetch preserve-libs protect-owned sandbox sfperms splitdebug strict unmerge-orphans userfetch usersync"
GENTOO_MIRRORS="http://mirror.ovh.net/gentoo-distfiles/ ftp://ftp.free.fr/mirrors/ftp.gentoo.org/ ftp://ftp.first-world.info/ "
LDFLAGS="-Wl,-O1,--hash-style=gnu,--sort-common -Wl,--as-needed"
LINGUAS="en_US en fr_FR fr"
MAKEOPTS="-j3"
PKGDIR="/var/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/var/portage/tree"
PORTDIR_OVERLAY="/var/portage/overlays/tgl /var/portage/overlays/bugzilla /var/portage/layman/sunrise /var/portage/layman/xwing /var/portage/layman/x11 /var/portage/layman/java-overlay"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi akonadi alsa amd64 apache2 bash-completion berkdb branding bzip2 cairo cdda cddb cdparanoia cdr cli consolekit cracklib crypt cups cvs dbus dga dri dts dv dvb dvd dvdr encode exif fam ffmpeg flac fontconfig fuse gdbm gif gimp git glib gnome gnome-keyring gnutls gpm graphviz gstreamer gtk hal iconv id3tag ieee1394 imagemagick imap isdnlog java java5 java6 jpeg jpeg2k latex lcms libnotify lua mad matroska midi mikmod mmx mng mp3 mpeg mudflap multilib musepack musicbrainz nautilus ncurses network nls nntp nptl nptlonly ogg opengl openmp pam pango pch pcre pdf pg-intdatetime plasma png pppd python qt3support qt4 raw readline reflection sasl sdl semantic-desktop session sndfile spell spl sse sse2 ssl startup-notification subversion svg sysfs taglib tcpd theora threads tiff truetype unicode usb v4l2 vim-syntax vorbis wavpack wma wmf x264 xattr xcb xcomposite xface xinerama xml xmp xorg xosd xpm xulrunner xv xvid xvmc zlib"
ALSA_CARDS="hda-intel"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="en_US en fr_FR fr"
SANE_BACKENDS="epson"
USERLAND="GNU"
VIDEO_CARDS="i810 intel"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
(In reply to comment #12)
> - in "pam_ssh.c", function "pam_sm_close_session", this entry is
> retrieved and used. That's where you see the bug.

Actually, that's where you see the first Valgrind error. As for the double-free bug, you get it a bit later, when the cleanup function for the "ssh_agent_env_agent" pam_handle_t's entry is used on some already free'd data.
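Added example (not code from pam_ssh, Linux-PAM or this bug's patch): a self-contained C model of the pointer ownership described in comment #12 and refined in the comment above. It replaces the real pam_handle_t with a one-slot dictionary that follows the pam_set_data(3) contract this thread relies on (the handle stores the pointer, not a copy; replacing an entry runs the old cleanup on the old data; pam_end runs the cleanup on whatever is stored), and a tracking allocator that counts a second free instead of executing it, so the buggy path can be run without corrupting the heap. The path string, the PAM_* constants and all fake_pam_* names are assumptions made for this example; real Linux-PAM cleanup callbacks also receive the handle and an error status, which is omitted here.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-ins for the PAM return codes used below. */
#define PAM_SUCCESS     0
#define PAM_SESSION_ERR 1

typedef void (*cleanup_fn)(void *data);

/* One-slot stand-in for the per-handle data dictionary (real libpam keeps a list). */
struct fake_pamh { const char *name; void *data; cleanup_fn cleanup; };

/* Tracking allocator: a free of a pointer that is no longer live is counted,
 * not executed, so the buggy sequence runs without undefined behaviour. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int   double_frees;

static char *tracked_strdup(const char *s)
{
    char *p = strdup(s);
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = p; return p; }
    abort();                                   /* table full: unreachable here */
}

static int is_live(const void *p)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) return 1;
    return 0;
}

static void tracked_free(void *p)
{
    if (p == NULL) return;                     /* free(NULL) is a no-op */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;                            /* block was already released */
}

static void cleanup_free(void *data) { tracked_free(data); }

/* pam_set_data(3) semantics: same name already stored -> old cleanup runs on old data. */
static int fake_pam_set_data(struct fake_pamh *h, const char *name, void *data, cleanup_fn cleanup)
{
    if (h->name && strcmp(h->name, name) == 0 && h->cleanup)
        h->cleanup(h->data);
    h->name = name; h->data = data; h->cleanup = cleanup;
    return PAM_SUCCESS;
}

static const void *fake_pam_get_data(const struct fake_pamh *h, const char *name)
{
    return (h->name && strcmp(h->name, name) == 0) ? h->data : NULL;
}

/* pam_end(3): every stored entry is handed to its cleanup, whatever its state. */
static void fake_pam_end(struct fake_pamh *h)
{
    if (h->cleanup) h->cleanup(h->data);
    h->name = NULL; h->data = NULL; h->cleanup = NULL;
}

/* Model of pam_sm_open_session: the tracking-file path is stored by pointer.
 * Without $HOME/.ssh the buggy variant frees it directly and leaves the
 * dictionary pointing at freed memory; the fixed variant hands ownership
 * back to the dictionary by replacing the entry with NULL. */
static int open_session(struct fake_pamh *h, int have_ssh_dir, int fixed)
{
    char *per_agent = tracked_strdup("/home/ftp/.ssh/agent-example"); /* constructed path */
    fake_pam_set_data(h, "ssh_agent_env_agent", per_agent, cleanup_free);
    if (!have_ssh_dir) {
        if (fixed)
            fake_pam_set_data(h, "ssh_agent_env_agent", NULL, cleanup_free); /* freed once, by cleanup */
        else
            tracked_free(per_agent);           /* dangling pointer stays in the dictionary */
        return PAM_SESSION_ERR;
    }
    return PAM_SUCCESS;
}

/* Model of pam_sm_close_session: the real module stat()s the path; here we only
 * ask the tracker whether the pointer is still valid. Returns 1 on use-after-free. */
static int close_session(struct fake_pamh *h)
{
    const char *env_file = fake_pam_get_data(h, "ssh_agent_env_agent");
    if (env_file == NULL) return 0;
    return is_live(env_file) ? 0 : 1;
}

struct faults { int use_after_free; int double_free; int leaked; };

/* open -> close -> pam_end, reporting what the tracker observed. */
struct faults run_scenario(int have_ssh_dir, int fixed)
{
    struct fake_pamh h = {0};
    struct faults f = {0};
    memset(live, 0, sizeof live);
    double_frees = 0;
    open_session(&h, have_ssh_dir, fixed);
    f.use_after_free = close_session(&h);
    fake_pam_end(&h);
    f.double_free = double_frees;
    for (int i = 0; i < MAX_LIVE; i++) if (live[i]) f.leaked++;
    return f;
}

int main(void)
{
    const char *label[] = { "buggy", "fixed" };
    for (int fixed = 0; fixed < 2; fixed++) {
        struct faults f = run_scenario(0, fixed);
        printf("%s, no ~/.ssh: use_after_free=%d double_free=%d leaked=%d\n",
               label[fixed], f.use_after_free, f.double_free, f.leaked);
    }
    return 0;
}
```

The buggy run reproduces both Valgrind findings in order: the stale pointer is read in close_session first, and the second free only happens when pam_end runs the entry's cleanup. The fixed run shows why replacing the entry with NULL is enough: the cleanup frees the string exactly once at replacement time, close_session sees NULL, and the later cleanup call at pam_end is a harmless free(NULL).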
TGL thanks for the debugging and the patch! I'm currently exhausted so I'm not staying in front of the computer for long, but having skimmed through your logs it seems like you nailed it :) Thanks! I'll apply the patch and test either this night or tomorrow first thing!
Patch is in 1.97-r1; arches who marked 1.97 stable please stable -r1 too. Thanks!
*** Bug 279886 has been marked as a duplicate of this bug. ***
FYI, I have now reported the bug and patch upstream: https://sourceforge.net/tracker/?func=detail&aid=2831162&group_id=16000&atid=116000
This should be fixed now, I guess?