Bug 288711 - sys-apps/shadow-4.1.2.2: Privilege escalation in /bin/su ?
Summary: sys-apps/shadow-4.1.2.2: Privilege escalation in /bin/su ?
Status: RESOLVED DUPLICATE of bug 266603
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing
Hardware: x86 Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-10-12 11:46 UTC by walt
Modified: 2010-06-22 23:04 UTC
1 user

See Also:
Package list:
Runtime testing required: ---


Attachments
strace of su segfaulting on x86 (st,22.80 KB, text/plain)
2009-10-12 22:48 UTC, walt
Details
Emerge info (emergeinfo,4.56 KB, text/plain)
2009-11-06 16:14 UTC, walt
Details

Description walt 2009-10-12 11:46:35 UTC
/bin/su will segfault if Ctrl-D is entered at the password prompt.

I'm not sure, but I believe I've read that an suid root program can be used to get root privileges if it can be made to crash.

Is this correct?


Reproducible: Always
This happens on ~amd64 and x86.
Comment 1 Gef 2009-10-12 20:39:31 UTC
I can't reproduce that on ~x86 or on ~amd64:
> ~ $ /bin/su
> Password: 
> [Pressed CTRL+D]
> su: Authentication information cannot be recovered
=sys-apps/shadow-4.1.4.2 (cracklib nls pam -audit -selinux -skey)
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2009-10-12 21:16:38 UTC
Same over here.
Can you strace the problem for us?
Comment 3 walt 2009-10-12 22:48:13 UTC
Created attachment 206911 [details]
strace of su segfaulting on x86

After I filed the bug I noticed this in dmesg:
su[6095]: segfault at 0 ip b778f713 sp bf9b8d8c error 4 in libc-2.9.so[b771d000+13d000]

I rebuilt glibc but it made no difference. I did the strace on both x86 and amd64, and they seem virtually identical to me. (They both segfault, BTW.)

gdb refuses me permission, and if I run su as root it won't ask me for a password.  Any way to get around this catch 21?
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-06 14:32:18 UTC
Provide emerge --info, please. I forgot to ask in #2, sorry.
Comment 5 walt 2009-11-06 16:14:57 UTC
Created attachment 209437 [details]
Emerge info
Comment 6 SpanKY gentoo-dev 2010-01-15 02:27:48 UTC
run `su`, then as root, attach to the process with gdb and the -p option.  then hit CTRL+D and make it crash.  post the back trace here.

you can find out info on how to create proper backtraces here:
http://www.gentoo.org/doc/en/bugzilla-howto.xml
Comment 7 walt 2010-01-15 19:43:25 UTC
Thanks, I should have known that :(

The problem starts with pam_ssh at pam_get_pass.c:69

 memset(resp[0].resp, 0, strlen(resp[0].resp));

resp[0].resp should contain the password I type, but when I type Ctrl-d
the value of resp[0].resp is 0x0 instead of a charstring.

The segfault actually happens in the strlen() function in glibc, but I don't
have debug symbols compiled into glibc.  I'm happy to do that if you need
the info and you can't reproduce the problem at your end.

Thanks.
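The defect walt narrowed down in this comment, and the question in the later comments about whether the bug belongs to pam_ssh or glibc, can be shown in a few lines of C. The following is an added illustration, not pam_ssh's code and not an attachment from this bug: it reproduces the shape of the PAM conversation (a response whose `resp` pointer is NULL when the user closes the prompt with Ctrl-D), keeps the unchecked `memset(..., strlen(...))` pattern as the "before" form, and puts a checked version beside it. The local `pam_response` struct copy, the `conv_reply` stand-in for the conversation function, the `PASS_*` codes and the input strings are all constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed local copy of the PAM response struct so the example builds
   without libpam headers; the field layout matches <security/pam_appl.h>. */
struct pam_response {
    char *resp;
    int   resp_retcode;
};

/* Return codes for this example only (not Linux-PAM's numeric constants). */
enum { PASS_NONE = 0, PASS_OK = 1 };

/* Stand-in for the conversation function's reply. A real conv() reads the
   terminal; here `typed` is the constructed input, and NULL stands for the
   user ending the prompt with Ctrl-D (EOF), which leaves resp->resp NULL. */
static struct pam_response *conv_reply(const char *typed)
{
    struct pam_response *r = calloc(1, sizeof *r);
    if (r == NULL)
        return NULL;
    r->resp = typed ? strdup(typed) : NULL;   /* EOF: no buffer at all */
    return r;
}

/* The scrub pattern quoted in comment 7. With r->resp == NULL this is
   strlen(NULL), which is the libc fault in the dmesg and gdb output above.
   Kept as the "before" form: it is only safe once the caller has already
   established that r->resp is non-NULL. */
static void scrub_unchecked(struct pam_response *r)
{
    memset(r->resp, 0, strlen(r->resp));
}

/* Hardened form: a missing response is reported as "no password", and the
   buffer is zeroed and freed only if it exists. The password is copied into
   `out` (when given) before wiping, so the caller can still authenticate. */
static int get_pass_checked(const char *typed, char *out, size_t outlen)
{
    struct pam_response *r = conv_reply(typed);
    int rc = PASS_NONE;

    if (r != NULL && r->resp != NULL) {
        if (out != NULL && outlen > 0) {
            strncpy(out, r->resp, outlen - 1);
            out[outlen - 1] = '\0';
        }
        memset(r->resp, 0, strlen(r->resp));  /* wipe the secret before free */
        free(r->resp);
        rc = PASS_OK;
    }
    free(r);    /* free(NULL) is a no-op, so the EOF path is safe too */
    return rc;
}

int main(void)
{
    char buf[64] = "";
    int rc;

    /* Normal path: a typed password comes back, is copied, then scrubbed. */
    rc = get_pass_checked("hunter2", buf, sizeof buf);
    printf("typed password: rc=%d out=%s\n", rc, buf);

    /* EOF path: the checked version degrades to a failure instead of faulting. */
    rc = get_pass_checked(NULL, buf, sizeof buf);
    printf("Ctrl-D at prompt: rc=%d\n", rc);
    return 0;
}
```

The split of responsibility matches comment 10: strlen() has no way to know it was handed a null pointer, so the check belongs in the module that consumes the conversation result. Two further points a reviewer would raise on the hardened form: a `memset` immediately before `free` can be optimized away by the compiler, so on a current glibc `explicit_bzero` is the better choice for wiping a secret, and the caller should treat `PASS_NONE` as an authentication failure rather than retrying with an empty string.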
Comment 8 walt 2010-01-16 01:18:58 UTC
I built libc with debugging symbols, and this is the result:

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:31
31              pcmpeqb (%rdi), %xmm2

My assembly language skills have eroded with time, and I don't
remember what to do with that bt.
Comment 9 walt 2010-01-19 18:18:47 UTC
I'm the only one seeing this bug because I added "auth sufficient pam_ssh.so"
to my pam sys-auth file so I can ssh to other machines using my ssh key for
authentication instead of a password.

I don't know if the bug is in pam_ssh for passing a null pointer or in glibc
for crashing because of it.  Any opinions on that subject?

Thanks.
Comment 10 SpanKY gentoo-dev 2010-06-20 01:00:11 UTC
if it's crashing in string/memory functions, the problem tends to be with the calling code and not the functions themselves
Comment 11 walt 2010-06-20 19:13:45 UTC
I'd consider this to be a bug in pam_ssh, then.  I don't know if it's really
bad enough to gain root by exploiting it, but it 'feels bad'.

I'll take this upstream and see if anyone is worried about it.

Thanks.
Comment 12 walt 2010-06-22 23:04:40 UTC

*** This bug has been marked as a duplicate of bug 266603 ***