After installing and configuring sys-auth/pam_skey, sudo will segfault on CTRL-C during the password prompt.

Reproducible: Always

Steps to Reproduce:
1. Install and configure app-admin/sudo
2. Install sys-auth/pam_skey
3. Modify /etc/pam.d/system-auth to contain the lines:
   auth [success=done ignore=ignore auth_err=die default=bad] pam_skey.so
   auth sufficient pam_unix.so likeauth nullok try_first_pass
   instead of:
   auth required pam_unix.so try_first_pass likeauth nullok
4. Execute: sudo ls -l
5. When prompted for the sudo password, hit CTRL-C.
6. Notice the segfault. This does not occur when skey is not in use.

Actual Results: Pressing CTRL-C during the password prompt causes a segfault.

Expected Results: Pressing CTRL-C during the password prompt should exit cleanly.
This is observed on amd64.
The segmentation fault happens in mod_talk_touser: Program received signal SIGINT, Interrupt. 0x00007fb3cfead5c0 in read () from /lib/libc.so.6 (gdb) bt #0 0x00007fb3cfead5c0 in read () from /lib/libc.so.6 #1 0x0000000000419c15 in getln (fd=6, buf=0x62b780 "", bufsiz=257, feedback=0) at ./tgetpass.c:238 #2 0x00000000004198f2 in tgetpass ( prompt=0x7fb3cef04690 "S/Key response or system password: ", timeout=300, flags=0) at ./tgetpass.c:134 #3 0x000000000040dddd in sudo_conv (num_msg=2, msg=0x7fffd876f340, response=0x7fffd876f330, appdata_ptr=0x0) at ./auth/pam.c:296 #4 0x00007fb3cef043b3 in mod_talk_touser (pamh=0x634330, mod_opt=0, info_text=0x7fb3cef02340 "otp-md5 94 a1i155581", prompt_text=0x7fb3cef04690 "S/Key response or system password: ", echo_on=0, response=0x7fffd876f3f0) at pam_skey.c:247 #5 0x00007fb3cef03f08 in pam_sm_authenticate (pamh=0x634330, flags=32768, argc=0, argv=0x0) at pam_skey.c:144 #6 0x00007fb3d0349ee9 in ?? () from /lib/libpam.so.0 #7 0x00007fb3d03497c3 in pam_authenticate () from /lib/libpam.so.0 #8 0x000000000040d90d in pam_verify (pw=0x631c20, prompt=0x630970 "Password:", auth=0x629740) at ./auth/pam.c:141 #9 0x000000000040d4ef in verify_user (pw=0x631c20, prompt=0x630970 "Password:") at ./auth/sudo_auth.c:187 #10 0x000000000040e22c in check_user (validated=2, mode=1) at ./check.c:136 #11 0x00000000004162e6 in main (argc=3, argv=0x7fffd876f8d8, envp=0x7fffd876f8f8) at ./sudo.c:431 (gdb) cont Continuing. Program received signal SIGINT, Interrupt. 
0x00007fb3cfe17a57 in kill () from /lib/libc.so.6 (gdb) bt #0 0x00007fb3cfe17a57 in kill () from /lib/libc.so.6 #1 0x0000000000419a06 in tgetpass ( prompt=0x7fb3cef04690 "S/Key response or system password: ", timeout=300, flags=0) at ./tgetpass.c:160 #2 0x000000000040dddd in sudo_conv (num_msg=2, msg=0x7fffd876f340, response=0x7fffd876f330, appdata_ptr=0x0) at ./auth/pam.c:296 #3 0x00007fb3cef043b3 in mod_talk_touser (pamh=0x634330, mod_opt=0, info_text=0x7fb3cef02340 "otp-md5 94 a1i155581", prompt_text=0x7fb3cef04690 "S/Key response or system password: ", echo_on=0, response=0x7fffd876f3f0) at pam_skey.c:247 #4 0x00007fb3cef03f08 in pam_sm_authenticate (pamh=0x634330, flags=32768, argc=0, argv=0x0) at pam_skey.c:144 #5 0x00007fb3d0349ee9 in ?? () from /lib/libpam.so.0 #6 0x00007fb3d03497c3 in pam_authenticate () from /lib/libpam.so.0 #7 0x000000000040d90d in pam_verify (pw=0x631c20, prompt=0x630970 "Password:", auth=0x629740) at ./auth/pam.c:141 #8 0x000000000040d4ef in verify_user (pw=0x631c20, prompt=0x630970 "Password:") at ./auth/sudo_auth.c:187 #9 0x000000000040e22c in check_user (validated=2, mode=1) at ./check.c:136 #10 0x00000000004162e6 in main (argc=3, argv=0x7fffd876f8d8, envp=0x7fffd876f8f8) at ./sudo.c:431 (gdb) cont Continuing. Program received signal SIGSEGV, Segmentation fault. 0x00007fb3cef043bb in mod_talk_touser (pamh=0x634330, mod_opt=0, info_text=0x7fb3cef02340 "otp-md5 94 a1i155581", prompt_text=0x7fb3cef04690 "S/Key response or system password: ", echo_on=0, response=0x7fffd876f3f0) at pam_skey.c:251 warning: Source file is more recent than executable. 
251 _pam_delete(presponse->resp); (gdb) bt full #0 0x00007fb3cef043bb in mod_talk_touser (pamh=0x634330, mod_opt=0, info_text=0x7fb3cef02340 "otp-md5 94 a1i155581", prompt_text=0x7fb3cef04690 "S/Key response or system password: ", echo_on=0, response=0x7fffd876f3f0) at pam_skey.c:251 __xx__ = 0x1d07709b0 <Address 0x1d07709b0 out of bounds> message = {{msg_style = 4, msg = 0x7fb3cef02340 "otp-md5 94 a1i155581"}, {msg_style = 1, msg = 0x7fb3cef04690 "S/Key response or system password: "}} pmessage = {0x7fffd876f350, 0x7fffd876f360} conv = (struct pam_conv *) 0x6344f0 presponse = (struct pam_response *) 0x0 i = 2 #1 0x00007fb3cef03f08 in pam_sm_authenticate (pamh=0x634330, flags=32768, argc=0, argv=0x0) at pam_skey.c:144 challenge = 0x7fb3cef02340 "otp-md5 94 a1i155581" username = 0x6344d0 "ulm" response = 0x0 status = 0 mod_opt = 0 #2 0x00007fb3d0349ee9 in ?? () from /lib/libpam.so.0 No symbol table info available. #3 0x00007fb3d03497c3 in pam_authenticate () from /lib/libpam.so.0 No symbol table info available. 
#4 0x000000000040d90d in pam_verify (pw=0x631c20, prompt=0x630970 "Password:", auth=0x629740) at ./auth/pam.c:141 s = 0x7fffd876f510 "p\tc" pam_status = (int *) 0x629db0
#5 0x000000000040d4ef in verify_user (pw=0x631c20, prompt=0x630970 "Password:") at ./auth/sudo_auth.c:187 counter = 3 success = 1 status = 0 flags = 0 p = 0x630970 "Password:" auth = (sudo_auth *) 0x629740 sa = {__sigaction_handler = {sa_handler = 0, sa_sigaction = 0}, sa_mask = {__val = {0 <repeats 16 times>}}, sa_flags = 268435456, sa_restorer = 0} osa = {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1}, sa_mask = {__val = {0, 140736825062768, 140410266840672, 6506352, 17, 140736825062768, 4337537, 140736825063096, 140410263823548, 18, 140410263776323, 4222451712, 6506352, 6506352, 6506352, 6506352}}, sa_flags = 335544320, sa_restorer = 0x7fb3cfe177f0}
#6 0x000000000040e22c in check_user (validated=2, mode=1) at ./check.c:136 timestampdir = 0x6340a0 "/var/run/sudo/ulm" timestampfile = 0x0 prompt = 0x630970 "Password:" status = 2
#7 0x00000000004162e6 in main (argc=3, argv=0x7fffd876f8d8, envp=0x7fffd876f8f8) at ./sudo.c:431 sources = 1 validated = 2 fd = 32691 cmnd_status = 1 sudo_mode = 1 pwflag = 0 rc = 0 sa = {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1}, sa_mask = {__val = {0 <repeats 16 times>}}, sa_flags = 268435456, sa_restorer = 0} nss = (struct sudo_nss *) 0x0
(gdb) list 239,253
239   /* Do conversation and see if all is OK */
240   if (pam_get_item(pamh, PAM_CONV, (const void **)(void *)&conv)
241       != PAM_SUCCESS)
242   {
243     LOGDEBUG((LOG_DEBUG, "error in conversation"));
244     return PAM_SERVICE_ERR;
245   }
246   /* Convert into pam_response */
247   if (conv->conv(i, (const struct pam_message **)pmessage, &presponse,
248                  conv->appdata_ptr)
249       != PAM_SUCCESS)
250   {
251     _pam_delete(presponse->resp);
252     return PAM_SERVICE_ERR;
253   }

Looks like a NULL pointer check for presponse is missing. The full backtrace shows presponse = 0x0 at the time of the crash: sudo's conversation function was interrupted by the SIGINT and returned an error without setting a response, and the error branch at line 251 then dereferences presponse->resp unconditionally. After a failed conversation the module cannot assume that the response pointer was set.
Created attachment 217163 [details, diff] pam-skey-1.1.5-presponse-segfault.patch Does the attached patch fix the problem for you?
Created attachment 217179 [details, diff] pam-skey-1.1.5-presponse-segfault.patch Updated patch: it now passes the status returned by the conversation function back to the caller.
(In reply to comment #4) > Created an attachment (id=217179) [details] > pam-skey-1.1.5-presponse-segfault.patch *ping* Can you test if this patch fixes the issue, please?
Should be fixed in -r1.
(In reply to comment #6) > Should be fixed in -r1. > It no longer segfaults. Thanks.
Thank you for reporting this bug.