Bug 301467 - sys-auth/pam_skey used with sudo can cause segfaults
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Unspecified
Hardware: AMD64 Linux
Importance: High normal
Assignee: Ulrich Müller
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-01-19 01:18 UTC by Timothy Stotts
Modified: 2010-02-06 19:10 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
pam-skey-1.1.5-presponse-segfault.patch (275 bytes, patch), 2010-01-22 12:25 UTC, Ulrich Müller
pam-skey-1.1.5-presponse-segfault.patch (777 bytes, patch), 2010-01-22 16:22 UTC, Ulrich Müller

Description Timothy Stotts 2010-01-19 01:18:38 UTC
After installing and configuring sys-auth/pam_skey, sudo will segfault on CTRL-C during password prompt.

Reproducible: Always

Steps to Reproduce:
1. Install and configure app-admin/sudo
2. Install sys-auth/pam-skey

3. Modify /etc/pam.d/system-auth to contain lines:

auth       [success=done ignore=ignore auth_err=die default=bad] pam_skey.so
auth       sufficient   pam_unix.so likeauth nullok try_first_pass

instead of:

auth           required        pam_unix.so try_first_pass likeauth nullok

4. execute:
sudo ls -l

5. When prompted for sudo password, hit CTRL-C.

6. Notice the segfault. This does not occur when skey is not in use.


Actual Results:  
Pressing CTRL-C during password prompt causes segfault.

Expected Results:  
Pressing CTRL-C during password prompt should be clean.
Comment 1 Timothy Stotts 2010-01-19 01:20:09 UTC
This is observed on amd64.
Comment 2 Ulrich Müller gentoo-dev 2010-01-22 12:25:06 UTC
The segmentation fault happens in mod_talk_touser:

Program received signal SIGINT, Interrupt.
0x00007fb3cfead5c0 in read () from /lib/libc.so.6
(gdb) bt
#0  0x00007fb3cfead5c0 in read () from /lib/libc.so.6
#1  0x0000000000419c15 in getln (fd=6, buf=0x62b780 "", bufsiz=257, feedback=0)
    at ./tgetpass.c:238
#2  0x00000000004198f2 in tgetpass (
    prompt=0x7fb3cef04690 "S/Key response or system password: ", timeout=300, 
    flags=0) at ./tgetpass.c:134
#3  0x000000000040dddd in sudo_conv (num_msg=2, msg=0x7fffd876f340, 
    response=0x7fffd876f330, appdata_ptr=0x0) at ./auth/pam.c:296
#4  0x00007fb3cef043b3 in mod_talk_touser (pamh=0x634330, mod_opt=0, 
    info_text=0x7fb3cef02340 "otp-md5 94 a1i155581", 
    prompt_text=0x7fb3cef04690 "S/Key response or system password: ", 
    echo_on=0, response=0x7fffd876f3f0) at pam_skey.c:247
#5  0x00007fb3cef03f08 in pam_sm_authenticate (pamh=0x634330, flags=32768, 
    argc=0, argv=0x0) at pam_skey.c:144
#6  0x00007fb3d0349ee9 in ?? () from /lib/libpam.so.0
#7  0x00007fb3d03497c3 in pam_authenticate () from /lib/libpam.so.0
#8  0x000000000040d90d in pam_verify (pw=0x631c20, 
    prompt=0x630970 "Password:", auth=0x629740) at ./auth/pam.c:141
#9  0x000000000040d4ef in verify_user (pw=0x631c20, 
    prompt=0x630970 "Password:") at ./auth/sudo_auth.c:187
#10 0x000000000040e22c in check_user (validated=2, mode=1) at ./check.c:136
#11 0x00000000004162e6 in main (argc=3, argv=0x7fffd876f8d8, 
    envp=0x7fffd876f8f8) at ./sudo.c:431
(gdb) cont
Continuing.

Program received signal SIGINT, Interrupt.
0x00007fb3cfe17a57 in kill () from /lib/libc.so.6
(gdb) bt
#0  0x00007fb3cfe17a57 in kill () from /lib/libc.so.6
#1  0x0000000000419a06 in tgetpass (
    prompt=0x7fb3cef04690 "S/Key response or system password: ", timeout=300, 
    flags=0) at ./tgetpass.c:160
#2  0x000000000040dddd in sudo_conv (num_msg=2, msg=0x7fffd876f340, 
    response=0x7fffd876f330, appdata_ptr=0x0) at ./auth/pam.c:296
#3  0x00007fb3cef043b3 in mod_talk_touser (pamh=0x634330, mod_opt=0, 
    info_text=0x7fb3cef02340 "otp-md5 94 a1i155581", 
    prompt_text=0x7fb3cef04690 "S/Key response or system password: ", 
    echo_on=0, response=0x7fffd876f3f0) at pam_skey.c:247
#4  0x00007fb3cef03f08 in pam_sm_authenticate (pamh=0x634330, flags=32768, 
    argc=0, argv=0x0) at pam_skey.c:144
#5  0x00007fb3d0349ee9 in ?? () from /lib/libpam.so.0
#6  0x00007fb3d03497c3 in pam_authenticate () from /lib/libpam.so.0
#7  0x000000000040d90d in pam_verify (pw=0x631c20, 
    prompt=0x630970 "Password:", auth=0x629740) at ./auth/pam.c:141
#8  0x000000000040d4ef in verify_user (pw=0x631c20, 
    prompt=0x630970 "Password:") at ./auth/sudo_auth.c:187
#9  0x000000000040e22c in check_user (validated=2, mode=1) at ./check.c:136
#10 0x00000000004162e6 in main (argc=3, argv=0x7fffd876f8d8, 
    envp=0x7fffd876f8f8) at ./sudo.c:431
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00007fb3cef043bb in mod_talk_touser (pamh=0x634330, mod_opt=0, 
    info_text=0x7fb3cef02340 "otp-md5 94 a1i155581", 
    prompt_text=0x7fb3cef04690 "S/Key response or system password: ", 
    echo_on=0, response=0x7fffd876f3f0) at pam_skey.c:251
warning: Source file is more recent than executable.
251         _pam_delete(presponse->resp);
(gdb) bt full
#0  0x00007fb3cef043bb in mod_talk_touser (pamh=0x634330, mod_opt=0, 
    info_text=0x7fb3cef02340 "otp-md5 94 a1i155581", 
    prompt_text=0x7fb3cef04690 "S/Key response or system password: ", 
    echo_on=0, response=0x7fffd876f3f0) at pam_skey.c:251
        __xx__ = 0x1d07709b0 <Address 0x1d07709b0 out of bounds>
        message = {{msg_style = 4, 
    msg = 0x7fb3cef02340 "otp-md5 94 a1i155581"}, {msg_style = 1, 
    msg = 0x7fb3cef04690 "S/Key response or system password: "}}
        pmessage = {0x7fffd876f350, 0x7fffd876f360}
        conv = (struct pam_conv *) 0x6344f0
        presponse = (struct pam_response *) 0x0
        i = 2
#1  0x00007fb3cef03f08 in pam_sm_authenticate (pamh=0x634330, flags=32768, 
    argc=0, argv=0x0) at pam_skey.c:144
        challenge = 0x7fb3cef02340 "otp-md5 94 a1i155581"
        username = 0x6344d0 "ulm"
        response = 0x0
        status = 0
        mod_opt = 0
#2  0x00007fb3d0349ee9 in ?? () from /lib/libpam.so.0
No symbol table info available.
#3  0x00007fb3d03497c3 in pam_authenticate () from /lib/libpam.so.0
No symbol table info available.
#4  0x000000000040d90d in pam_verify (pw=0x631c20, 
    prompt=0x630970 "Password:", auth=0x629740) at ./auth/pam.c:141
        s = 0x7fffd876f510 "p\tc"
        pam_status = (int *) 0x629db0
#5  0x000000000040d4ef in verify_user (pw=0x631c20, 
    prompt=0x630970 "Password:") at ./auth/sudo_auth.c:187
        counter = 3
        success = 1
        status = 0
        flags = 0
        p = 0x630970 "Password:"
        auth = (sudo_auth *) 0x629740
        sa = {__sigaction_handler = {sa_handler = 0, sa_sigaction = 0}, 
  sa_mask = {__val = {0 <repeats 16 times>}}, sa_flags = 268435456, 
  sa_restorer = 0}
        osa = {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1}, 
  sa_mask = {__val = {0, 140736825062768, 140410266840672, 6506352, 17, 
      140736825062768, 4337537, 140736825063096, 140410263823548, 18, 
      140410263776323, 4222451712, 6506352, 6506352, 6506352, 6506352}}, 
  sa_flags = 335544320, sa_restorer = 0x7fb3cfe177f0}
#6  0x000000000040e22c in check_user (validated=2, mode=1) at ./check.c:136
        timestampdir = 0x6340a0 "/var/run/sudo/ulm"
        timestampfile = 0x0
        prompt = 0x630970 "Password:"
        status = 2
#7  0x00000000004162e6 in main (argc=3, argv=0x7fffd876f8d8, 
    envp=0x7fffd876f8f8) at ./sudo.c:431
        sources = 1
        validated = 2
        fd = 32691
        cmnd_status = 1
        sudo_mode = 1
        pwflag = 0
        rc = 0
        sa = {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1}, 
  sa_mask = {__val = {0 <repeats 16 times>}}, sa_flags = 268435456, 
  sa_restorer = 0}
        nss = (struct sudo_nss *) 0x0
(gdb) list 239,253
239       /* Do conversation and see if all is OK */
240       if (pam_get_item(pamh, PAM_CONV, (const void **)(void *)&conv)
241           != PAM_SUCCESS)
242       {
243         LOGDEBUG((LOG_DEBUG, "error in conversation"));
244         return PAM_SERVICE_ERR;
245       }
246       /* Convert into pam_response */
247       if (conv->conv(i, (const struct pam_message **)pmessage, &presponse,
248             conv->appdata_ptr)
249         != PAM_SUCCESS)
250       {
251         _pam_delete(presponse->resp);
252         return PAM_SERVICE_ERR;
253       }

Looks like a NULL pointer check for presponse is missing.
Comment 3 Ulrich Müller gentoo-dev 2010-01-22 12:25:49 UTC
Created attachment 217163
pam-skey-1.1.5-presponse-segfault.patch

Does attached patch fix the problem for you?
Comment 4 Ulrich Müller gentoo-dev 2010-01-22 16:22:06 UTC
Created attachment 217179
pam-skey-1.1.5-presponse-segfault.patch

Updated patch, passes status from the conversation function to the caller.
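The shape of the fix that comments 2 and 4 describe, as an added example that is neither pam_skey's code nor the attached patch: the module-side conversation step checks the conversation status and the response pointer before touching it (an aborted prompt can come back with presponse still NULL) and hands the conversation function's own status back to the caller. The PAM types and status codes are re-declared inline so the program builds without libpam; the two application-side conversation functions, the demo_conversation driver and the reply string are constructed for the example.

```c
/* Added example, not code from pam_skey or from the attached patch.
 * PAM types and status codes are re-declared inline (mirroring
 * <security/pam_appl.h>) so it builds without libpam; both conversation
 * functions below are constructed stand-ins for the application side. */
#include <stdlib.h>
#include <string.h>

#define PAM_SUCCESS          0
#define PAM_BUF_ERR          5
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_TEXT_INFO        4

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int num_msg, const struct pam_message **msg,
                struct pam_response **resp, void *appdata_ptr);
    void *appdata_ptr;
};

/* Overwrite a secret before freeing it (volatile keeps the compiler from
 * dropping the overwrite); NULL is accepted, like free(). */
static void wipe_free(char *s)
{
    if (!s) return;
    for (volatile char *p = s; *p; p++) *p = 0;
    free(s);
}

/* Hardened conversation step: presponse is touched only when the
 * conversation succeeded, and the conversation function's own status is
 * handed back. On success *response owns the reply; wipe_free() it. */
static int talk_touser(const struct pam_conv *conv, const char *info_text,
                       const char *prompt_text, char **response)
{
    struct pam_message message[2];
    const struct pam_message *pmessage[2];
    struct pam_response *presponse = NULL;
    int i = 0, k, status;

    *response = NULL;
    if (info_text) {                 /* the challenge, e.g. "otp-md5 94 ..." */
        message[i].msg_style = PAM_TEXT_INFO;
        message[i].msg = info_text;
        pmessage[i] = &message[i];
        i++;
    }
    message[i].msg_style = PAM_PROMPT_ECHO_OFF;
    message[i].msg = prompt_text;
    pmessage[i] = &message[i];
    i++;

    status = conv->conv(i, pmessage, &presponse, conv->appdata_ptr);
    if (status != PAM_SUCCESS || presponse == NULL) {
        /* An interrupted prompt (SIGINT inside sudo's tgetpass) lands here
         * with presponse still NULL; free only what actually exists. */
        if (presponse) {
            for (k = 0; k < i; k++) wipe_free(presponse[k].resp);
            free(presponse);
        }
        return status != PAM_SUCCESS ? status : PAM_CONV_ERR;
    }
    *response = presponse[i - 1].resp;    /* answer to the prompt */
    for (k = 0; k < i - 1; k++) wipe_free(presponse[k].resp);
    free(presponse);
    return *response ? PAM_SUCCESS : PAM_CONV_ERR;
}

/* Constructed application side 1: the user hit CTRL-C, the application
 * reports an error and leaves *resp untouched (the shape that crashed). */
static int conv_interrupted(int num_msg, const struct pam_message **msg,
                            struct pam_response **resp, void *appdata_ptr)
{
    (void)num_msg; (void)msg; (void)resp; (void)appdata_ptr;
    return PAM_CONV_ERR;
}

/* Constructed application side 2: answers each prompt with a fixed reply
 * (a real application reads it from the terminal). */
static int conv_answers(int num_msg, const struct pam_message **msg,
                        struct pam_response **resp, void *appdata_ptr)
{
    static const char reply[] = "constructed-otp-reply";
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r);
    (void)appdata_ptr;
    if (!r) return PAM_BUF_ERR;
    for (int k = 0; k < num_msg; k++) {
        if (msg[k]->msg_style != PAM_PROMPT_ECHO_OFF) continue;
        r[k].resp = malloc(sizeof reply);
        if (!r[k].resp) { free(r); return PAM_BUF_ERR; }
        memcpy(r[k].resp, reply, sizeof reply);
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Run the module-side code against either application behaviour. */
int demo_conversation(int interrupted, char **response)
{
    struct pam_conv conv = { interrupted ? conv_interrupted : conv_answers, NULL };
    return talk_touser(&conv, "otp-md5 94 a1i155581",
                       "S/Key response or system password: ", response);
}
```

Calling demo_conversation(1, &r) models the CTRL-C path from the backtrace above: the conversation returns an error without allocating a response array, and the hardened step returns that status with r left NULL instead of dereferencing presponse. demo_conversation(0, &r) models a normal answer, after which the caller owns r and should release it with wipe_free() so the one-time password does not linger in freed memory.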
Comment 5 Ulrich Müller gentoo-dev 2010-02-02 10:59:28 UTC
(In reply to comment #4)
> Created an attachment (id=217179) [details]
> pam-skey-1.1.5-presponse-segfault.patch

*ping*

Can you test if this patch fixes the issue, please?
Comment 6 Ulrich Müller gentoo-dev 2010-02-05 21:09:48 UTC
Should be fixed in -r1.
Comment 7 Timothy Stotts 2010-02-06 18:27:49 UTC
(In reply to comment #6)
> Should be fixed in -r1.
> 

It no longer segfaults. Thanks.
Comment 8 Ulrich Müller gentoo-dev 2010-02-06 19:10:40 UTC
Thank you for reporting this bug.