Bug 1291554

Summary: lslogins crash when executed with buggy username
Product: Red Hat Enterprise Linux 7
Reporter: Mohit Agrawal <moagrawa>
Component: util-linux
Assignee: Karel Zak <kzak>
Status: CLOSED ERRATA
QA Contact: qe-baseos-daemons
Severity: high
Priority: urgent
Version: 7.3
CC: fkrska, jscotka, kzak, mkolaja, snagar, tbowling
Target Milestone: rc
Keywords: ZStream
Target Release: 7.3
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Clone Of:
: 1317953
Last Closed: 2016-11-03 21:25:49 UTC
Type: Bug
Bug Blocks: 1203710, 1289485, 1313485, 1317953

Description Mohit Agrawal 2015-12-15 06:51:14 UTC
Description of problem:
lslogins segfaults when executed with a buggy user name.

Version-Release number of selected component (if applicable):
util-linux-2.23.2-26.el7.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Execute lslogins with a buggy user name

Actual results:
lslogins aborts due to scols_line_get_cell: Assertion `ln' failed, and it fails because the user does not exist.

Expected results:
It should not segfault.

Additional info:

Comment 1 Mohit Agrawal 2015-12-15 06:57:22 UTC
Hi,

After checking the lslogins code, it seems get_user_info returns NULL if the user does not exist, and initially errno is 0.


static struct lslogins_user *get_user_info(struct lslogins_control *ctl, const char *username)
{
        struct lslogins_user *user;
        struct passwd *pwd;
        struct group *grp;
        struct spwd *shadow;
        struct utmp *user_wtmp = NULL, *user_btmp = NULL;
        int n = 0;
        time_t time;
        uid_t uid;
        errno = 0;

        pwd = username ? getpwnam(username) : getpwent();
        if (!pwd)
                return NULL;

        .......
        .......

}

In function get_user, to check for an error it does a logical AND with errno, but if errno is 0 the code path will not execute even if user is NULL, so it will return 0. It should check if user is NULL and then return -1.

static int get_user(struct lslogins_control *ctl, struct lslogins_user **user, const char *username)
{
        *user = get_user_info(ctl, username);
        if (!*user && errno)
                if (IS_REAL_ERRNO(errno))
                        return -1;
        return 0;
}


I think after updating the above condition it will execute successfully.
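
The check discussed in comment 1, as an added example that is not part of this bug report or of util-linux: it contrasts a return code that hides "no such user" with one that reports it. All names (`demo_getpwnam`, `get_user_unchecked`, `get_user_checked`, `describe`) are hypothetical, and a constructed in-memory lookup stands in for getpwnam() so the code runs offline.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for getpwnam(): an unknown name yields NULL with errno
 * left untouched; a failed lookup yields NULL with errno set. */
static struct passwd demo_root = { .pw_name = "root", .pw_uid = 0 };

static struct passwd *demo_getpwnam(const char *name)
{
    if (strcmp(name, "io-failure") == 0)    /* constructed error case */
        errno = EIO;
    return strcmp(name, "root") == 0 ? &demo_root : NULL;
}

/* Check as in the report (IS_REAL_ERRNO filter omitted): NULL with errno == 0 returns 0. */
static int get_user_unchecked(struct passwd **user, const char *name)
{
    errno = 0;
    *user = demo_getpwnam(name);
    if (!*user && errno)
        return -1;
    return 0;
}

/* Hypothetical checked variant: 0 = found, 1 = no such user, -1 = error. */
static int get_user_checked(struct passwd **user, const char *name)
{
    errno = 0;
    *user = demo_getpwnam(name);
    return *user ? 0 : (errno ? -1 : 1);
}

/* Caller that only dereferences the entry when one was returned. */
static const char *describe(const char *name)
{
    struct passwd *pw;
    int rc = get_user_checked(&pw, name);
    return rc == 0 ? pw->pw_name : rc == 1 ? "no such user" : "lookup failed";
}

int main(void)
{
    struct passwd *pw;
    printf("unchecked rc=%d, checked: %s\n", get_user_unchecked(&pw, "buggy"), describe("buggy"));
    return 0;
}
```

With the unchecked variant a caller sees success and a NULL entry for the same input, which is the state that reaches the `scols_line_get_cell` assertion described above.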

Comment 3 Karel Zak 2015-12-15 10:41:18 UTC
Fixed by upstream commit 123f0f5bf00635e5dd7e5cbc73f906bf2a0bed9c.

It would probably be nice to rebase all of lslogins.c to the current upstream. There are many other bugfixes.

Comment 15 Terry Bowling 2016-04-04 12:23:56 UTC
Does this also affect RHEL 6?  Should this be cloned?

Comment 16 Karel Zak 2016-04-04 14:21:21 UTC
(In reply to Terry Bowling from comment #15)
> Does this also affect RHEL 6?  Should this be cloned?

The most fatal issues should already be fixed in RHEL6.8 (see bug #1215840); the last missing things for RHEL6 are nonsense in the --help output.

Comment 20 errata-xmlrpc 2016-11-03 21:25:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2605.html