Bug 1545976

Summary: Coverity uncovered several issues in pam_pkcs11 that should be addressed.
Product: Red Hat Enterprise Linux 7
Reporter: Bob Relyea <rrelyea>
Component: pam_pkcs11
Assignee: Bob Relyea <rrelyea>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: medium
Priority: unspecified
Version: 7.0
CC: rpattath
Target Milestone: rc
Hardware: All
OS: Unspecified
Fixed In Version: pam_pkcs11-0.6.2-29.el7
Doc Type: No Doc Update
Last Closed: 2018-10-30 11:35:40 UTC
Type: Bug

Description Bob Relyea 2018-02-16 00:33:05 UTC
Buffer overflow:

pam_pkcs11-0.6.2/src/common/strings.c:173: alloc_strlen: Allocating insufficient memory for the terminating null of the string. 
pam_pkcs11-0.6.2/src/common/cert_info.c:238: overrun-local: Overrunning array "results" of 16 8-byte elements at element index 16 (byte offset 128) using index "i" (which evaluates to 16). 
------------------------------------------------
Invalid Dereference:

pam_pkcs11-0.6.2/src/tools/pkcs11_setup.c:88: var_deref_op: Dereferencing null pointer "item". 
pam_pkcs11-0.6.2/src/tools/pkcs11_setup.c:58: var_deref_op: Dereferencing null pointer "item". 
pam_pkcs11-0.6.2/src/common/cert_info.c:238: overrun-local: Overrunning array "results" of 16 8-byte elements at element index 16 (byte offset 128) using index "i" (which evaluates to 16). 

-----------------------------
Use after free:

pam_pkcs11-0.6.2/src/common/uri.c:392: deref_after_free: Dereferencing freed pointer "info". 
return is missing in the error path.
-----------------------------------

Dead code:
 Defect type: UNREACHABLE
1. pam_pkcs11-0.6.2/src/pam_pkcs11/pam_pkcs11.c:682: unreachable: This code cannot be reached: "memset(password, 0, strlen(...".
#   680|   
#   681|       /* quick and dirty fail exit point */
#   682|->     memset(password, 0, strlen(password));
#   683|       free(password); /* erase and free in-memory password data */
#   684|   
   * Code block just needs to be removed.
-------------------------------------------------


Compiler warnings:

1. Defect type: COMPILER_WARNING
2. pam_pkcs11-0.6.2/src/tools/pklogin_finder.c:129:18: warning: initialization discards 'const' qualifier from pointer target type [enabled by default]
2. Defect type: COMPILER_WARNING
2. pam_pkcs11-0.6.2/src/tools/pkcs11_listcerts.c:125:16: warning: initialization discards 'const' qualifier from pointer target type [enabled by default]
3. Defect type: COMPILER_WARNING
2. pam_pkcs11-0.6.2/src/tools/pkcs11_inspect.c:130:18: warning: initialization discards 'const' qualifier from pointer target type [enabled by default]

1. pam_pkcs11-0.6.2/src/pam_pkcs11/pam_pkcs11.c:651:5: warning: field precision specifier '.*' expects argument of type 'int', but argument 4 has type 'long unsigned int' [-Wformat=]
11. Defect type: COMPILER_WARNING
1. pam_pkcs11-0.6.2/src/pam_pkcs11/pam_pkcs11.c:631:5: warning: field precision specifier '.*' expects argument of type 'int', but argument 4 has type 'long unsigned int' [-Wformat=]
12. Defect type: COMPILER_WARNING
2. pam_pkcs11-0.6.2/src/pam_pkcs11/pam_pkcs11.c:615:5: warning: field precision specifier '.*' expects argument of type 'int', but argument 4 has type 'long unsigned int' [-Wformat=]
16. Defect type: COMPILER_WARNING
2. pam_pkcs11-0.6.2/src/mappers/ldap_mapper.c:845:3: warning: pointer targets in passing argument 1 of 'ldap_encode_escapes' differ in signedness [-Wpointer-sign]
20. Defect type: COMPILER_WARNING
1. pam_pkcs11-0.6.2/src/common/cert_info.c:236:20: warning: assignment discards 'const' qualifier from pointer target type [enabled by default]
21. Defect type: COMPILER_WARNING
2. pam_pkcs11-0.6.2/src/common/cert_info.c:234:28: warning: assignment discards 'const' qualifier from pointer target type [enabled by default]
22. Defect type: COMPILER_WARNING
2. pam_pkcs11-0.6.2/src/common/algorithm.c:56:5: warning: return discards 'const' qualifier from pointer target type [enabled by default]
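
The three memory-safety findings in the description above (alloc_strlen, overrun-local, deref_after_free), shown as corrected patterns in an added example. This is not pam_pkcs11 source or the fix shipped in the erratum; dup_string, collect, parse_label and struct info are hypothetical names, and the fill-then-terminate loop behind the overrun is an assumption, since the report gives only the array size and the index.

```c
/* Added illustration: hypothetical helpers, not pam_pkcs11 source code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RESULTS 16  /* the report's "results" array has 16 elements */

/* alloc_strlen: malloc(strlen(s)) leaves no byte for the terminating NUL. */
char *dup_string(const char *s) {
    size_t len = strlen(s);
    char *copy = malloc(len + 1);          /* flagged form: malloc(len) */
    if (copy != NULL)
        memcpy(copy, s, len + 1);          /* copies the NUL as well */
    return copy;
}

/* overrun-local (assumed pattern): fill the array, then NULL-terminate it.
 * With the bound "i < MAX_RESULTS" the terminator lands on results[16]. */
size_t collect(const char **in, size_t n, const char *results[MAX_RESULTS]) {
    size_t i;
    for (i = 0; i < n && i < MAX_RESULTS - 1; i++)
        results[i] = in[i];
    results[i] = NULL;                     /* i is at most 15 here */
    return i;
}

struct info { char *label; };
/* deref_after_free: the error path must return right after free(info). */
int parse_label(const char *text, char **out) {
    struct info *info = malloc(sizeof *info);
    if (info == NULL)
        return -1;
    info->label = (text != NULL && *text != '\0') ? dup_string(text) : NULL;
    if (info->label == NULL) {
        free(info);
        return -1;                         /* flagged form fell through here */
    }
    *out = info->label;                    /* info is still valid at this point */
    free(info);
    return 0;
}

int main(void) {
    char *label = NULL;
    int rc = parse_label("token", &label);
    printf("rc=%d label=%s\n", rc, label ? label : "(none)");
    free(label);
    return 0;
}
```

Building this with -fsanitize=address and reverting any one of the three marked lines to its flagged form makes the corresponding defect visible at run time.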

Comment 3 Bob Relyea 2018-06-21 17:45:02 UTC
fixed in pam_pkcs11-0.6.2-29.el7

Comment 5 Roshni 2018-08-01 15:18:31 UTC
[root@dhcp129-188 ~]# rpm -qi pam_pkcs11
Name        : pam_pkcs11
Version     : 0.6.2
Release     : 30.el7
Architecture: x86_64
Install Date: Tue 31 Jul 2018 10:10:59 AM EDT
Group       : System Environment/Base
Size        : 1101020
License     : LGPLv2+
Signature   : RSA/SHA256, Fri 22 Jun 2018 12:41:17 PM EDT, Key ID 199e2f91fd431d51
Source RPM  : pam_pkcs11-0.6.2-30.el7.src.rpm
Build Date  : Thu 21 Jun 2018 07:47:56 PM EDT
Build Host  : x86-017.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.opensc-project.org/pam_pkcs11
Summary     : PKCS #11/NSS PAM login module

Coverity scan passed on the errata for this build.

Comment 7 errata-xmlrpc 2018-10-30 11:35:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3258