Bug 1701092

Summary: segfault when using pam passthru and addn plugins together
Product: Red Hat Enterprise Linux 7 Reporter: Scott Nicholas <scott.a.nicholas4.ctr>
Component: 389-ds-baseAssignee: mreynolds
Status: CLOSED ERRATA QA Contact: RHDS QE <ds-qe-bugs>
Severity: low Docs Contact:
Priority: high    
Version: 7.6CC: ebock, lkrispen, msauton, nkinder, pasik, rmeggins, scott.a.nicholas4.ctr, spichugi, tbordaz, vashirov
Target Milestone: rcKeywords: ZStream
Target Release: 7.7   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.3.9.1-8.el7 Doc Type: Bug Fix
Doc Text:
Cause: Using PAM plugin and Addn plugin in Directory Server. Consequence: The server can crash when deferenceing a NULL DN pointer. Fix: Check for NULL before dereferencing the normalized DN pointer. Result: The server does not crash.
 Story Points: ---
Clone Of:
: 1718184 1721912 (view as bug list) Environment:
Last Closed: 2019-08-06 12:59:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1718184, 1721912    

Description Scott Nicholas 2019-04-18 03:40:27 UTC 
Description of problem:

A device I have only does LDAP auth to Active Directory. Therefore I have configured the PAM passthru plugin and addn plugin to dirsrv. I then setup pam to use pam_radius_auth, but I don't think that is required to reproduce this. If an attempt is made to bind to a dn that doesn't exist, ns-slapd segfaults:

kernel: ns-slapd[26414]: segfault at 0 ip 00007ff0e692a91d sp 00007ff0d12df6c0 error 4 in libpam-passthru-plugin.so[7ff0e6925000+8000]

Version-Release number of selected component (if applicable):

389-ds-base-1.3.8.4-23.el7.x86_64

How reproducible:

100% once minimal configuration made on fresh install of ipa-server with 389-ds-base.

Steps to Reproduce:
1. configure addn plugin per https://www.port389.org/docs/389ds/howto/howto-addn.html
2. configure pam passthru per https://directory.fedoraproject.org/docs/389ds/howto/howto-pam-pass-through.html
3. attempt to ldapsearch -D 'bob' (or any nonexistant user)

Actual results:
ldapsearch fails that server is unavailable

Expected results:
query results.

Additional info:

gdb output -- 

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffd1988700 (LWP 27086)]
0x00007fffe5fd091d in pam_passthru_bindpreop (pb=0x5555572f9980) at ldap/servers/plugins/pam_passthru/pam_ptpreop.c:439
439         if ((method != LDAP_AUTH_SIMPLE) || (*normbinddn == '\0') ||


the non-pam ldap/servers/plugins/passthru/ptpreop.c does this:

   121      normbinddn = slapi_sdn_get_dn(sdn);
   122      if (normbinddn == NULL) {
   123          normbinddn = "";
   124      }

but looks like pam_passthru has no NULL check. I am so far successful using this patch:

[root@kdc1 SOURCES]# cat 0024-Fix-pam-passthrough.patch
diff -ru a/ldap/servers/plugins/pam_passthru/pam_ptpreop.c b/ldap/servers/plugins/pam_passthru/pam_ptpreop.c
--- a/ldap/servers/plugins/pam_passthru/pam_ptpreop.c   2018-06-21 12:55:37.000000000 -0400
+++ b/ldap/servers/plugins/pam_passthru/pam_ptpreop.c   2019-04-17 22:55:25.847280405 -0400
@@ -436,8 +436,8 @@
      * We only handle simple bind requests that include non-NULL binddn and
      * credentials.  Let the Directory Server itself handle everything else.
      */
-    if ((method != LDAP_AUTH_SIMPLE) || (*normbinddn == '\0') ||
-        (creds->bv_len == 0)) {
+    if ((method != LDAP_AUTH_SIMPLE) || (normbinddn == NULL) ||
+        (*normbinddn == '\0') || (creds->bv_len == 0)) {
         slapi_log_err(SLAPI_LOG_PLUGIN, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
                       "pam_passthru_bindpreop - Not handled (not simple bind or NULL dn/credentials)\n");
         return retcode;
Comment 2 mreynolds 2019-05-20 19:12:28 UTC 
Fixed upstream
Comment 7 Viktor Ashirov 2019-06-21 13:32:12 UTC 
============================================================================ test session starts =============================================================================
platform linux -- Python 3.6.3, pytest-4.6.3, py-1.8.0, pluggy-0.12.0 -- /opt/rh/rh-python36/root/usr/bin/python3
cachedir: .pytest_cache
389-ds-base: 1.3.9.1-10.el7
nss: 3.44.0-4.el7
nspr: 4.21.0-1.el7
openldap: 2.4.44-21.el7_6
cyrus-sasl: 2.1.26-23.el7
FIPS: disabled
rootdir: /workspace/ds/dirsrvtests, inifile: pytest.ini
collected 1 item                                                                                                                                                             

dirsrvtests/tests/suites/plugins/regression_test.py::test_crash_in_pam_pta_plugin_when_user_doesnt_exist PASSED                                                        [100%]

=================================================================== 1 passed, 3 warnings in 19.65 seconds ====================================================================
Comment 9 errata-xmlrpc 2019-08-06 12:59:17 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2152