Bug 438844

Summary: buffer overflow in audit_log_user_command
Product: Red Hat Enterprise Linux 5
Reporter: Steve Grubb <sgrubb>
Component: audit
Assignee: Steve Grubb <sgrubb>
Status: CLOSED ERRATA
QA Contact: Brian Brock <bbrock>
Severity: high
Docs Contact:
Priority: high
Version: 5.2
CC: ebenes
Target Milestone: rc
Target Release: ---
Hardware: i386
OS: Linux
Whiteboard:
Fixed In Version: RHEA-2008-0358
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-21 14:32:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 440275

Description Steve Grubb 2008-03-25 16:02:21 UTC
+++ This bug was initially created as a clone of Bug #438840 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2; en-us)
AppleWebKit/525.13 (KHTML, like Gecko) Version/3.1 Safari/525.13

Description of problem:
[joe@rawhide src2]$ sudo yum -c repos/build-yum.conf localinstall
Linux_i386/BUILD/repo/*rpm

*** buffer overflow detected ***: sudo terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x48)[0x29e768]
/lib/libc.so.6[0x29c880]
/lib/libc.so.6(__strcpy_chk+0x44)[0x29bb54]
/lib/libaudit.so.0(audit_log_user_command+0x1f8)[0x319f68]
sudo[0xb7f2da4d]
sudo(main+0x882)[0xb7f20fa2]
/lib/libc.so.6(__libc_start_main+0xe6)[0x1bb606]
sudo[0xb7f19d31]
======= Memory map: ========
00110000-0012f000 r-xp 00000000 08:02 6128329    /lib/ld-2.7.90.so
0012f000-00130000 r--p 0001e000 08:02 6128329    /lib/ld-2.7.90.so
00130000-00131000 rw-p 0001f000 08:02 6128329    /lib/ld-2.7.90.so
00131000-00132000 r-xp 00131000 00:00 0          [vdso]
00132000-0014c000 r-xp 00000000 08:02 6128112    /lib/libselinux.so.1
0014c000-0014d000 r--p 00019000 08:02 6128112    /lib/libselinux.so.1
0014d000-0014e000 rw-p 0001a000 08:02 6128112    /lib/libselinux.so.1
0014e000-00151000 r-xp 00000000 08:02 6128347    /lib/libcap.so.2.06
00151000-00152000 rw-p 00003000 08:02 6128347    /lib/libcap.so.2.06
00152000-0015d000 r-xp 00000000 08:02 6127799    /lib/libpam.so.0.81.10
0015d000-0015e000 rw-p 0000a000 08:02 6127799    /lib/libpam.so.0.81.10
0015e000-00161000 r-xp 00000000 08:02 6128333    /lib/libdl-2.7.90.so
00161000-00162000 r--p 00002000 08:02 6128333    /lib/libdl-2.7.90.so
00162000-00163000 rw-p 00003000 08:02 6128333    /lib/libdl-2.7.90.so
00163000-001a3000 r-xp 00000000 08:02 23068816   /usr/lib/libldap-2.4.so.2.0.4
001a3000-001a5000 rw-p 0003f000 08:02 23068816   /usr/lib/libldap-2.4.so.2.0.4
001a5000-0030f000 r-xp 00000000 08:02 6128330    /lib/libc-2.7.90.so
0030f000-00311000 r--p 0016a000 08:02 6128330    /lib/libc-2.7.90.so
00311000-00312000 rw-p 0016c000 08:02 6128330    /lib/libc-2.7.90.so
00312000-00315000 rw-p 00312000 00:00 0 
00315000-00329000 r-xp 00000000 08:02 6127769    /lib/libaudit.so.0.0.0
00329000-0032a000 r--p 00013000 08:02 6127769    /lib/libaudit.so.0.0.0
0032a000-0032b000 rw-p 00014000 08:02 6127769    /lib/libaudit.so.0.0.0
0032b000-00339000 r-xp 00000000 08:02 20717071   /usr/lib/liblber-2.4.so.2.0.4
00339000-0033a000 rw-p 0000d000 08:02 20717071   /usr/lib/liblber-2.4.so.2.0.4
0033a000-0034b000 r-xp 00000000 08:02 6128331    /lib/libresolv-2.7.90.so
0034b000-0034c000 r--p 00010000 08:02 6128331    /lib/libresolv-2.7.90.so
0034c000-0034d000 rw-p 00011000 08:02 6128331    /lib/libresolv-2.7.90.so
0034d000-0034f000 rw-p 0034d000 00:00 0 
0034f000-00367000 r-xp 00000000 08:02 20717024   /usr/lib/libsasl2.so.2.0.22
00367000-00368000 rw-p 00017000 08:02 20717024   /usr/lib/libsasl2.so.2.0.22
00368000-003af000 r-xp 00000000 08:02 6128205    /lib/libssl.so.0.9.8g
003af000-003b3000 rw-p 00046000 08:02 6128205    /lib/libssl.so.0.9.8g
003b3000-004ea000 r-xp 00000000 08:02 6127727    /lib/libcrypto.so.0.9.8g
004ea000-004fe000 rw-p 00136000 08:02 6127727    /lib/libcrypto.so.0.9.8g
004fe000-00501000 rw-p 004fe000 00:00 0 
00501000-0050b000 r-xp 00000000 08:02 6128335    /lib/libcrypt-2.7.90.so
0050b000-0050c000 r--p 00009000 08:02 6128335    /lib/libcrypt-2.7.90.so
0050c000-0050d000 rw-p 0000a000 08:02 6128335    /lib/libcrypt-2.7.90.so
0050d000-00534000 rw-p 0050d000 00:00 0 
00534000-00561000 r-xp 00000000 08:02 23068795   /usr/lib/libgssapi_krb5.so.2.2
00561000-00563000 rw-p 0002d000 08:02 23068795   /usr/lib/libgssapi_krb5.so.2.2
00563000-00600000 r-xp 00000000 08:02 23068794   /usr/lib/libkrb5.so.3.3
00600000-00603000 rw-p 0009c000 08:02 23068794   /usr/lib/libkrb5.so.3.3
00603000-00605000 r-xp 00000000 08:02 6128204    /lib/libcom_err.so.2.1
00605000-00606000 rw-p 00001000 08:02 6128204    /lib/libcom_err.so.2.1
00606000-0062a000 r-xp 00000000 08:02 23068793   /usr/lib/libk5crypto.so.3.1
0062a000-0062b000 rw-p 00024000 08:02 23068793   /usr/lib/libk5crypto.so.3.1
0062b000-0063e000 r-xp 00000000 08:02 6127832    /lib/libz.so.1.2.3
0063e000-0063f000 rw-p 00012000 08:02 6127832    /lib/libz.so.1.2.3
0063f000-00647000 r-xp 00000000 08:02 23068792   /usr/lib/libkrb5support.so.0.1
00647000-00648000 rw-p 00007000 08:02 23068792   /usr/lib/libkrb5support.so.0.1
00648000-0064a000 r-xp 00000000 08:02 6128349    /lib/libkeyutils-1.2.so
0064a000-0064b000 rw-p 00001000 08:02 6128349    /lib/libkeyutils-1.2.so
0064b000-00656000 r-xp 00000000 08:02 6127737    /lib/libnss_files-2.7.90.so
00656000-00657000 r--p 0000a000 08:02 6127737    /lib/libnss_files-2.7.90.so
00657000-00658000 rw-p 0000b000 08:02 6127737    /lib/libnss_files-2.7.90.so
00658000-00665000 r-xp 00000000 08:02 6128116    /lib/libgcc_s-4.3.0-20080314.so.1
00665000-00666000 rw-p 0000c000 08:02 6128116    /lib/libgcc_s-4.3.0-20080314.so.1
b7cff000-b7eff000 r--p 00000000 08:02 20715806   /usr/lib/locale/locale-archive
b7eff000-b7f05000 rw-p b7eff000 00:00 0 
b7f0f000-b7f16000 r--s 00000000 08:02 20744117   /usr/lib/gconv/gconv-modules.cache
b7f16000-b7f39000 r-xp 00000000 08:02 20720623   /usr/bin/sudo
b7f39000-b7f3a000 rw-p 00023000 08:02 20720623   /usr/bin/sudo
b7f3a000-b7f3d000 rw-p b7f3a000 00:00 0 
b9949000-b996a000 rw-p b9949000 00:00 0          [heap]
bfd20000-bfd38000 rw-p bffe8000 00:00 0          [stack]
Aborted
[joe@rawhide src2]$ 

Version-Release number of selected component (if applicable):
audit-libs-devel-1.6.9-1.fc9.i386

How reproducible:
Always


Steps to Reproduce:
sudo yum -c repos/build-yum.conf localinstall Linux_i386/BUILD/repo/*rpm

with a few hundred rpms

Actual Results:
Backtrace

Expected Results:
rpm install

Additional info:
New behavior. Big update last night that did not include any audit components.
Prior to the update, this was not happening. Prior rawhide sync was on the 20th,
after which this problem did not occur.

sudo-1.6.9p13-3.fc9.i386 was installed last night. Perhaps the change was there.

-- Additional comment from sgrubb on 2008-03-25 11:37 EST --
Sudo was recently updated to log actions run. It looks like the number of args
exceeded what was expected. I'll add the fix in a new version of audit that I'm
working on right now.

Comment 5 Steve Grubb 2008-04-01 20:46:23 UTC
A problem was reported with the fix on this bug. 

Comment 10 Steve Grubb 2008-04-15 14:42:50 UTC
The fix for this bug is incomplete. It does not overflow anymore, but it's not
right. As it currently is, if there are no spaces in the command, meaning no
arguments given, then it records the cwd rather than the command. I have a patch
that corrects this.

Comment 12 Eduard Benes 2008-04-18 11:07:19 UTC
Confirming the issue mentioned in comment #10. Running the command without
arguments sets the cwd to cmd. And this is not good, the command is lost.

# rpm -q audit sudo
audit-1.6.5-8.el5.x86_64
sudo-1.6.8p12-12.el5.x86_64

# sudo ls
 ...
# sudo ls -l
 ...
# ausearch --start recent -m USER_CMD -i
----
type=USER_CMD msg=audit(04/18/2008 06:59:41.953:18958) : user pid=18081 uid=root auid=root subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='cwd=/mnt/qa/scratch/x86-64-5s-1-m1/2008:8029/tps cmd=/mnt/qa/scratch/x86-64-5s-1-m1/2008:8029/tps (terminal=pts/13 res=success)'
----
type=USER_CMD msg=audit(04/18/2008 07:00:07.471:18974) : user pid=18093 uid=root auid=root subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='cwd=/mnt/qa/scratch/x86-64-5s-1-m1/2008:8029/tps cmd=/bin/ls -l (terminal=pts/13 res=success)'

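The two failure modes in comments 10 and 12 (a command line longer than the fixed buffer, and a command with no arguments that ends up logged as its cwd) are easy to pin down in a small C harness. The code below is an added example written for this page, not libaudit's or sudo's code: split_user_cmd and format_user_cmd are a hypothetical stand-in for what audit_log_user_command has to build, the 128-byte limit is a constructed value (the real buffer size is not given here), and the two records are the ausearch lines from comment 12 joined onto single lines. user_cmd_lost is the check a tester would run over real USER_CMD records to confirm that the rebuilt package records the command and not the directory.

```c
#include <stdio.h>
#include <string.h>

/* Constructed limit so the overflow path is easy to hit; the real libaudit
 * buffer size is not stated on this page. */
#define USER_CMD_MAX 128

/* Program and argument halves of a sudo-style command line. */
struct user_cmd {
    char program[USER_CMD_MAX];
    char args[USER_CMD_MAX];
};

/* Split "program arg1 arg2" into program and args with bounded copies.
 * The no-space case from comment 10 is handled: the whole line is the
 * program and args is empty. Returns 0, or -1 when a half would not fit,
 * so an over-long command line is rejected instead of overrunning memory. */
int split_user_cmd(const char *line, struct user_cmd *out)
{
    const char *sp = strchr(line, ' ');
    size_t plen = sp ? (size_t)(sp - line) : strlen(line);
    const char *args = sp ? sp + 1 : "";
    size_t alen = strlen(args);

    if (plen >= sizeof out->program || alen >= sizeof out->args)
        return -1;
    memcpy(out->program, line, plen);
    out->program[plen] = '\0';
    memcpy(out->args, args, alen + 1);   /* bounded: alen checked above */
    return 0;
}

/* Render the msg payload the way ausearch prints it: cwd=<cwd> cmd=<cmd>.
 * snprintf reports truncation instead of writing past buf. */
int format_user_cmd(const char *cwd, const struct user_cmd *c,
                    char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "cwd=%s cmd=%s%s%s", cwd, c->program,
                     c->args[0] ? " " : "", c->args);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

/* Copy the value following key (e.g. "cwd=") up to the next space or quote.
 * For cmd= this yields the program path only, which is what the check needs. */
static int field(const char *record, const char *key, char *val, size_t vallen)
{
    const char *p = strstr(record, key);
    size_t len;
    if (!p)
        return -1;
    p += strlen(key);
    len = strcspn(p, " '");
    if (len >= vallen)
        return -1;
    memcpy(val, p, len);
    val[len] = '\0';
    return 0;
}

/* Detect the symptom from comment 12 in one USER_CMD record: the program
 * path recorded as cmd equals cwd. A directory is never the executable, so
 * equality means the real command was lost. Returns 1 (lost), 0 (fine) or
 * -1 (a field is missing). */
int user_cmd_lost(const char *record)
{
    char cwd[256], cmd[256];
    if (field(record, "cwd=", cwd, sizeof cwd) < 0 ||
        field(record, "cmd=", cmd, sizeof cmd) < 0)
        return -1;
    return strcmp(cwd, cmd) == 0;
}

/* The two ausearch records from comment 12, joined onto single lines
 * (subj= field dropped for brevity). */
const char *const LOST_RECORD =
    "type=USER_CMD msg=audit(04/18/2008 06:59:41.953:18958) : user pid=18081 "
    "uid=root auid=root msg='cwd=/mnt/qa/scratch/x86-64-5s-1-m1/2008:8029/tps "
    "cmd=/mnt/qa/scratch/x86-64-5s-1-m1/2008:8029/tps (terminal=pts/13 res=success)'";
const char *const GOOD_RECORD =
    "type=USER_CMD msg=audit(04/18/2008 07:00:07.471:18974) : user pid=18093 "
    "uid=root auid=root msg='cwd=/mnt/qa/scratch/x86-64-5s-1-m1/2008:8029/tps "
    "cmd=/bin/ls -l (terminal=pts/13 res=success)'";

int main(void)
{
    struct user_cmd c;
    char msg[3 * USER_CMD_MAX];
    const char *lines[] = { "/bin/ls -l", "/bin/ls" };
    size_t i;

    for (i = 0; i < 2; i++) {
        if (split_user_cmd(lines[i], &c) == 0 &&
            format_user_cmd("/tmp", &c, msg, sizeof msg) == 0)
            printf("%s\n", msg);
    }
    printf("record 1 lost=%d, record 2 lost=%d\n",
           user_cmd_lost(LOST_RECORD), user_cmd_lost(GOOD_RECORD));
    return 0;
}
```

Feeding the output of `ausearch --start recent -m USER_CMD -i` line by line through user_cmd_lost after installing the rebuilt package from comment 13 gives a direct answer to whether the no-argument case is fixed; any record that still scores 1 means the command was dropped in favour of the directory.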


Comment 13 Steve Grubb 2008-04-20 21:24:06 UTC
audit-1.6.5-9.el5 was built to re-address this problem.

Comment 17 errata-xmlrpc 2008-05-21 14:32:54 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2008-0358.html