Bug 990311

Summary: pam_ldap module leaks memory when changing password
Product: Red Hat Enterprise Linux 6 Reporter: David Rennalls <david_rennalls>
Component: pam_ldapAssignee: Nalin Dahyabhai <nalin>
Status: CLOSED WONTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4CC: jhrozek
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-07-19 20:14:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Test program
none
Proposed patch none

Description David Rennalls 2013-07-30 20:58:20 UTC 
Created attachment 780838 [details]
Test program

Description of problem:
from http://www.linux-pam.org/Linux-PAM-html/mwg-expected-by-module-item.html#mwg-pam_conv
The PAM library uses an application-defined callback to allow a direct communication between a loaded module and the application. This callback is specified by the struct pam_conv passed to pam_start(3) at the start of the transaction.

When a module calls the referenced conv() function, the argument appdata_ptr is set to the second element of this structure.

The other arguments of a call to conv() concern the information exchanged by module and application. That is to say, num_msg holds the length of the array of pointers, msg. After a successful return, the pointer resp points to an array of pam_response structures, holding the application supplied text. The resp_retcode member of this struct is unused and should be set to zero. It is the caller's responsibility to release both, this array and the responses themselves, using free(3). Note, *resp is a struct pam_response array and not an array of pointers.

The number of responses is always equal to the num_msg conversation function argument. This does require that the response array is free(3)'d after every call to the conversation function. The index of the responses corresponds directly to the prompt index in the pam_message array.

On failure, the conversation function should release any resources it has allocated, and return one of the predefined PAM error codes.

........


The "caller" of the conversation function in this case is the pam_ldap module. It's not releasing memory that's allocated in our conversation function as it should. 

Version-Release number of selected component (if applicable):
pam_ldap-185-11.el6.i686.rpm

How reproducible:
Always

Steps to Reproduce:
1. Add a user to openldap
[root@here ~]# cat user.ldif
dn: cn=John Smith,ou=Users,dc=test,dc=local
cn: John Smith
objectClass: person
objectClass: inetOrgPerson
sn: Smith
uid: smithj

[root@here ~]# sudo ldapadd -x -D  cn=root,dc=test,dc=local -W -f user.ldif
Enter LDAP Password:
adding new entry "cn=John Smith,ou=Users,dc=test,dc=local"

2. Compile and run test program under valgrind
gcc -o chpass chpass.c -lpam
valgrind --leak-check=yes ./chpass smithj password

Actual results:
[root@here ~]# valgrind --leak-check=yes ./chpass smithj password
==17461== Memcheck, a memory error detector
==17461== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==17461== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==17461== Command: ./chpass smithj password
==17461==
PAM sucessfully started
==17461== Use of uninitialised value of size 4
==17461==    at 0x46A72AE: pam_sm_chauthtok (pam_ldap.c:2651)
==17461==    by 0x404043E: _pam_dispatch (pam_dispatch.c:110)
==17461==    by 0x4044832: pam_chauthtok (pam_password.c:46)
==17461==    by 0x8048C55: main (chpass.c:113)
==17461==
LDAP password information changed for smithj
Succesful call to pam_chauthok: 0
==17461==
==17461== HEAP SUMMARY:
==17461==     in use at exit: 18,739 bytes in 145 blocks
==17461==   total heap usage: 2,517 allocs, 2,372 frees, 216,462 bytes allocated
==17461==
==17461== 8 bytes in 1 blocks are definitely lost in loss record 14 of 77
==17461==    at 0x4026011: calloc (vg_replace_malloc.c:593)
==17461==    by 0x8048826: converse (chpass.c:31)
==17461==    by 0x46A0902: _conv_sendmsg (pam_ldap.c:3462)
==17461==    by 0x46A6BE2: pam_sm_chauthtok (pam_ldap.c:3986)
==17461==    by 0x404043E: _pam_dispatch (pam_dispatch.c:110)
==17461==    by 0x4044832: pam_chauthtok (pam_password.c:46)
==17461==    by 0x8048C55: main (chpass.c:113)
==17461==
==17461== 9 bytes in 1 blocks are definitely lost in loss record 15 of 77
==17461==    at 0x4027282: malloc (vg_replace_malloc.c:270)
==17461==    by 0x40C541F: strdup (strdup.c:43)
==17461==    by 0x80488F7: converse (chpass.c:43)
==17461==    by 0x46A61E1: pam_sm_chauthtok (pam_ldap.c:3851)
==17461==    by 0x404043E: _pam_dispatch (pam_dispatch.c:110)
==17461==    by 0x4044832: pam_chauthtok (pam_password.c:46)
==17461==    by 0x8048C55: main (chpass.c:113)
==17461==
==17461== 9 bytes in 1 blocks are definitely lost in loss record 16 of 77
==17461==    at 0x4027282: malloc (vg_replace_malloc.c:270)
==17461==    by 0x40C541F: strdup (strdup.c:43)
==17461==    by 0x80488F7: converse (chpass.c:43)
==17461==    by 0x46A626F: pam_sm_chauthtok (pam_ldap.c:3901)
==17461==    by 0x404043E: _pam_dispatch (pam_dispatch.c:110)
==17461==    by 0x4044832: pam_chauthtok (pam_password.c:46)
==17461==    by 0x8048C55: main (chpass.c:113)
==17461==
==17461== LEAK SUMMARY:
==17461==    definitely lost: 26 bytes in 3 blocks
==17461==    indirectly lost: 0 bytes in 0 blocks
==17461==      possibly lost: 0 bytes in 0 blocks
==17461==    still reachable: 18,713 bytes in 142 blocks
==17461==         suppressed: 0 bytes in 0 blocks
==17461== Reachable blocks (those to which a pointer was found) are not shown.
==17461== To see them, rerun with: --leak-check=full --show-reachable=yes
==17461==
==17461== For counts of detected and suppressed errors, rerun with: -v
==17461== Use --track-origins=yes to see where uninitialised values come from
==17461== ERROR SUMMARY: 11 errors from 4 contexts (suppressed: 130 from 13)


Expected results:
No leaks

Additional info:
Comment 1 David Rennalls 2013-07-30 21:01:24 UTC 
Created attachment 780841 [details]
Proposed patch

..leak report when running with the proposed patch
[root@here ~]# valgrind --leak-check=yes ./chpass smithj password
==19607== Memcheck, a memory error detector
==19607== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==19607== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==19607== Command: ./chpass smithj password
==19607==
PAM sucessfully started
==19607== Use of uninitialised value of size 4
==19607==    at 0x46A724A: pam_sm_chauthtok (in /root/lib/security/pam_ldap.so)
==19607==    by 0x404043E: _pam_dispatch (pam_dispatch.c:110)
==19607==    by 0x4044832: pam_chauthtok (pam_password.c:46)
==19607==    by 0x8048C55: main (chpass.c:113)
==19607==
LDAP password information changed for smithj
Succesful call to pam_chauthok: 0
==19607==
==19607== HEAP SUMMARY:
==19607==     in use at exit: 18,713 bytes in 142 blocks
==19607==   total heap usage: 2,517 allocs, 2,375 frees, 216,462 bytes allocated
==19607==
==19607== LEAK SUMMARY:
==19607==    definitely lost: 0 bytes in 0 blocks
==19607==    indirectly lost: 0 bytes in 0 blocks
==19607==      possibly lost: 0 bytes in 0 blocks
==19607==    still reachable: 18,713 bytes in 142 blocks
==19607==         suppressed: 0 bytes in 0 blocks
==19607== Reachable blocks (those to which a pointer was found) are not shown.
==19607== To see them, rerun with: --leak-check=full --show-reachable=yes
==19607==
==19607== For counts of detected and suppressed errors, rerun with: -v
==19607== Use --track-origins=yes to see where uninitialised values come from
==19607== ERROR SUMMARY: 8 errors from 1 contexts (suppressed: 130 from 13)
Comment 3 RHEL Program Management 2013-10-13 23:19:14 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 4 Jakub Hrozek 2016-07-19 20:14:56 UTC 
Thank you for the bug report.

Since RHEL-6 is transitioning to production phase 2 where only urgent and high priority bugs are being fixed, I'm going to close this issue as WONTFIX.

I would suggest to migrate to SSSD going forward.