Bug 994626
| Field | Value |
|---|---|
| Summary | sudo -u <user> sudo -l show error: *** glibc detected *** sudo: realloc(): invalid next size: 0x00007f4ae2d10ec0 *** |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | jzhang |
| Component | sudo |
| Assignee | Daniel Kopeček <dkopecek> |
| Status | CLOSED ERRATA |
| QA Contact | David Spurek <dspurek> |
| Severity | urgent |
| Docs Contact | |
| Priority | high |
| Version | 6.4 |
| CC | dapospis, dspurek, ebenes, jzhang, ksrot, mvadkert, pvrabec, qe-baseos-security |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | sudo-1.8.6p3-8.el6 |
| Doc Type | Bug Fix |
| Doc Text | Cause: An error in a loop condition in the rule listing code. Consequence: Overflow of a dynamically growing buffer in certain cases. Fix: Fixed the condition. Result: No overflow. Reallocation of the buffer is done correctly. |
| Story Points | --- |
| Clone Of | |
| | 1026894 (view as bug list) |
| Environment | |
| Last Closed | 2013-11-21 23:14:32 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1026894 |
| Attachments | |
Description (jzhang, 2013-08-07 16:13:19 UTC)
I can't reproduce this bug. Could you please attach your sudoers file?
I've tested these use cases:
------------------
# sudo -U dkopecek -l
User dkopecek is not allowed to run sudo on rhws.
#
------------------
# sudo -u dkopecek sudo -l
[sudo] password for dkopecek:
Sorry, user dkopecek may not run sudo on rhws.
#
------------------
... and the same with some rules in sudoers ...
------------------
# sudo -U dkopecek -l
Matching Defaults entries for dkopecek on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User dkopecek may run the following commands on this host:
(ALL) /bin/true
#
------------------
# sudo -u dkopecek sudo -l
[sudo] password for dkopecek:
Matching Defaults entries for dkopecek on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User dkopecek may run the following commands on this host:
(ALL) /bin/true
------------------
Thanks, I've reproduced the crash with your sudoers file. Here's the backtrace:
#0 0x00007fb86923ec55 in raise () from /lib64/libc.so.6
#1 0x00007fb869240408 in abort () from /lib64/libc.so.6
#2 0x00007fb86927e64b in __libc_message () from /lib64/libc.so.6
#3 0x00007fb869284826 in malloc_printerr () from /lib64/libc.so.6
#4 0x00007fb869287be8 in _int_realloc () from /lib64/libc.so.6
#5 0x00007fb869288b55 in realloc () from /lib64/libc.so.6
#6 0x00007fb862791dd3 in erealloc (ptr=<optimized out>, size=<optimized out>)
at ./alloc.c:144
#7 0x00007fb8627929b2 in lbuf_append (lbuf=lbuf@entry=0x7fff65aebfb0,
fmt=fmt@entry=0x7fb86279642f "\n\n") at ./lbuf.c:157
#8 0x00007fb862779751 in display_privs (snl=0x7fb8629ac250 <snl.5779>,
pw=0x7fb86a5b1cb8) at ./sudo_nss.c:284
#9 0x00007fb862776d74 in sudoers_policy_main (argc=argc@entry=0,
argv=argv@entry=0x7fff65aec478, pwflag=pwflag@entry=52,
env_add=env_add@entry=0x0, command_infop=command_infop@entry=0x0,
argv_out=argv_out@entry=0x0, user_env_out=user_env_out@entry=0x0)
at ./sudoers.c:539
#10 0x00007fb8627775df in sudoers_policy_list (argc=0, argv=0x7fff65aec478,
verbose=0, list_user=0x0) at ./sudoers.c:815
#11 0x00007fb86a0356bd in policy_list (plugin=0x7fb86a250ac0 <policy_plugin>,
plugin=0x7fb86a250ac0 <policy_plugin>, list_user=0x0, verbose=0,
argv=0x7fff65aec478, argc=0) at ./sudo.c:1215
#12 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>)
at ./sudo.c:253
(gdb)
full bt:
(gdb) bt full
#0 0x00007fb86923ec55 in raise () from /lib64/libc.so.6
No symbol table info available.
#1 0x00007fb869240408 in abort () from /lib64/libc.so.6
No symbol table info available.
#2 0x00007fb86927e64b in __libc_message () from /lib64/libc.so.6
No symbol table info available.
#3 0x00007fb869284826 in malloc_printerr () from /lib64/libc.so.6
No symbol table info available.
#4 0x00007fb869287be8 in _int_realloc () from /lib64/libc.so.6
No symbol table info available.
#5 0x00007fb869288b55 in realloc () from /lib64/libc.so.6
No symbol table info available.
#6 0x00007fb862791dd3 in erealloc (ptr=<optimized out>, size=<optimized out>)
at ./alloc.c:144
No locals.
#7 0x00007fb8627929b2 in lbuf_append (lbuf=lbuf@entry=0x7fff65aebfb0,
fmt=fmt@entry=0x7fb86279642f "\n\n") at ./lbuf.c:157
ap = {{gp_offset = 16, fp_offset = 32696,
overflow_arg_area = 0x7fff65aebfb0,
reg_save_area = 0x7fff65aebf40}}
len = 1
s = 0x0
__func__ = "lbuf_append"
#8 0x00007fb862779751 in display_privs (snl=0x7fb8629ac250 <snl.5779>,
pw=0x7fb86a5b1cb8) at ./sudo_nss.c:284
nss = 0x0
defs = {output = 0x7fb8627791d0 <output>,
buf = 0x7fb86a5c7340 "Matching Defaults entries for bworks on this host:\n !visiblepw, always_set_home, umask=0002, !lecture, !env_reset, secure_path=/usr/local/broadworks/swmanager/bin\\:/usr/local/broadworks/patchtool/b"..., continuation = 0x0, indent = 4, len = 524, size = 768, cols = 146}
privs = {output = 0x7fb8627791d0 <output>, buf = 0x0,
continuation = 0x0, indent = 4, len = 0, size = 0, cols = 146}
sb = {st_dev = 10, st_ino = 6, st_nlink = 1, st_mode = 8592,
st_uid = 1000, st_gid = 5, __pad0 = 0, st_rdev = 34819, st_size = 0,
st_blksize = 1024, st_blocks = 0, st_atim = {tv_sec = 1376314840,
tv_nsec = 882985085}, st_mtim = {tv_sec = 1376314840,
tv_nsec = 882985085}, st_ctim = {tv_sec = 1376310207,
tv_nsec = 882985085}, __unused = {0, 0, 0}}
cols = <optimized out>
count = 6
olen = <optimized out>
__func__ = "display_privs"
#9 0x00007fb862776d74 in sudoers_policy_main (argc=argc@entry=0,
argv=argv@entry=0x7fff65aec478, pwflag=pwflag@entry=52,
env_add=env_add@entry=0x0, command_infop=command_infop@entry=0x0,
argv_out=argv_out@entry=0x0, user_env_out=user_env_out@entry=0x0)
at ./sudoers.c:539
command_info = {0x0 <repeats 32 times>}
edit_argv = 0x0
nss = <optimized out>
cmnd_status = <optimized out>
validated = 130
info_len = 0
rval = 0
__func__ = "sudoers_policy_main"
#10 0x00007fb8627775df in sudoers_policy_list (argc=0, argv=0x7fff65aec478,
verbose=0, list_user=0x0) at ./sudoers.c:815
rval = <optimized out>
__func__ = "sudoers_policy_list"
#11 0x00007fb86a0356bd in policy_list (plugin=0x7fb86a250ac0 <policy_plugin>,
plugin=0x7fb86a250ac0 <policy_plugin>, list_user=0x0, verbose=0,
argv=0x7fff65aec478, argc=0) at ./sudo.c:1215
sudo_debug_rval = <optimized out>
sudo_debug_subsys = 448
#12 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>)
at ./sudo.c:253
nargc = 0
ok = <optimized out>
exitcode = 0
nargv = 0x7fff65aec478
settings = 0x7fb86a5a6bd0
env_add = <optimized out>
user_info = 0x7fb86a5a5050
command_info = <optimized out>
argv_out = <optimized out>
user_env_out = <optimized out>
plugin = <optimized out>
next = <optimized out>
command_details = {uid = 16, euid = 0, gid = 1764290082, egid = 32696,
umask = 2, priority = 0, timeout = 1771962294, ngroups = 32696,
closefrom = 0, flags = 0, pw = 0x7fb8699d2de9 <set_selinuxmnt+9>,
groups = 0x7fff65aec468,
command = 0x7fb8699ce2bc <verify_selinuxmnt+124> "\353\350f\220AV\277\036", cwd = 0x1000 <Address 0x1000 out of bounds>,
login_class = 0x1000 <Address 0x1000 out of bounds>, chroot = 0x0,
selinux_role = 0x0, selinux_type = 0x0, utmp_user = 0x0, argv = 0x0,
envp = 0x0}
mask = {__val = {0 <repeats 16 times>}}
__func__ = "main"
The bug is in the lbuf_append_quoted function:
--- lbuf.c~ 2012-09-18 15:56:28.000000000 +0200
+++ lbuf.c 2013-08-12 17:01:02.335470715 +0200
-100,7 +100,7 @@
if (lbuf->len + (len * 2) + 1 >= lbuf->size) {
do {
lbuf->size += 256;
- } while (lbuf->len + len + 1 >= lbuf->size);
+ } while (lbuf->len + (len * 2) + 1 >= lbuf->size);
lbuf->buf = erealloc(lbuf->buf, lbuf->size);
}
if (*fmt == '%') {
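Review bot: the corrected do/while condition now agrees with the outer if test two lines above it (lbuf->len + (len * 2) + 1 >= lbuf->size), and that agreement is the whole fix: before this change the loop could stop as soon as there was room for len + 1 bytes, although the quoting that follows may emit up to len * 2 bytes when every character needs a backslash, so erealloc handed back a buffer too small for the quoted output and the write past its end corrupted heap metadata that glibc only detected at a later realloc (the lbuf_append frame at lbuf.c:157 in the backtrace above, not lbuf_append_quoted itself). Suggest computing the requirement once into a local, e.g. size_t need = lbuf->len + (len * 2) + 1; and using it in both tests so they cannot drift apart again (the upstream commit linked in the next comment restructures this growth code, so backporting that form is the alternative), and checking that the growth loop in lbuf_append, where the abort actually fired, does not carry the same mismatch.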
and it looks like this is already fixed upstream by refactoring the code that expands the buffer:
http://www.sudo.ws/repos/sudo/raw-rev/6283ee562ef4
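The growth logic the patch corrects, reduced to a stand-alone program so the under-allocation can be observed directly. This is an added example written for this page, not sudo's own lbuf.c: the struct fields (buf, len, size) and the 256-byte growth step follow what is visible in the backtrace and the hunk above; the quote set, the 300-character constructed input and the refusal to write when the buffer came out too small are assumptions made here so the defect shows up as a return value instead of heap corruption.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Minimal stand-in for sudo's line buffer (assumed layout, added example). */
struct lbuf {
    char  *buf;
    size_t len;   /* bytes in use, excluding the terminating NUL */
    size_t size;  /* bytes allocated */
};

#define LBUF_CHUNK 256   /* growth step, as in the hunk on this page */

/* Bytes needed to append `len` input bytes when every one of them must be
 * backslash-quoted: the worst case the outer check in the patch assumes. */
static size_t quoted_worst_case(size_t cur_len, size_t len)
{
    return cur_len + (len * 2) + 1;
}

/* Pre-fix growth loop: the outer test reserves room for len * 2 bytes, but
 * the do/while stops as soon as there is room for len bytes, so `size` can
 * end up below the worst case. */
static size_t grow_before_fix(size_t cur_len, size_t cur_size, size_t len)
{
    size_t size = cur_size;
    if (cur_len + (len * 2) + 1 >= size) {
        do {
            size += LBUF_CHUNK;
        } while (cur_len + len + 1 >= size);
    }
    return size;
}

/* Post-fix growth loop from the patch: inner and outer tests agree. */
static size_t grow_after_fix(size_t cur_len, size_t cur_size, size_t len)
{
    size_t size = cur_size;
    if (cur_len + (len * 2) + 1 >= size) {
        do {
            size += LBUF_CHUNK;
        } while (cur_len + (len * 2) + 1 >= size);
    }
    return size;
}

/* Append `s`, backslash-escaping every byte found in `set`, growing with the
 * chosen policy.  Unlike the real code this refuses to write when the policy
 * left the buffer too small and returns -1, so the bug is observable without
 * corrupting the heap.  Returns 0 on success. */
static int lbuf_append_quoted(struct lbuf *lbuf, const char *set,
                              const char *s, int fixed)
{
    size_t len  = strlen(s);
    size_t need = quoted_worst_case(lbuf->len, len);
    size_t size = fixed ? grow_after_fix(lbuf->len, lbuf->size, len)
                        : grow_before_fix(lbuf->len, lbuf->size, len);

    if (size != lbuf->size) {
        char *p = realloc(lbuf->buf, size);
        if (p == NULL)
            return -1;
        lbuf->buf  = p;
        lbuf->size = size;
    }
    if (need > lbuf->size)
        return -1;                 /* would write past the allocation */

    char *cp = lbuf->buf + lbuf->len;
    for (; *s != '\0'; s++) {
        if (strchr(set, *s) != NULL)
            *cp++ = '\\';
        *cp++ = *s;
    }
    *cp = '\0';
    lbuf->len = (size_t)(cp - lbuf->buf);
    return 0;
}

/* Constructed input: 300 colons, all in the quote set, so the quoted output
 * is 600 bytes plus NUL.  Starts from an empty buffer. */
static int demo(int fixed, struct lbuf *out)
{
    char input[301];
    memset(input, ':', 300);
    input[300] = '\0';
    memset(out, 0, sizeof *out);
    return lbuf_append_quoted(out, ":", input, fixed);
}

int main(void)
{
    struct lbuf b;
    int rc = demo(0, &b);
    printf("before fix: rc=%d size=%zu needed=%zu\n",
           rc, b.size, quoted_worst_case(0, 300));
    free(b.buf);
    rc = demo(1, &b);
    printf("after fix:  rc=%d size=%zu len=%zu\n", rc, b.size, b.len);
    free(b.buf);
    return 0;
}
```

With the pre-fix policy the buffer stops at 512 bytes while the fully quoted output needs 601, so on this constructed input the real code would have written 89 bytes past the allocation. glibc's "realloc(): invalid next size" abort is its chunk-metadata consistency check firing on the next realloc, which is why the backtrace points at lbuf_append rather than at the function that overflowed; the corruption site and the detection site are different frames.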
Created attachment 785762: proposed patch
Upstream fixed this in 1.7 too after the report on their mailing list: http://www.sudo.ws/repos/sudo/rev/be4d8b83d203

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHSA-2013-1701.html