Bug 1291554 - lslogins crash when executed with buggy username
Summary: lslogins crash when executed with buggy username
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: util-linux
Version: 7.3
Hardware: x86_64
OS: Linux
urgent
high
Target Milestone: rc
: 7.3
Assignee: Karel Zak
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks: 1203710 1289485 1313485 1317953
TreeView+ depends on / blocked
 
Reported: 2015-12-15 06:51 UTC by Mohit Agrawal
Modified: 2019-10-10 10:42 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1317953 (view as bug list)
Environment:
Last Closed: 2016-11-03 21:25:49 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2605 0 normal SHIPPED_LIVE Low: util-linux security, bug fix, and enhancement update 2016-11-03 12:13:26 UTC

Description Mohit Agrawal 2015-12-15 06:51:14 UTC 
Description of problem:
lslogins segfault when execute with buggy user name.

Version-Release number of selected component (if applicable):
util-linux-2.23.2-26.el7.x86_64


How reproducible:
Always
Steps to Reproduce:
1.Execute lslogins with buggy user name

Actual results:
lslogins abort due to scols_line_get_cell: Assertion `ln' failed and it is failed because user does not exist.

Expected results:

It should not segfault
Additional info:
Comment 1 Mohit Agrawal 2015-12-15 06:57:22 UTC 
Hi,

After checked the lslogins code it seems get_user_info is returned NULL if user does not exist and initially errno is 0


static struct lslogins_user *get_user_info(struct lslogins_control *ctl, const char *username)
{
        struct lslogins_user *user;
        struct passwd *pwd;
        struct group *grp;
        struct spwd *shadow;
        struct utmp *user_wtmp = NULL, *user_btmp = NULL;
        int n = 0;
        time_t time;
        uid_t uid;
        errno = 0;

        pwd = username ? getpwnam(username) : getpwent();
        if (!pwd)
                return NULL;

        .......
        .......

}

In function get_user to validate about error it is doing logical and with errno but if errno is 0 in that case the code path will not execute even user is NULL so it will return 0,It should check if user is NULL then should return -1.

static int get_user(struct lslogins_control *ctl, struct lslogins_user **user,const char *username)
    {
             *user = get_user_info(ctl, username);
             if (!*user && errno)
                     if (IS_REAL_ERRNO(errno))
                             return -1;
             return 0;
    }


I think after update above condition it will execute successfully.
Comment 3 Karel Zak 2015-12-15 10:41:18 UTC 
Fixed by upstream commit 123f0f5bf00635e5dd7e5cbc73f906bf2a0bed9c.

It would be probably nice to rebase all lslogins.c with the current upstream. There is many another bugfixes.
Comment 15 Terry Bowling 2016-04-04 12:23:56 UTC 
Does this also affect RHEL 6?  Should this be cloned?
Comment 16 Karel Zak 2016-04-04 14:21:21 UTC 
(In reply to Terry Bowling from comment #15)
> Does this also affect RHEL 6?  Should this be cloned?

The most fatal issues should be already fixed in RHEL6.8 (see bug #1215840), the last missing things for RHEL6 are nonsenses in --help output.
Comment 20 errata-xmlrpc 2016-11-03 21:25:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2605.html
Note You need to log in before you can comment on or make changes to this bug.