Bug 436893 - pam segfaults on bad input in config file
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam
Version: 4.8
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assignee: Tomas Mraz
Reported: 2008-03-10 23:04 UTC by David Tonhofer
Modified: 2008-03-27 13:01 UTC (History)
Doc Type: Bug Fix
Last Closed: 2008-03-27 13:01:27 UTC

Description David Tonhofer 2008-03-10 23:04:03 UTC
Description of problem:

pam segfaults on bad input 

We have a typo in "/etc/pam.d/su", an 'i' has been left at line 6:

-----------------
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth       sufficient   /lib/security/$ISA/pam_wheel.so debug trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
i# auth       required     /lib/security/$ISA/pam_wheel.so debug use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    sufficient   /lib/security/$ISA/pam_succeed_if.so uid=0 use_uid quiet
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session    required     /lib/security/$ISA/pam_selinux.so close
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session    required     /lib/security/$ISA/pam_selinux.so open
session    optional     /lib/security/$ISA/pam_xauth.so
-----------------

Executing 'su' then results in a segmentation fault. strace says:

-------------
munmap(0xb7d23000, 4096)                = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1098, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1098, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1098, ...}) = 0
socket(PF_FILE, SOCK_DGRAM, 0)          = 4
fcntl64(4, F_SETFD, FD_CLOEXEC)         = 0
connect(4, {sa_family=AF_FILE, path="/dev/log"}, 16) = 0
send(4, "<11>Mar 11 00:01:41 su: PAM (su)"..., 55, MSG_NOSIGNAL) = 55
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
-------------

A problem with instruction lines should be handled differently than with
SIGSEGV. If the typo is removed, things are well.

Version-Release number of selected component (if applicable):

coreutils-5.2.1-31.7

How reproducible:

Always

See also bug #211756

Comment 1 Ondrej Vasik 2008-03-27 12:34:48 UTC
Thanks for the report... similar situation as in #211756.
su is not segfaulting, libpam is ...

gdb reports:
Program received signal SIGSEGV, Segmentation fault.
0x006ec2cd in _pam_strCMP () from /lib/libpam.so.0

Same (or very similar) Debian bug report seems to be at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330097

Can't reproduce on my Fedora and RHEL-4 coreutils, so the problem is most
probably not in su. Redirecting component to pam (libpam) as almost certain
cause of crash.

Comment 2 Tomas Mraz 2008-03-27 13:01:27 UTC
This is fixed in later Linux PAM releases (as of RHEL-5 and newer) by changes to
the pam config file parser. The crash is not a security issue because it is only
a NULL pointer dereference. It is also not a DoS because the error in the config
file would cause the authentication to fail anyway (in the newer releases).
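
One way a pam.d line check can reject a malformed line such as the `i#` line in the report, returning an error code instead of comparing against a missing token (an added example, not libpam's code and not the fix shipped in later releases). The function names, status codes and the narrowed grammar (four module types, four control keywords plus the bracket form, no `include` or `-` prefix) are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { LINE_OK = 0, BAD_TYPE, BAD_CONTROL, NO_MODULE };

/* Case-insensitive keyword lookup; a missing (NULL) token is "no match", not a crash. */
static int in_set(const char *tok, const char *const *set) {
    for (; tok != NULL && *set != NULL; set++) {
        const char *a = tok, *b = *set;
        while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
        if (*a == *b) return 1;
    }
    return 0;
}

/* Copy the next whitespace-delimited token into out; NULL when the line has run out. */
static const char *next_tok(const char **p, char *out, size_t cap) {
    *p += strspn(*p, " \t\r\n");
    size_t len = strcspn(*p, " \t\r\n"), n = len < cap ? len : cap - 1;
    if (len == 0) return NULL;
    memcpy(out, *p, n);
    out[n] = '\0';
    *p += len;
    return out;
}

/* Check one /etc/pam.d/<service> line of the form: type control module-path [args]. */
int check_pam_line(const char *line) {
    static const char *const types[] = {"auth", "account", "password", "session", NULL};
    static const char *const ctrls[] = {"required", "requisite", "sufficient", "optional", NULL};
    char tok[256];
    const char *p = line ? line : "", *t = next_tok(&p, tok, sizeof tok);
    if (t == NULL || t[0] == '#') return LINE_OK;          /* blank line or comment */
    if (!in_set(t, types)) return BAD_TYPE;                /* e.g. the "i#" typo */
    t = next_tok(&p, tok, sizeof tok);
    if (t != NULL && t[0] == '[') {                        /* [value=action ...] control */
        while (t != NULL && strchr(t, ']') == NULL) t = next_tok(&p, tok, sizeof tok);
        if (t == NULL) return BAD_CONTROL;                 /* bracket never closed */
    } else if (!in_set(t, ctrls)) {
        return BAD_CONTROL;                                /* missing or unknown keyword */
    }
    return next_tok(&p, tok, sizeof tok) ? LINE_OK : NO_MODULE;
}

int main(void) { /* s[0]: typo line from the report (whitespace collapsed); s[1]: constructed */
    const char *s[] = {"i# auth required /lib/security/$ISA/pam_wheel.so debug use_uid", "session required"};
    for (int i = 0; i < 2; i++) printf("%d  %s\n", check_pam_line(s[i]), s[i]);
    return 0;
}
```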


