Bug 436893 - pam segfaults on bad input in config file
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam
Version: 4.8
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assigned To: Tomas Mraz
Reported: 2008-03-10 19:04 EDT by David Tonhofer
Modified: 2008-03-27 09:01 EDT
Doc Type: Bug Fix
Last Closed: 2008-03-27 09:01:27 EDT


Description David Tonhofer 2008-03-10 19:04:03 EDT
Description of problem:

pam segfaults on bad input 

We have a typo in "/etc/pam.d/su", an 'i' has been left at line 6:

-----------------
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth       sufficient   /lib/security/$ISA/pam_wheel.so debug trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
i# auth       required     /lib/security/$ISA/pam_wheel.so debug use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    sufficient   /lib/security/$ISA/pam_succeed_if.so uid=0 use_uid quiet
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session    required     /lib/security/$ISA/pam_selinux.so close
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session    required     /lib/security/$ISA/pam_selinux.so open
session    optional     /lib/security/$ISA/pam_xauth.so
-----------------

Executing 'su' then results in a segmentation fault. strace says:

-------------
munmap(0xb7d23000, 4096)                = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1098, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1098, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1098, ...}) = 0
socket(PF_FILE, SOCK_DGRAM, 0)          = 4
fcntl64(4, F_SETFD, FD_CLOEXEC)         = 0
connect(4, {sa_family=AF_FILE, path="/dev/log"}, 16) = 0
send(4, "<11>Mar 11 00:01:41 su: PAM (su)"..., 55, MSG_NOSIGNAL) = 55
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
-------------

A problem with instruction lines should be handled differently than with
SIGSEGV. If the typo is removed, things are well.

Version-Release number of selected component (if applicable):

coreutils-5.2.1-31.7

How reproducible:

Always

See also bug #211756

Comment 1 Ondrej Vasik 2008-03-27 08:34:48 EDT
Thanks for the report... similar situation as in #211756.
su is not segfaulting, libpam is ...

gdb reports:
Program received signal SIGSEGV, Segmentation fault.
0x006ec2cd in _pam_strCMP () from /lib/libpam.so.0

The same (or a very similar) Debian bug report seems to be in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330097

Can't reproduce on my Fedora and RHEL-4 coreutils, so the problem is most
probably not in su. Redirecting component to pam (libpam) as almost certain
cause of crash.

Comment 2 Tomas Mraz 2008-03-27 09:01:27 EDT
This is fixed in later Linux PAM releases (as of RHEL-5 and newer) by changes to
the pam config file parser. The crash is not a security issue because it is only
a NULL pointer dereference. It is also not a DoS because the error in the config
file would cause the authentication to fail anyway (in the newer releases).
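
Added example, not libpam's code and not part of the bug report: a per-line validator for a pam.d service file in which a missing field is reported through a return value, so no NULL string ever reaches a comparison, and a malformed line such as the `i#` line above is rejected as a parse error. All function and constant names are hypothetical. It assumes only the four lowercase module types and the keyword control flags, as used in the file quoted in the report; bracketed control expressions and include directives are not handled.

```c
#include <string.h>

/* Result codes (hypothetical names for this example, not libpam's). */
enum { LINE_OK, LINE_SKIP, LINE_BAD_TYPE, LINE_BAD_CONTROL, LINE_NO_MODULE };

/* Copy the next whitespace-delimited token into out, truncating if needed.
   Returns 0 when the line is exhausted: absence is a return value, never a
   NULL string handed to a comparison. */
static int next_token(const char **p, char *out, size_t outsz)
{
    size_t n, keep;
    *p += strspn(*p, " \t\r\n");
    n = strcspn(*p, " \t\r\n");
    if (n == 0)
        return 0;
    keep = n < outsz - 1 ? n : outsz - 1;
    memcpy(out, *p, keep);
    out[keep] = '\0';
    *p += n;
    return 1;
}

/* Exact match against a NULL-terminated keyword list (lowercase only). */
static int in_set(const char *tok, const char *const *set)
{
    for (; *set != NULL; set++)
        if (strcmp(tok, *set) == 0)
            return 1;
    return 0;
}

/* Validate one "type control module-path [args]" line of a pam.d file. */
int check_pam_line(const char *line)
{
    static const char *const types[] = { "auth", "account", "password", "session", NULL };
    static const char *const controls[] = { "required", "requisite", "sufficient", "optional", NULL };
    char tok[256];

    if (line == NULL || !next_token(&line, tok, sizeof tok) || tok[0] == '#')
        return LINE_SKIP;            /* blank line or comment */
    if (!in_set(tok, types))
        return LINE_BAD_TYPE;        /* the "i#" token from the report lands here */
    if (!next_token(&line, tok, sizeof tok) || !in_set(tok, controls))
        return LINE_BAD_CONTROL;     /* control flag missing or unknown */
    if (!next_token(&line, tok, sizeof tok))
        return LINE_NO_MODULE;       /* line ends before the module path */
    return LINE_OK;
}
```

Calling `check_pam_line` on every line of a service file before it is deployed turns a typo like the one in this report into a reported parse error.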
