Bug 492981 - sudo NULL dereference segfault
Summary: sudo NULL dereference segfault
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: sudo
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Kopeček
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 517000
Reported: 2009-03-31 02:03 UTC by Josh Bressers
Modified: 2009-08-20 14:17 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-08-20 14:05:30 UTC
Type: ---
Embargoed:



Description Josh Bressers 2009-03-31 02:03:45 UTC
Mike McGrath reported a segfault in sudo to the Red Hat Security Response Team.

Upon investigating this, it turned out to be a NULL dereference crash, but we still don't like those in sudo.

Here are the details (I'm using the F10 srpm as my source here)

If you run sudo with the argument -u '#111' where the UID doesn't exist, it will segfault.

The command line for the below gdb session was:
(gdb) run -u '#111'

If I break in runas_setgroups():

(gdb) frame
#0  runas_setgroups () at set_perms.c:431
431		if (initgroups(pw->pw_name, pw->pw_gid) < 0)
(gdb) print *pw
$4 = {pw_name = 0x0, pw_passwd = 0x0, pw_uid = 111, pw_gid = 0, 
  pw_gecos = 0x0, pw_dir = 0x0, pw_shell = 0x0}

This is the result of code in sudo.c:1266 that creates a fake zeroed passwd structure.

The initgroups function does specify that the user argument cannot be NULL.

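The pattern the report describes, reduced to a stand-alone C program. This is an added example, not sudo's source and not the fix Fedora shipped: a `-u '#uid'` argument is resolved with getpwuid(), and when the UID has no entry a synthetic passwd is built, as sudo.c did. The difference is that every pointer field of the fake entry is given real storage, and the initgroups() call site checks pw_name before using it. The names resolve_runas, runas_pw_valid and runas_setgroups_checked, the "#uid" placeholder name, the defaults filled into the fake entry, and the UID 4000000000 (assumed to have no passwd entry on the test machine) are all assumptions for illustration.

```c
#define _DEFAULT_SOURCE
#include <ctype.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical container for a resolved run-as user. When the UID has no
 * passwd entry we synthesize one, but every char* field points at real
 * storage, so nothing downstream ever sees a NULL pw_name. */
struct runas {
    struct passwd pw;
    char namebuf[32];   /* backing store for a synthesized "#uid" name */
    int is_fake;        /* 1 when the UID was not found in the passwd database */
};

/* Resolve a sudo-style -u argument ("name" or "#uid") into r->pw.
 * Returns 0 on success, -1 on a malformed spec or an unknown user name.
 * An unknown *numeric* id is accepted, as sudo does, and marked is_fake. */
int resolve_runas(const char *spec, struct runas *r)
{
    memset(r, 0, sizeof *r);

    if (spec[0] != '#') {
        struct passwd *pw = getpwnam(spec);
        if (pw == NULL)
            return -1;
        r->pw = *pw;   /* shallow copy: strings live in libc's static buffer */
        return 0;
    }

    /* "#uid": require plain digits so "#", "#-1" or "# 5" cannot reach strtoul */
    if (!isdigit((unsigned char)spec[1]))
        return -1;
    char *end;
    errno = 0;
    unsigned long v = strtoul(spec + 1, &end, 10);
    if (*end != '\0' || errno != 0 || v > (unsigned long)(uid_t)-1)
        return -1;
    uid_t uid = (uid_t)v;

    struct passwd *pw = getpwuid(uid);
    if (pw != NULL) {
        r->pw = *pw;
        return 0;
    }

    /* No entry for this UID: build a fake one. The sudo in the report left
     * every pointer NULL here; instead give the entry a printable placeholder
     * name and harmless defaults (assumed values, not sudo's). */
    r->is_fake = 1;
    r->pw.pw_uid = uid;
    r->pw.pw_gid = (gid_t)uid;   /* assumption: do not silently inherit gid 0 */
    snprintf(r->namebuf, sizeof r->namebuf, "#%lu", (unsigned long)uid);
    r->pw.pw_name = r->namebuf;
    r->pw.pw_passwd = "*";
    r->pw.pw_gecos = "";
    r->pw.pw_dir = "/";
    r->pw.pw_shell = "/bin/false";
    return 0;
}

/* The check the crashing call site lacked: initgroups() dereferences its
 * name argument, so a passwd with pw_name == NULL must never reach it. */
int runas_pw_valid(const struct passwd *pw)
{
    return pw != NULL && pw->pw_name != NULL && pw->pw_name[0] != '\0';
}

/* Guarded equivalent of the report's runas_setgroups(): refuse an invalid
 * entry with EINVAL instead of segfaulting inside initgroups(). */
int runas_setgroups_checked(const struct passwd *pw)
{
    if (!runas_pw_valid(pw)) {
        errno = EINVAL;
        return -1;
    }
    return initgroups(pw->pw_name, pw->pw_gid);   /* needs root; EPERM otherwise */
}

int main(int argc, char **argv)
{
    const char *spec = argc > 1 ? argv[1] : "#4000000000";   /* UID assumed absent */
    struct runas r;

    if (resolve_runas(spec, &r) != 0) {
        fprintf(stderr, "cannot resolve run-as user %s\n", spec);
        return 1;
    }
    printf("uid=%lu gid=%lu name=%s fake=%d\n",
           (unsigned long)r.pw.pw_uid, (unsigned long)r.pw.pw_gid,
           r.pw.pw_name, r.is_fake);
    if (runas_setgroups_checked(&r.pw) != 0)
        perror("initgroups");   /* EPERM when not root; EINVAL means the guard fired */

    /* The shape gdb printed in the report: zeroed struct, only pw_uid set. */
    struct passwd zeroed;
    memset(&zeroed, 0, sizeof zeroed);
    zeroed.pw_uid = 111;
    printf("zeroed entry accepted by the guard: %s\n",
           runas_pw_valid(&zeroed) ? "yes" : "no");
    return 0;
}
```

Run as an unprivileged user, `./a.out '#4000000000'` prints the synthesized entry and `initgroups: Operation not permitted`, which is the expected EPERM from a non-root caller; passing the zeroed struct from the report through the guarded path yields EINVAL rather than a segfault. The placeholder-name approach is one of two reasonable hardenings; the other is to reject the entry outright, which is what runas_setgroups_checked does for anything that still arrives with a NULL name.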
Comment 1 Daniel Kopeček 2009-08-20 14:05:30 UTC
Fixed in the current version of sudo in F-10 (and also in F-11 and rawhide).

