Bug 492981 - sudo NULL dereference segfault
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: sudo
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Daniel Kopeček
QA Contact: Fedora Extras Quality Assurance
Blocks: 517000
Reported: 2009-03-30 22:03 EDT by Josh Bressers
Modified: 2009-08-20 10:17 EDT
Doc Type: Bug Fix
Last Closed: 2009-08-20 10:05:30 EDT
Attachments: None

Description Josh Bressers 2009-03-30 22:03:45 EDT
Mike McGrath reported a segfault in sudo to the Red Hat Security Response Team.

Upon investigating this, it turned out to be a NULL dereference crash, but we still don't like those in sudo.

Here are the details (I'm using the F10 srpm as my source here)

If you run sudo with the argument -u '#111' where the UID doesn't exist, it will segfault.

The command line for the below gdb session was:
(gdb) run -u '#111'

If I break in runas_setgroups():

(gdb) frame
#0  runas_setgroups () at set_perms.c:431
431		if (initgroups(pw->pw_name, pw->pw_gid) < 0)
(gdb) print *pw
$4 = {pw_name = 0x0, pw_passwd = 0x0, pw_uid = 111, pw_gid = 0, 
  pw_gecos = 0x0, pw_dir = 0x0, pw_shell = 0x0}

This is the result of code in sudo.c:1266 that creates a fake zeroed passwd structure.

The initgroups function does specify that the user argument cannot be NULL.
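
The following is an added example, not sudo's own code and not part of the original report. It reproduces the failure mode described above in a standalone program: a "#uid" runas argument with no passwd entry yields a zeroed struct passwd whose pw_name is NULL (as the report says sudo.c did), and the unguarded initgroups() call in runas_setgroups() would then dereference that NULL. The helper names resolve_runas() and runas_setgroups_guarded() are hypothetical, and the uid 3999999999 is a constructed value chosen so that no passwd entry is likely to exist for it; the guarded function refuses a nameless entry with EINVAL instead of passing NULL to initgroups(), which is the check the report says the libc interface requires.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Resolve a sudo-style runas argument (hypothetical helper, not sudo's code).
 * "#NNN" selects a numeric uid; anything else is looked up as a user name.
 * Mirrors the behaviour the report describes: when the uid has no passwd
 * entry, a zeroed struct passwd is synthesised with only pw_uid filled in,
 * so pw_name is left NULL.
 * Returns 1 for a real entry, 0 for a synthesised one, -1 on bad input.
 */
static int resolve_runas(const char *arg, struct passwd *out)
{
    struct passwd *pw;

    memset(out, 0, sizeof *out);
    if (arg == NULL || *arg == '\0')
        return -1;

    if (arg[0] == '#') {
        char *end;
        unsigned long v;

        /* Require at least one digit and no sign, whitespace or trailing junk. */
        if (!isdigit((unsigned char)arg[1]))
            return -1;
        errno = 0;
        v = strtoul(arg + 1, &end, 10);
        if (*end != '\0' || errno != 0 || v != (unsigned long)(uid_t)v)
            return -1;              /* not a well-formed uid */

        pw = getpwuid((uid_t)v);
        if (pw == NULL) {
            out->pw_uid = (uid_t)v; /* fake entry: pw_name stays NULL */
            return 0;
        }
    } else {
        pw = getpwnam(arg);
        if (pw == NULL)
            return -1;
    }
    *out = *pw;                     /* shallow copy of libc's static record */
    return 1;
}

/*
 * Guarded version of the failing call in runas_setgroups(): refuse a passwd
 * entry with no name instead of handing NULL to initgroups().  Returns 0 on
 * success, -1 with errno set on failure.  Actually changing the group list
 * requires root; the NULL check runs before any privileged call.
 */
static int runas_setgroups_guarded(const struct passwd *pw)
{
    if (pw == NULL || pw->pw_name == NULL) {
        errno = EINVAL;
        return -1;
    }
    return initgroups(pw->pw_name, pw->pw_gid);
}

int main(int argc, char **argv)
{
    struct passwd pw;
    const char *arg = argc > 1 ? argv[1] : "#3999999999"; /* constructed uid */
    int rc = resolve_runas(arg, &pw);

    if (rc < 0) {
        fprintf(stderr, "bad runas argument: %s\n", arg);
        return 1;
    }
    printf("runas %s -> uid %lu, pw_name %s (%s entry)\n", arg,
           (unsigned long)pw.pw_uid, pw.pw_name ? pw.pw_name : "(null)",
           rc ? "real" : "synthesised");

    if (runas_setgroups_guarded(&pw) < 0) {
        perror("runas_setgroups_guarded");
        return 1;
    }
    puts("supplementary groups set");
    return 0;
}
```

Run without arguments it resolves the constructed uid, reports the synthesised entry, and fails cleanly with "Invalid argument" rather than crashing; passing a real uid such as "#0" takes the initgroups() path (which succeeds only as root).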
Comment 1 Daniel Kopeček 2009-08-20 10:05:30 EDT
Fixed in the current version of sudo in F-10 (and also in F-11 and rawhide).