Bug 836556 - passwd segfaults if crypt() returns null
Summary: passwd segfaults if crypt() returns null
Alias: None
Product: Fedora
Classification: Fedora
Component: passwd
Version: 17
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2012-06-29 13:35 UTC by Milan Broz
Modified: 2013-03-01 04:11 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-07-11 23:58:46 UTC
Type: Bug


Description Milan Broz 2012-06-29 13:35:19 UTC
Description of problem:
The crypt() call can return NULL; if this happens, passwd fails.

Seen in fips mode (with buggy nss) but it can happen in other situations (ENOMEM).

Version-Release number of selected component (if applicable):
# rpm -q passwd pam

How reproducible:
Run with nss-3.13.4-3.fc17.x86_64 in fips mode and just change password

# passwd milan
Changing password for user milan.
New password: 
Retype new password: 
Segmentation fault (core dumped)

Core was generated by `passwd milan'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f385a85daa0 in __strncmp_sse42 () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install audit-libs-2.2.1-1.fc17.x86_64 cracklib-2.8.18-3.fc17.x86_64 glib2-2.32.3-1.fc17.x86_64 glibc-2.15-37.fc17.x86_64 libffi-3.0.10-2.fc17.x86_64 libpwquality-1.1.1-1.fc17.x86_64 libselinux-2.1.10-3.fc17.x86_64 libuser-0.57.6-1.fc17.x86_64 nss-softokn-freebl-3.13.4-2.fc17.x86_64 popt-1.13-10.fc17.x86_64
(gdb) bt
#0  0x00007f385a85daa0 in __strncmp_sse42 () from /lib64/libc.so.6
#1  0x00007f3853670861 in create_password_hash (pamh=pamh@entry=0x7f385d7a3a60, password=0x7f385d7ac5e0 "m", ctrl=ctrl@entry=8395044, rounds=<optimized out>) at passverify.c:427
#2  0x00007f385366dc03 in pam_sm_chauthtok (pamh=0x7f385d7a3a60, flags=<optimized out>, argc=<optimized out>, argv=<optimized out>) at pam_unix_passwd.c:798
#3  0x00007f385b5490c4 in _pam_dispatch_aux (use_cached_chain=<optimized out>, resumed=<optimized out>, h=0x7f385d7a96d0, flags=8192, pamh=0x7f385d7a3a60) at pam_dispatch.c:110
#4  _pam_dispatch (pamh=pamh@entry=0x7f385d7a3a60, flags=flags@entry=8192, choice=choice@entry=6) at pam_dispatch.c:407
#5  0x00007f385b54d3b2 in pam_chauthtok (pamh=0x7f385d7a3a60, flags=0) at pam_password.c:46
#6  0x00007f385c94be5e in main (argc=<optimized out>, argv=<optimized out>) at passwd.c:532
(gdb) frame 1
#1  0x00007f3853670861 in create_password_hash (pamh=pamh@entry=0x7f385d7a3a60, password=0x7f385d7ac5e0 "m", ctrl=ctrl@entry=8395044, rounds=<optimized out>) at passverify.c:427
427             if (strncmp(algoid, sp, strlen(algoid)) != 0) {
(gdb) list
422                      * attacks well enough. */
423     #ifdef HAVE_CRYPT_GENSALT_R
424             }
425     #endif
426             sp = crypt(password, salt);
427             if (strncmp(algoid, sp, strlen(algoid)) != 0) {
428                     /* libxcrypt/libc doesn't know the algorithm, use MD5 */
429                     pam_syslog(pamh, LOG_ERR,
430                                "Algo %s not supported by the crypto backend, "
431                                "falling back to MD5\n",
(gdb) p sp
$1 = 0x0

(Well, perhaps pam bug...)
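
The unchecked pattern at passverify.c:427 beside a hardened form, as an added example that is not pam_unix's own code. The two functions take the hashing backend as a function pointer with crypt(3)'s signature; the three backends in the block are constructed stand-ins (not hash functions) so that it builds and runs without linking -lcrypt, and the names hash_unchecked, hash_checked, try_backend and the salt/password values are assumptions for the demo. In production the pointer would be libc's crypt() (or crypt_r() with a struct crypt_data), and the caller would log errno and abort the password change on HASH_ERR_NULL instead of falling through to strncmp():

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Signature shared by crypt(3) and by the constructed stand-ins below. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

enum hash_status {
    HASH_OK       =  0, /* hash produced with the requested algorithm    */
    HASH_ERR_NULL = -1, /* backend returned NULL; errno says why          */
    HASH_ERR_ALGO = -2, /* backend answered with another algorithm prefix */
    HASH_ERR_SIZE = -3  /* caller's buffer too small for the hash         */
};

/* The pattern from passverify.c:427 in the report: sp is handed to strncmp()
 * without a NULL check, so a failing backend crashes the caller. */
static int hash_unchecked(crypt_fn do_crypt, const char *password,
                          const char *salt, const char *algoid)
{
    char *sp = do_crypt(password, salt);
    return strncmp(algoid, sp, strlen(algoid)) == 0 ? HASH_OK : HASH_ERR_ALGO;
}

/* Hardened form: reject a NULL result before anything reads it, keep the
 * algorithm-prefix check on the remaining path, and copy the hash out of
 * crypt()'s static buffer into caller-owned storage. */
static int hash_checked(crypt_fn do_crypt, const char *password,
                        const char *salt, const char *algoid,
                        char *out, size_t outlen)
{
    errno = 0;
    char *sp = do_crypt(password, salt);
    if (sp == NULL) {
        /* crypt(3) sets errno on failure (e.g. ENOMEM, or EPERM when glibc's
         * FIPS mode refuses the algorithm); leave it for the caller to log. */
        return HASH_ERR_NULL;
    }
    if (strncmp(algoid, sp, strlen(algoid)) != 0)
        return HASH_ERR_ALGO;
    int n = snprintf(out, outlen, "%s", sp);
    if (n < 0 || (size_t)n >= outlen)   /* truncated: do not store a partial hash */
        return HASH_ERR_SIZE;
    return HASH_OK;
}

/* Constructed stand-ins so the example runs without -lcrypt. They are not
 * hash functions; they only reproduce crypt(3)'s calling contract. */
static char *fake_crypt_sha512(const char *key, const char *salt)
{
    static char buf[128];
    (void)key;
    snprintf(buf, sizeof buf, "%sCONSTRUCTEDHASH", salt); /* keeps the "$6$" prefix */
    return buf;
}

static char *fake_crypt_md5_only(const char *key, const char *salt)
{
    (void)key; (void)salt;
    return "$1$constructed$CONSTRUCTEDHASH"; /* backend ignored the requested "$6$" */
}

static char *fake_crypt_failing(const char *key, const char *salt)
{
    (void)key; (void)salt;
    errno = ENOMEM; /* how the report's NULL looks to the caller */
    return NULL;
}

/* Driver: runs one backend through hash_checked() with the report's inputs
 * (password "m", a SHA-512 salt prefix); the hash text goes to a local buffer. */
static int try_backend(crypt_fn do_crypt)
{
    char out[256];
    return hash_checked(do_crypt, "m", "$6$constructedsalt$", "$6$", out, sizeof out);
}

int main(void)
{
    const struct { const char *name; crypt_fn fn; } backends[] = {
        { "sha512-capable", fake_crypt_sha512 },
        { "md5-only",       fake_crypt_md5_only },
        { "failing",        fake_crypt_failing },
    };
    for (size_t i = 0; i < sizeof backends / sizeof backends[0]; i++) {
        int rc = try_backend(backends[i].fn);
        printf("%-15s -> %d%s\n", backends[i].name, rc,
               rc == HASH_ERR_NULL ? " (crypt returned NULL, errno set)" : "");
    }
    return 0;
}
```

hash_unchecked() is kept only for comparison; calling it with the failing backend reproduces the strncmp() crash from the backtrace, which is why the driver never does. Reading errno immediately after the NULL return matters: a later library call may overwrite it before the error is logged.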

Comment 1 Fedora Update System 2012-06-29 19:49:04 UTC
pam-1.1.5-7.fc17 has been submitted as an update for Fedora 17.

Comment 2 Fedora Update System 2012-06-30 22:03:00 UTC
Package pam-1.1.5-7.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pam-1.1.5-7.fc17'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 3 Fedora Update System 2012-07-11 23:58:46 UTC
pam-1.1.5-7.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
