Bug 994626 - sudo -u <user> sudo -l show error: *** glibc detected *** sudo: realloc(): invalid next size: 0x00007f4ae2d10ec0 ***
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sudo
Version: 6.4
Hardware: x86_64
OS: Linux
high
urgent
Target Milestone: rc
: ---
Assignee: Daniel Kopeček
QA Contact: David Spurek
URL:
Whiteboard:
Depends On:
Blocks: 1026894
 
Reported: 2013-08-07 16:13 UTC by jzhang
Modified: 2015-03-02 05:27 UTC (History)

Fixed In Version: sudo-1.8.6p3-8.el6
Doc Type: Bug Fix
Doc Text:
Cause: An error in a loop condition in the rule listing code. Consequence: Overflow of a dynamically growing buffer in certain cases. Fix: Fixed the condition. Result: No overflow. Reallocation of the buffer is done correctly.
Clone Of:
: 1026894 (view as bug list)
Environment:
Last Closed: 2013-11-21 23:14:32 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
proposed patch (3.47 KB, patch)
2013-08-12 15:40 UTC, Daniel Kopeček


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1701 0 normal SHIPPED_LIVE Low: sudo security, bug fix and enhancement update 2013-11-20 21:52:06 UTC

Description jzhang 2013-08-07 16:13:19 UTC
Description of problem:

Version-Release number of selected component (if applicable):
RHEL 6.4
sudo 1.8.6p3


How reproducible:


Steps to Reproduce:
1. From root, execute sudo -u <user> sudo -l to show the sudo list of that user

Actual results:
*** glibc detected *** sudo: realloc(): invalid next size: 0x00007f2ddd90bc10 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x3d39e760e6)[0x7f2ddab9c0e6]
/lib64/libc.so.6(+0x3d39e7bae7)[0x7f2ddaba1ae7]
/lib64/libc.so.6(realloc+0xe5)[0x7f2ddaba1ca5]
/usr/libexec/sudoers.so(+0x2d8b3)[0x7f2dd486b8b3]
/usr/libexec/sudoers.so(+0x2e4b9)[0x7f2dd486c4b9]
/usr/libexec/sudoers.so(+0x152f1)[0x7f2dd48532f1]
/usr/libexec/sudoers.so(+0x12c34)[0x7f2dd4850c34]
/usr/libexec/sudoers.so(+0x1349f)[0x7f2dd485149f]
sudo(+0xe708)[0x7f2ddb92b708]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7f2ddab44cdd]
sudo(+0x3f59)[0x7f2ddb920f59]
======= Memory map: ========

Expected results:
sudo list of that user

Additional info:

Comment 2 Daniel Kopeček 2013-08-09 10:46:20 UTC
I can't reproduce this bug. Could you please attach your sudoers file?

I've tested these use cases:
------------------
# sudo -U dkopecek -l
User dkopecek is not allowed to run sudo on rhws.
#
------------------
# sudo -u dkopecek sudo -l
[sudo] password for dkopecek: 
Sorry, user dkopecek may not run sudo on rhws.
#
------------------
... and the same with some rules in sudoers ...

------------------
# sudo -U dkopecek -l
Matching Defaults entries for dkopecek on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User dkopecek may run the following commands on this host:
    (ALL) /bin/true
#
------------------
# sudo -u dkopecek sudo -l
[sudo] password for dkopecek: 
Matching Defaults entries for dkopecek on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User dkopecek may run the following commands on this host:
    (ALL) /bin/true
------------------

Comment 4 Daniel Kopeček 2013-08-12 13:53:15 UTC
Thanks, I've reproduced the crash with your sudoers file. Here's the backtrace:

#0  0x00007fb86923ec55 in raise () from /lib64/libc.so.6
#1  0x00007fb869240408 in abort () from /lib64/libc.so.6
#2  0x00007fb86927e64b in __libc_message () from /lib64/libc.so.6
#3  0x00007fb869284826 in malloc_printerr () from /lib64/libc.so.6
#4  0x00007fb869287be8 in _int_realloc () from /lib64/libc.so.6
#5  0x00007fb869288b55 in realloc () from /lib64/libc.so.6
#6  0x00007fb862791dd3 in erealloc (ptr=<optimized out>, size=<optimized out>)
    at ./alloc.c:144
#7  0x00007fb8627929b2 in lbuf_append (lbuf=lbuf@entry=0x7fff65aebfb0, 
    fmt=fmt@entry=0x7fb86279642f "\n\n") at ./lbuf.c:157
#8  0x00007fb862779751 in display_privs (snl=0x7fb8629ac250 <snl.5779>, 
    pw=0x7fb86a5b1cb8) at ./sudo_nss.c:284
#9  0x00007fb862776d74 in sudoers_policy_main (argc=argc@entry=0, 
    argv=argv@entry=0x7fff65aec478, pwflag=pwflag@entry=52, 
    env_add=env_add@entry=0x0, command_infop=command_infop@entry=0x0, 
    argv_out=argv_out@entry=0x0, user_env_out=user_env_out@entry=0x0)
    at ./sudoers.c:539
#10 0x00007fb8627775df in sudoers_policy_list (argc=0, argv=0x7fff65aec478, 
    verbose=0, list_user=0x0) at ./sudoers.c:815
#11 0x00007fb86a0356bd in policy_list (plugin=0x7fb86a250ac0 <policy_plugin>, 
    plugin=0x7fb86a250ac0 <policy_plugin>, list_user=0x0, verbose=0, 
    argv=0x7fff65aec478, argc=0) at ./sudo.c:1215
#12 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>)
    at ./sudo.c:253
(gdb)

Comment 5 Daniel Kopeček 2013-08-12 13:54:06 UTC
full bt:

(gdb) bt full
#0  0x00007fb86923ec55 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007fb869240408 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007fb86927e64b in __libc_message () from /lib64/libc.so.6
No symbol table info available.
#3  0x00007fb869284826 in malloc_printerr () from /lib64/libc.so.6
No symbol table info available.
#4  0x00007fb869287be8 in _int_realloc () from /lib64/libc.so.6
No symbol table info available.
#5  0x00007fb869288b55 in realloc () from /lib64/libc.so.6
No symbol table info available.
#6  0x00007fb862791dd3 in erealloc (ptr=<optimized out>, size=<optimized out>)
    at ./alloc.c:144
No locals.
#7  0x00007fb8627929b2 in lbuf_append (lbuf=lbuf@entry=0x7fff65aebfb0, 
    fmt=fmt@entry=0x7fb86279642f "\n\n") at ./lbuf.c:157
        ap = {{gp_offset = 16, fp_offset = 32696, 
            overflow_arg_area = 0x7fff65aebfb0, 
            reg_save_area = 0x7fff65aebf40}}
        len = 1
        s = 0x0
        __func__ = "lbuf_append"
#8  0x00007fb862779751 in display_privs (snl=0x7fb8629ac250 <snl.5779>, 
    pw=0x7fb86a5b1cb8) at ./sudo_nss.c:284
        nss = 0x0
        defs = {output = 0x7fb8627791d0 <output>, 
          buf = 0x7fb86a5c7340 "Matching Defaults entries for bworks on this host:\n    !visiblepw, always_set_home, umask=0002, !lecture, !env_reset, secure_path=/usr/local/broadworks/swmanager/bin\\:/usr/local/broadworks/patchtool/b"..., continuation = 0x0, indent = 4, len = 524, size = 768, cols = 146}
        privs = {output = 0x7fb8627791d0 <output>, buf = 0x0, 
          continuation = 0x0, indent = 4, len = 0, size = 0, cols = 146}
        sb = {st_dev = 10, st_ino = 6, st_nlink = 1, st_mode = 8592, 
          st_uid = 1000, st_gid = 5, __pad0 = 0, st_rdev = 34819, st_size = 0, 
          st_blksize = 1024, st_blocks = 0, st_atim = {tv_sec = 1376314840, 
            tv_nsec = 882985085}, st_mtim = {tv_sec = 1376314840, 
            tv_nsec = 882985085}, st_ctim = {tv_sec = 1376310207, 
            tv_nsec = 882985085}, __unused = {0, 0, 0}}
        cols = <optimized out>
        count = 6
        olen = <optimized out>
        __func__ = "display_privs"
#9  0x00007fb862776d74 in sudoers_policy_main (argc=argc@entry=0, 
    argv=argv@entry=0x7fff65aec478, pwflag=pwflag@entry=52, 
    env_add=env_add@entry=0x0, command_infop=command_infop@entry=0x0, 
    argv_out=argv_out@entry=0x0, user_env_out=user_env_out@entry=0x0)
    at ./sudoers.c:539
        command_info = {0x0 <repeats 32 times>}
        edit_argv = 0x0
        nss = <optimized out>
        cmnd_status = <optimized out>
        validated = 130
        info_len = 0
        rval = 0
        __func__ = "sudoers_policy_main"
#10 0x00007fb8627775df in sudoers_policy_list (argc=0, argv=0x7fff65aec478, 
    verbose=0, list_user=0x0) at ./sudoers.c:815
        rval = <optimized out>
        __func__ = "sudoers_policy_list"
#11 0x00007fb86a0356bd in policy_list (plugin=0x7fb86a250ac0 <policy_plugin>, 
    plugin=0x7fb86a250ac0 <policy_plugin>, list_user=0x0, verbose=0, 
    argv=0x7fff65aec478, argc=0) at ./sudo.c:1215
        sudo_debug_rval = <optimized out>
        sudo_debug_subsys = 448
#12 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>)
    at ./sudo.c:253
        nargc = 0
        ok = <optimized out>
        exitcode = 0
        nargv = 0x7fff65aec478
        settings = 0x7fb86a5a6bd0
        env_add = <optimized out>
        user_info = 0x7fb86a5a5050
        command_info = <optimized out>
        argv_out = <optimized out>
        user_env_out = <optimized out>
        plugin = <optimized out>
        next = <optimized out>
        command_details = {uid = 16, euid = 0, gid = 1764290082, egid = 32696, 
          umask = 2, priority = 0, timeout = 1771962294, ngroups = 32696, 
          closefrom = 0, flags = 0, pw = 0x7fb8699d2de9 <set_selinuxmnt+9>, 
          groups = 0x7fff65aec468, 
          command = 0x7fb8699ce2bc <verify_selinuxmnt+124> "\353\350f\220AV\277\036", cwd = 0x1000 <Address 0x1000 out of bounds>, 
          login_class = 0x1000 <Address 0x1000 out of bounds>, chroot = 0x0, 
          selinux_role = 0x0, selinux_type = 0x0, utmp_user = 0x0, argv = 0x0, 
          envp = 0x0}
        mask = {__val = {0 <repeats 16 times>}}
        __func__ = "main"

Comment 6 Daniel Kopeček 2013-08-12 15:33:28 UTC
The bug is in the lbuf_append_quoted function:

--- lbuf.c~	2012-09-18 15:56:28.000000000 +0200
+++ lbuf.c	2013-08-12 17:01:02.335470715 +0200
 -100,7 +100,7 @@
 	if (lbuf->len + (len * 2) + 1 >= lbuf->size) {
 	    do {
 		lbuf->size += 256;
-	    } while (lbuf->len + len + 1 >= lbuf->size);
+	    } while (lbuf->len + (len * 2) + 1 >= lbuf->size);
 	    lbuf->buf = erealloc(lbuf->buf, lbuf->size);
 	}
 	if (*fmt == '%') {
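
Review bot: the worst-case size expression lbuf->len + (len * 2) + 1 still appears twice, once in the if guard and once in the while condition, which is how the two drifted apart in the first place. Compute it once into a local before the if and compare that local against lbuf->size in both places, so a later edit cannot change one and miss the other. A one-line comment on why the factor is 2 would help as well; the hunk gives no reason, and the next reader has to infer it from the function name lbuf_append_quoted.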

and it looks like this is already fixed upstream by refactoring the code that expands the buffer:

 http://www.sudo.ws/repos/sudo/raw-rev/6283ee562ef4
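
The loop-condition mismatch analysed in Comment 6, modelled as an added example (not sudo's code and not part of the original report). struct lbuf_model, the helper names and the 300-colon input are assumptions made here; the starting len = 524 and size = 768 are the values of the defs buffer in the Comment 5 backtrace. Nothing is written out of bounds: the code only computes how far a quoted append would run past the reallocated size.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for sudo's struct lbuf: only the two fields the hunk touches. */
struct lbuf_model { size_t len, size; };

/* Growth as it stood before the fix: the guard reserves len*2, the loop only len. */
static size_t grow_before_fix(struct lbuf_model lb, size_t len)
{
    if (lb.len + (len * 2) + 1 >= lb.size) {
        do {
            lb.size += 256;
        } while (lb.len + len + 1 >= lb.size);
    }
    return lb.size;
}

/* Growth with the patched condition: guard and loop agree on the worst case. */
static size_t grow_after_fix(struct lbuf_model lb, size_t len)
{
    if (lb.len + (len * 2) + 1 >= lb.size) {
        do {
            lb.size += 256;
        } while (lb.len + (len * 2) + 1 >= lb.size);
    }
    return lb.size;
}

/* Bytes a quoted append stores: 2 per character found in set, 1 otherwise, plus the NUL. */
static size_t quoted_bytes(const char *s, const char *set)
{
    size_t n = 0;
    for (; *s != '\0'; s++)
        n += strchr(set, *s) != NULL ? 2 : 1;
    return n + 1;
}

/* Bytes that would land past the end of a buffer of new_size (0 = the append fits). */
static size_t overrun(struct lbuf_model lb, size_t new_size, const char *s, const char *set)
{
    size_t end = lb.len + quoted_bytes(s, set);
    return end > new_size ? end - new_size : 0;
}

/* Constructed case: 300 colons, all needing a backslash, appended at len=524, size=768. */
static size_t demo_overrun(int patched)
{
    struct lbuf_model lb = { 524, 768 };
    char s[301];
    size_t len, size;

    memset(s, ':', 300);
    s[300] = '\0';
    len = strlen(s);
    size = patched ? grow_after_fix(lb, len) : grow_before_fix(lb, len);
    return overrun(lb, size, s, ":");
}

int main(void)
{
    printf("before fix: %zu bytes past the end\n", demo_overrun(0));
    printf("after fix:  %zu bytes past the end\n", demo_overrun(1));
    return 0;
}
```

An overrun of this kind overwrites the size field of the heap chunk that follows the buffer, which is the condition glibc reports as "realloc(): invalid next size" on the next reallocation.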

Comment 7 Daniel Kopeček 2013-08-12 15:40:04 UTC
Created attachment 785762 [details]
proposed patch

Comment 8 Daniel Kopeček 2013-08-13 10:24:56 UTC
Upstream fixed this in 1.7 too after the report on their mailing list:

 http://www.sudo.ws/repos/sudo/rev/be4d8b83d203

Comment 14 errata-xmlrpc 2013-11-21 23:14:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-1701.html

