Red Hat Bugzilla – Bug 994626
sudo -u <user> sudo -l show error: *** glibc detected *** sudo: realloc(): invalid next size: 0x00007f4ae2d10ec0 ***
Last modified: 2015-03-02 00:27:59 EST
Description of problem:

Version-Release number of selected component (if applicable):
RHEL 6.4 sudo 1.8.6p3

How reproducible:

Steps to Reproduce:
1. from root execute sudo -u <user> sudo -l to show the sudo list of that user

Actual results:
*** glibc detected *** sudo: realloc(): invalid next size: 0x00007f2ddd90bc10 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x3d39e760e6)[0x7f2ddab9c0e6]
/lib64/libc.so.6(+0x3d39e7bae7)[0x7f2ddaba1ae7]
/lib64/libc.so.6(realloc+0xe5)[0x7f2ddaba1ca5]
/usr/libexec/sudoers.so(+0x2d8b3)[0x7f2dd486b8b3]
/usr/libexec/sudoers.so(+0x2e4b9)[0x7f2dd486c4b9]
/usr/libexec/sudoers.so(+0x152f1)[0x7f2dd48532f1]
/usr/libexec/sudoers.so(+0x12c34)[0x7f2dd4850c34]
/usr/libexec/sudoers.so(+0x1349f)[0x7f2dd485149f]
sudo(+0xe708)[0x7f2ddb92b708]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7f2ddab44cdd]
sudo(+0x3f59)[0x7f2ddb920f59]

Expected results:
sudo list of that user

Additional info:
I can't reproduce this bug. Could you please attach your sudoers file?

I've tested these use cases:

------------------
# sudo -U dkopecek -l
User dkopecek is not allowed to run sudo on rhws.
#
------------------
# sudo -u dkopecek sudo -l
[sudo] password for dkopecek:
Sorry, user dkopecek may not run sudo on rhws.
#
------------------

... and the same with some rules in sudoers ...

------------------
# sudo -U dkopecek -l
Matching Defaults entries for dkopecek on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User dkopecek may run the following commands on this host:
    (ALL) /bin/true
#
------------------
# sudo -u dkopecek sudo -l
[sudo] password for dkopecek:
Matching Defaults entries for dkopecek on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User dkopecek may run the following commands on this host:
    (ALL) /bin/true
------------------
Thanks, I've reproduced the crash with your sudoers file. Here's the backtrace:

#0  0x00007fb86923ec55 in raise () from /lib64/libc.so.6
#1  0x00007fb869240408 in abort () from /lib64/libc.so.6
#2  0x00007fb86927e64b in __libc_message () from /lib64/libc.so.6
#3  0x00007fb869284826 in malloc_printerr () from /lib64/libc.so.6
#4  0x00007fb869287be8 in _int_realloc () from /lib64/libc.so.6
#5  0x00007fb869288b55 in realloc () from /lib64/libc.so.6
#6  0x00007fb862791dd3 in erealloc (ptr=<optimized out>, size=<optimized out>) at ./alloc.c:144
#7  0x00007fb8627929b2 in lbuf_append (lbuf=lbuf@entry=0x7fff65aebfb0, fmt=fmt@entry=0x7fb86279642f "\n\n") at ./lbuf.c:157
#8  0x00007fb862779751 in display_privs (snl=0x7fb8629ac250 <snl.5779>, pw=0x7fb86a5b1cb8) at ./sudo_nss.c:284
#9  0x00007fb862776d74 in sudoers_policy_main (argc=argc@entry=0, argv=argv@entry=0x7fff65aec478, pwflag=pwflag@entry=52, env_add=env_add@entry=0x0, command_infop=command_infop@entry=0x0, argv_out=argv_out@entry=0x0, user_env_out=user_env_out@entry=0x0) at ./sudoers.c:539
#10 0x00007fb8627775df in sudoers_policy_list (argc=0, argv=0x7fff65aec478, verbose=0, list_user=0x0) at ./sudoers.c:815
#11 0x00007fb86a0356bd in policy_list (plugin=0x7fb86a250ac0 <policy_plugin>, plugin=0x7fb86a250ac0 <policy_plugin>, list_user=0x0, verbose=0, argv=0x7fff65aec478, argc=0) at ./sudo.c:1215
#12 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at ./sudo.c:253
(gdb)
full bt:

(gdb) bt full
#0  0x00007fb86923ec55 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007fb869240408 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007fb86927e64b in __libc_message () from /lib64/libc.so.6
No symbol table info available.
#3  0x00007fb869284826 in malloc_printerr () from /lib64/libc.so.6
No symbol table info available.
#4  0x00007fb869287be8 in _int_realloc () from /lib64/libc.so.6
No symbol table info available.
#5  0x00007fb869288b55 in realloc () from /lib64/libc.so.6
No symbol table info available.
#6  0x00007fb862791dd3 in erealloc (ptr=<optimized out>, size=<optimized out>) at ./alloc.c:144
No locals.
#7  0x00007fb8627929b2 in lbuf_append (lbuf=lbuf@entry=0x7fff65aebfb0, fmt=fmt@entry=0x7fb86279642f "\n\n") at ./lbuf.c:157
        ap = {{gp_offset = 16, fp_offset = 32696, overflow_arg_area = 0x7fff65aebfb0, reg_save_area = 0x7fff65aebf40}}
        len = 1
        s = 0x0
        __func__ = "lbuf_append"
#8  0x00007fb862779751 in display_privs (snl=0x7fb8629ac250 <snl.5779>, pw=0x7fb86a5b1cb8) at ./sudo_nss.c:284
        nss = 0x0
        defs = {output = 0x7fb8627791d0 <output>, buf = 0x7fb86a5c7340 "Matching Defaults entries for bworks on this host:\n !visiblepw, always_set_home, umask=0002, !lecture, !env_reset, secure_path=/usr/local/broadworks/swmanager/bin\\:/usr/local/broadworks/patchtool/b"..., continuation = 0x0, indent = 4, len = 524, size = 768, cols = 146}
        privs = {output = 0x7fb8627791d0 <output>, buf = 0x0, continuation = 0x0, indent = 4, len = 0, size = 0, cols = 146}
        sb = {st_dev = 10, st_ino = 6, st_nlink = 1, st_mode = 8592, st_uid = 1000, st_gid = 5, __pad0 = 0, st_rdev = 34819, st_size = 0, st_blksize = 1024, st_blocks = 0, st_atim = {tv_sec = 1376314840, tv_nsec = 882985085}, st_mtim = {tv_sec = 1376314840, tv_nsec = 882985085}, st_ctim = {tv_sec = 1376310207, tv_nsec = 882985085}, __unused = {0, 0, 0}}
        cols = <optimized out>
        count = 6
        olen = <optimized out>
        __func__ = "display_privs"
#9  0x00007fb862776d74 in sudoers_policy_main (argc=argc@entry=0, argv=argv@entry=0x7fff65aec478, pwflag=pwflag@entry=52, env_add=env_add@entry=0x0, command_infop=command_infop@entry=0x0, argv_out=argv_out@entry=0x0, user_env_out=user_env_out@entry=0x0) at ./sudoers.c:539
        command_info = {0x0 <repeats 32 times>}
        edit_argv = 0x0
        nss = <optimized out>
        cmnd_status = <optimized out>
        validated = 130
        info_len = 0
        rval = 0
        __func__ = "sudoers_policy_main"
#10 0x00007fb8627775df in sudoers_policy_list (argc=0, argv=0x7fff65aec478, verbose=0, list_user=0x0) at ./sudoers.c:815
        rval = <optimized out>
        __func__ = "sudoers_policy_list"
#11 0x00007fb86a0356bd in policy_list (plugin=0x7fb86a250ac0 <policy_plugin>, plugin=0x7fb86a250ac0 <policy_plugin>, list_user=0x0, verbose=0, argv=0x7fff65aec478, argc=0) at ./sudo.c:1215
        sudo_debug_rval = <optimized out>
        sudo_debug_subsys = 448
#12 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at ./sudo.c:253
        nargc = 0
        ok = <optimized out>
        exitcode = 0
        nargv = 0x7fff65aec478
        settings = 0x7fb86a5a6bd0
        env_add = <optimized out>
        user_info = 0x7fb86a5a5050
        command_info = <optimized out>
        argv_out = <optimized out>
        user_env_out = <optimized out>
        plugin = <optimized out>
        next = <optimized out>
        command_details = {uid = 16, euid = 0, gid = 1764290082, egid = 32696, umask = 2, priority = 0, timeout = 1771962294, ngroups = 32696, closefrom = 0, flags = 0, pw = 0x7fb8699d2de9 <set_selinuxmnt+9>, groups = 0x7fff65aec468, command = 0x7fb8699ce2bc <verify_selinuxmnt+124> "\353\350f\220AV\277\036", cwd = 0x1000 <Address 0x1000 out of bounds>, login_class = 0x1000 <Address 0x1000 out of bounds>, chroot = 0x0, selinux_role = 0x0, selinux_type = 0x0, utmp_user = 0x0, argv = 0x0, envp = 0x0}
        mask = {__val = {0 <repeats 16 times>}}
        __func__ = "main"
The bug is in the lbuf_append_quoted function: --- lbuf.c~ 2012-09-18 15:56:28.000000000 +0200 +++ lbuf.c 2013-08-12 17:01:02.335470715 +0200 -100,7 +100,7 @@ if (lbuf->len + (len * 2) + 1 >= lbuf->size) { do { lbuf->size += 256; - } while (lbuf->len + len + 1 >= lbuf->size); + } while (lbuf->len + (len * 2) + 1 >= lbuf->size); lbuf->buf = erealloc(lbuf->buf, lbuf->size); } if (*fmt == '%') { and it looks like this is already fixed upstream by refactoring the code that expands the buffer: http://www.sudo.ws/repos/sudo/raw-rev/6283ee562ef4
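Review bot: the `while` condition in this hunk disagreed with the guard in the `if` directly above it. The guard grows when `lbuf->len + (len * 2) + 1 >= lbuf->size` (worst case every appended byte gets a backslash, so the write may be 2*len bytes), but the old loop stopped as soon as `lbuf->len + len + 1` fit, so whenever one 256-byte step satisfied the smaller bound but not the larger one the buffer stayed up to `len` bytes short and the append wrote past the end of the heap chunk; glibc then reports the clobbered neighbouring chunk header on the next `realloc` as "invalid next size", which is exactly the crash in the report. The one-line change makes the two conditions agree, but keeping the same expression in two places invites them to drift apart again; compute it once, e.g. `size_t need = lbuf->len + (len * 2) + 1;`, and use `need` in both the `if` and the `while`, which is in the spirit of the upstream refactoring of the buffer growth linked in the comment above.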
Created attachment 785762 [details] proposed patch
Upstream fixed this in 1.7 too after the report on their mailing list: http://www.sudo.ws/repos/sudo/rev/be4d8b83d203
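A minimal model of the buffer-growth logic the patches above correct, added here as an illustration and not sudo's own code: `grown_size` reproduces both the 1.8.6p3 loop and the fixed one, and `lbuf_append_quoted` is a simplified rewrite that checks the sizing invariant before it writes. The values 524 and 768 are the `len` and `size` of the `defs` lbuf in the backtrace above; the quoted set and the inputs are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model of sudo's lbuf (constructed example, not sudo's source).
 * A byte that needs quoting is written as two bytes ('\\' + byte), so an
 * append of n bytes may need len + 2n + 1 bytes of buffer in the worst case. */
struct lbuf { char *buf; size_t len; size_t size; };

/* Bytes the append may write; the grow loop must leave room for this. */
size_t bytes_needed(size_t len, size_t n) { return len + (n * 2) + 1; }

/* Grow in 256-byte steps. With buggy=1 the loop stops once len + n + 1 fits,
 * as in 1.8.6p3, even though the guard (and the write) use len + 2n + 1;
 * with buggy=0 the loop uses the same bound as the guard. */
size_t grown_size(size_t len, size_t n, size_t size, int buggy) {
    size_t need = bytes_needed(len, n);
    if (need >= size) {
        do {
            size += 256;
        } while ((buggy ? len + n + 1 : need) >= size);
    }
    return size;
}

/* Append s to lb, backslash-escaping every byte found in set. Uses the
 * corrected growth and refuses to write (returns -1) if the invariant
 * would ever fail, so a sizing mistake becomes an error, not a heap overflow. */
int lbuf_append_quoted(struct lbuf *lb, const char *set, const char *s) {
    size_t n = strlen(s);
    size_t size = grown_size(lb->len, n, lb->size, 0);
    if (size != lb->size) {
        char *p = realloc(lb->buf, size);
        if (p == NULL) return -1;
        lb->buf = p;
        lb->size = size;
    }
    if (bytes_needed(lb->len, n) > lb->size) return -1;  /* cannot happen */
    for (; *s != '\0'; s++) {
        if (strchr(set, *s) != NULL) lb->buf[lb->len++] = '\\';
        lb->buf[lb->len++] = *s;
    }
    lb->buf[lb->len] = '\0';
    return 0;
}
```

With the backtrace's 524/768 state and a 300-byte append, the old loop stops at 1024 bytes although 1125 may be written; the fixed loop goes on to 1280.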
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-1701.html