Bug 994626 - sudo -u <user> sudo -l show error: *** glibc detected *** sudo: realloc(): invalid next size: 0x00007f4ae2d10ec0 ***
Summary: sudo -u <user> sudo -l show error: *** glibc detected *** sudo: realloc(): i...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sudo
Version: 6.4
Hardware: x86_64
OS: Linux
high
urgent
Target Milestone: rc
Target Release: ---
Assignee: Daniel Kopeček
QA Contact: David Spurek
URL:
Whiteboard:
Depends On:
Blocks: 1026894
 
Reported: 2013-08-07 16:13 UTC by jzhang
Modified: 2015-03-02 05:27 UTC (History)

Fixed In Version: sudo-1.8.6p3-8.el6
Doc Type: Bug Fix
Doc Text:
Cause: An error in a loop condition in the rule listing code. Consequence: Overflow of a dynamically growing buffer in certain cases. Fix: Fixed the condition. Result: No overflow. Reallocation of the buffer is done correctly.
Clone Of:
Clones: 1026894
Environment:
Last Closed: 2013-11-21 23:14:32 UTC


Attachments
proposed patch (3.47 KB, patch)
2013-08-12 15:40 UTC, Daniel Kopeček


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1701 normal SHIPPED_LIVE Low: sudo security, bug fix and enhancement update 2013-11-20 21:52:06 UTC

Description jzhang 2013-08-07 16:13:19 UTC
Description of problem:

Version-Release number of selected component (if applicable):
RHEL 6.4
sudo 1.8.6p3


How reproducible:


Steps to Reproduce:
1. From root, execute sudo -u <user> sudo -l to show the sudo list of that user.

Actual results:
*** glibc detected *** sudo: realloc(): invalid next size: 0x00007f2ddd90bc10 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x3d39e760e6)[0x7f2ddab9c0e6]
/lib64/libc.so.6(+0x3d39e7bae7)[0x7f2ddaba1ae7]
/lib64/libc.so.6(realloc+0xe5)[0x7f2ddaba1ca5]
/usr/libexec/sudoers.so(+0x2d8b3)[0x7f2dd486b8b3]
/usr/libexec/sudoers.so(+0x2e4b9)[0x7f2dd486c4b9]
/usr/libexec/sudoers.so(+0x152f1)[0x7f2dd48532f1]
/usr/libexec/sudoers.so(+0x12c34)[0x7f2dd4850c34]
/usr/libexec/sudoers.so(+0x1349f)[0x7f2dd485149f]
sudo(+0xe708)[0x7f2ddb92b708]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7f2ddab44cdd]
sudo(+0x3f59)[0x7f2ddb920f59]
======= Memory map: ========
7f2dcfeb1000-7f2dcfec7000 r-xp 00000000 08:03 43                         /lib64/libgcc_s-4.4.7-20120601.so.1
7f2dcfec7000-7f2dd00c6000 ---p 00016000 08:03 43                         /lib64/libgcc_s-4.4.7-20120601.so.1
7f2dd00c6000-7f2dd00c7000 rw-p 00015000 08:03 43                         /lib64/libgcc_s-4.4.7-20120601.so.1
7f2dd00c7000-7f2dd00cb000 r-xp 00000000 08:03 230                        /lib64/security/pam_limits.so
7f2dd00cb000-7f2dd02ca000 ---p 00004000 08:03 230                        /lib64/security/pam_limits.so
7f2dd02ca000-7f2dd02cb000 r--p 00003000 08:03 230                        /lib64/security/pam_limits.so
7f2dd02cb000-7f2dd02cc000 rw-p 00004000 08:03 230                        /lib64/security/pam_limits.so
7f2dd02cc000-7f2dd02ce000 r-xp 00000000 08:03 228                        /lib64/security/pam_keyinit.so
7f2dd02ce000-7f2dd04cd000 ---p 00002000 08:03 228                        /lib64/security/pam_keyinit.so
7f2dd04cd000-7f2dd04ce000 r--p 00001000 08:03 228                        /lib64/security/pam_keyinit.so
7f2dd04ce000-7f2dd04cf000 rw-p 00002000 08:03 228                        /lib64/security/pam_keyinit.so
7f2dd04cf000-7f2dd04d7000 r-xp 00000000 08:03 137130                     /usr/lib64/libcrack.so.2.8.1
7f2dd04d7000-7f2dd06d7000 ---p 00008000 08:03 137130                     /usr/lib64/libcrack.so.2.8.1
7f2dd06d7000-7f2dd06d8000 rw-p 00008000 08:03 137130                     /usr/lib64/libcrack.so.2.8.1
7f2dd06d8000-7f2dd06dc000 rw-p 00000000 00:00 0
7f2dd06e6000-7f2dd06e9000 r-xp 00000000 08:03 214                        /lib64/security/pam_cracklib.so
7f2dd06e9000-7f2dd08e8000 ---p 00003000 08:03 214                        /lib64/security/pam_cracklib.so
7f2dd08e8000-7f2dd08e9000 r--p 00002000 08:03 214                        /lib64/security/pam_cracklib.so
7f2dd08e9000-7f2dd08ea000 rw-p 00003000 08:03 214                        /lib64/security/pam_cracklib.so
7f2dd08ea000-7f2dd08eb000 r-xp 00000000 08:03 239                        /lib64/security/pam_permit.so
7f2dd08eb000-7f2dd0aea000 ---p 00001000 08:03 239                        /lib64/security/pam_permit.so
7f2dd0aea000-7f2dd0aeb000 r--p 00000000 08:03 239                        /lib64/security/pam_permit.so
7f2dd0aeb000-7f2dd0aec000 rw-p 00001000 08:03 239                        /lib64/security/pam_permit.so
7f2dd0aec000-7f2dd0aed000 r-xp 00000000 08:03 232                        /lib64/security/pam_localuser.so
7f2dd0aed000-7f2dd0ced000 ---p 00001000 08:03 232                        /lib64/security/pam_localuser.so
7f2dd0ced000-7f2dd0cee000 r--p 00001000 08:03 232                        /lib64/security/pam_localuser.so
7f2dd0cee000-7f2dd0cef000 rw-p 00002000 08:03 232                        /lib64/security/pam_localuser.so
7f2dd0cef000-7f2dd0cf0000 r-xp 00000000 08:03 216                        /lib64/security/pam_deny.so
7f2dd0cf0000-7f2dd0eef000 ---p 00001000 08:03 216                        /lib64/security/pam_deny.so
7f2dd0eef000-7f2dd0ef0000 r--p 00000000 08:03 216                        /lib64/security/pam_deny.so
7f2dd0ef0000-7f2dd0ef1000 rw-p 00001000 08:03 216                        /lib64/security/pam_deny.so
7f2dd0ef1000-7f2dd0ef4000 r-xp 00000000 08:03 250                        /lib64/security/pam_succeed_if.so
7f2dd0ef4000-7f2dd10f3000 ---p 00003000 08:03 250                        /lib64/security/pam_succeed_if.so
7f2dd10f3000-7f2dd10f4000 r--p 00002000 08:03 250                        /lib64/security/pam_succeed_if.so
7f2dd10f4000-7f2dd10f5000 rw-p 00003000 08:03 250                        /lib64/security/pam_succeed_if.so
7f2dd10f5000-7f2dd110b000 r-xp 00000000 08:03 520                        /lib64/libnsl-2.12.so
7f2dd110b000-7f2dd130a000 ---p 00016000 08:03 520                        /lib64/libnsl-2.12.so
7f2dd130a000-7f2dd130b000 r--p 00015000 08:03 520                        /lib64/libnsl-2.12.so
7f2dd130b000-7f2dd130c000 rw-p 00016000 08:03 520                        /lib64/libnsl-2.12.so
7f2dd130c000-7f2dd130e000 rw-p 00000000 00:00 0
7f2dd130e000-7f2dd131a000 r-xp 00000000 08:03 256                        /lib64/security/pam_unix.so
7f2dd131a000-7f2dd1519000 ---p 0000c000 08:03 256                        /lib64/security/pam_unix.so
7f2dd1519000-7f2dd151a000 r--p 0000b000 08:03 256                        /lib64/security/pam_unix.so
7f2dd151a000-7f2dd151b000 rw-p 0000c000 08:03 256                        /lib64/security/pam_unix.so
7f2dd151b000-7f2dd1527000 rw-p 00000000 00:00 0
7f2dd1527000-7f2dd160b000 r-xp 00000000 08:03 288                        /lib64/libglib-2.0.so.0.2200.5
7f2dd160b000-7f2dd180a000 ---p 000e4000 08:03 288                        /lib64/libglib-2.0.so.0.2200.5
7f2dd180a000-7f2dd180c000 rw-p 000e3000 08:03 288                        /lib64/libglib-2.0.so.0.2200.5
7f2dd180c000-7f2dd184f000 r-xp 00000000 08:03 112                        /lib64/libgobject-2.0.so.0.2200.5
7f2dd184f000-7f2dd1a4f000 ---p 00043000 08:03 112                        /lib64/libgobject-2.0.so.0.2200.5
7f2dd1a4f000-7f2dd1a51000 rw-p 00043000 08:03 112                        /lib64/libgobject-2.0.so.0.2200.5
7f2dd1a51000-7f2dd1a58000 r-xp 00000000 08:03 286                        /lib64/librt-2.12.so
7f2dd1a58000-7f2dd1c57000 ---p 00007000 08:03 286                        /lib64/librt-2.12.so
7f2dd1c57000-7f2dd1c58000 r--p 00006000 08:03 286                        /lib64/librt-2.12.so
7f2dd1c58000-7f2dd1c59000 rw-p 00007000 08:03 286                        /lib64/librt-2.12.so
7f2dd1c59000-7f2dd1c99000 r-xp 00000000 08:03 459                        /lib64/libdbus-1.so.3.4.0
7f2dd1c99000-7f2dd1e98000 ---p 00040000 08:03 459                        /lib64/libdbus-1.so.3.4.0
7f2dd1e98000-7f2dd1e99000 r--p 0003f000 08:03 459                        /lib64/

Expected results:
sudo list of that user

Additional info:

Comment 2 Daniel Kopeček 2013-08-09 10:46:20 UTC
I can't reproduce this bug. Could you please attach your sudoers file?

I've tested these use cases:
------------------
# sudo -U dkopecek -l
User dkopecek is not allowed to run sudo on rhws.
#
------------------
# sudo -u dkopecek sudo -l
[sudo] password for dkopecek: 
Sorry, user dkopecek may not run sudo on rhws.
#
------------------
... and the same with some rules in sudoers ...

------------------
# sudo -U dkopecek -l
Matching Defaults entries for dkopecek on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User dkopecek may run the following commands on this host:
    (ALL) /bin/true
#
------------------
# sudo -u dkopecek sudo -l
[sudo] password for dkopecek: 
Matching Defaults entries for dkopecek on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User dkopecek may run the following commands on this host:
    (ALL) /bin/true
------------------

Comment 4 Daniel Kopeček 2013-08-12 13:53:15 UTC
Thanks, I've reproduced the crash with your sudoers file. Here's the backtrace:

#0  0x00007fb86923ec55 in raise () from /lib64/libc.so.6
#1  0x00007fb869240408 in abort () from /lib64/libc.so.6
#2  0x00007fb86927e64b in __libc_message () from /lib64/libc.so.6
#3  0x00007fb869284826 in malloc_printerr () from /lib64/libc.so.6
#4  0x00007fb869287be8 in _int_realloc () from /lib64/libc.so.6
#5  0x00007fb869288b55 in realloc () from /lib64/libc.so.6
#6  0x00007fb862791dd3 in erealloc (ptr=<optimized out>, size=<optimized out>)
    at ./alloc.c:144
#7  0x00007fb8627929b2 in lbuf_append (lbuf=lbuf@entry=0x7fff65aebfb0, 
    fmt=fmt@entry=0x7fb86279642f "\n\n") at ./lbuf.c:157
#8  0x00007fb862779751 in display_privs (snl=0x7fb8629ac250 <snl.5779>, 
    pw=0x7fb86a5b1cb8) at ./sudo_nss.c:284
#9  0x00007fb862776d74 in sudoers_policy_main (argc=argc@entry=0, 
    argv=argv@entry=0x7fff65aec478, pwflag=pwflag@entry=52, 
    env_add=env_add@entry=0x0, command_infop=command_infop@entry=0x0, 
    argv_out=argv_out@entry=0x0, user_env_out=user_env_out@entry=0x0)
    at ./sudoers.c:539
#10 0x00007fb8627775df in sudoers_policy_list (argc=0, argv=0x7fff65aec478, 
    verbose=0, list_user=0x0) at ./sudoers.c:815
#11 0x00007fb86a0356bd in policy_list (plugin=0x7fb86a250ac0 <policy_plugin>, 
    plugin=0x7fb86a250ac0 <policy_plugin>, list_user=0x0, verbose=0, 
    argv=0x7fff65aec478, argc=0) at ./sudo.c:1215
#12 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>)
    at ./sudo.c:253
(gdb)

Comment 5 Daniel Kopeček 2013-08-12 13:54:06 UTC
full bt:

(gdb) bt full
#0  0x00007fb86923ec55 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007fb869240408 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007fb86927e64b in __libc_message () from /lib64/libc.so.6
No symbol table info available.
#3  0x00007fb869284826 in malloc_printerr () from /lib64/libc.so.6
No symbol table info available.
#4  0x00007fb869287be8 in _int_realloc () from /lib64/libc.so.6
No symbol table info available.
#5  0x00007fb869288b55 in realloc () from /lib64/libc.so.6
No symbol table info available.
#6  0x00007fb862791dd3 in erealloc (ptr=<optimized out>, size=<optimized out>)
    at ./alloc.c:144
No locals.
#7  0x00007fb8627929b2 in lbuf_append (lbuf=lbuf@entry=0x7fff65aebfb0, 
    fmt=fmt@entry=0x7fb86279642f "\n\n") at ./lbuf.c:157
        ap = {{gp_offset = 16, fp_offset = 32696, 
            overflow_arg_area = 0x7fff65aebfb0, 
            reg_save_area = 0x7fff65aebf40}}
        len = 1
        s = 0x0
        __func__ = "lbuf_append"
#8  0x00007fb862779751 in display_privs (snl=0x7fb8629ac250 <snl.5779>, 
    pw=0x7fb86a5b1cb8) at ./sudo_nss.c:284
        nss = 0x0
        defs = {output = 0x7fb8627791d0 <output>, 
          buf = 0x7fb86a5c7340 "Matching Defaults entries for bworks on this host:\n    !visiblepw, always_set_home, umask=0002, !lecture, !env_reset, secure_path=/usr/local/broadworks/swmanager/bin\\:/usr/local/broadworks/patchtool/b"..., continuation = 0x0, indent = 4, len = 524, size = 768, cols = 146}
        privs = {output = 0x7fb8627791d0 <output>, buf = 0x0, 
          continuation = 0x0, indent = 4, len = 0, size = 0, cols = 146}
        sb = {st_dev = 10, st_ino = 6, st_nlink = 1, st_mode = 8592, 
          st_uid = 1000, st_gid = 5, __pad0 = 0, st_rdev = 34819, st_size = 0, 
          st_blksize = 1024, st_blocks = 0, st_atim = {tv_sec = 1376314840, 
            tv_nsec = 882985085}, st_mtim = {tv_sec = 1376314840, 
            tv_nsec = 882985085}, st_ctim = {tv_sec = 1376310207, 
            tv_nsec = 882985085}, __unused = {0, 0, 0}}
        cols = <optimized out>
        count = 6
        olen = <optimized out>
        __func__ = "display_privs"
#9  0x00007fb862776d74 in sudoers_policy_main (argc=argc@entry=0, 
    argv=argv@entry=0x7fff65aec478, pwflag=pwflag@entry=52, 
    env_add=env_add@entry=0x0, command_infop=command_infop@entry=0x0, 
    argv_out=argv_out@entry=0x0, user_env_out=user_env_out@entry=0x0)
    at ./sudoers.c:539
        command_info = {0x0 <repeats 32 times>}
        edit_argv = 0x0
        nss = <optimized out>
        cmnd_status = <optimized out>
        validated = 130
        info_len = 0
        rval = 0
        __func__ = "sudoers_policy_main"
#10 0x00007fb8627775df in sudoers_policy_list (argc=0, argv=0x7fff65aec478, 
    verbose=0, list_user=0x0) at ./sudoers.c:815
        rval = <optimized out>
        __func__ = "sudoers_policy_list"
#11 0x00007fb86a0356bd in policy_list (plugin=0x7fb86a250ac0 <policy_plugin>, 
    plugin=0x7fb86a250ac0 <policy_plugin>, list_user=0x0, verbose=0, 
    argv=0x7fff65aec478, argc=0) at ./sudo.c:1215
        sudo_debug_rval = <optimized out>
        sudo_debug_subsys = 448
#12 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>)
    at ./sudo.c:253
        nargc = 0
        ok = <optimized out>
        exitcode = 0
        nargv = 0x7fff65aec478
        settings = 0x7fb86a5a6bd0
        env_add = <optimized out>
        user_info = 0x7fb86a5a5050
        command_info = <optimized out>
        argv_out = <optimized out>
        user_env_out = <optimized out>
        plugin = <optimized out>
        next = <optimized out>
        command_details = {uid = 16, euid = 0, gid = 1764290082, egid = 32696, 
          umask = 2, priority = 0, timeout = 1771962294, ngroups = 32696, 
          closefrom = 0, flags = 0, pw = 0x7fb8699d2de9 <set_selinuxmnt+9>, 
          groups = 0x7fff65aec468, 
          command = 0x7fb8699ce2bc <verify_selinuxmnt+124> "\353\350f\220AV\277\036", cwd = 0x1000 <Address 0x1000 out of bounds>, 
          login_class = 0x1000 <Address 0x1000 out of bounds>, chroot = 0x0, 
          selinux_role = 0x0, selinux_type = 0x0, utmp_user = 0x0, argv = 0x0, 
          envp = 0x0}
        mask = {__val = {0 <repeats 16 times>}}
        __func__ = "main"

Comment 6 Daniel Kopeček 2013-08-12 15:33:28 UTC
The bug is in the lbuf_append_quoted function:

--- lbuf.c~	2012-09-18 15:56:28.000000000 +0200
+++ lbuf.c	2013-08-12 17:01:02.335470715 +0200
 -100,7 +100,7 @@
 	if (lbuf->len + (len * 2) + 1 >= lbuf->size) {
 	    do {
 		lbuf->size += 256;
-	    } while (lbuf->len + len + 1 >= lbuf->size);
+	    } while (lbuf->len + (len * 2) + 1 >= lbuf->size);
 	    lbuf->buf = erealloc(lbuf->buf, lbuf->size);
 	}
 	if (*fmt == '%') {
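Review bot: the patched loop test now agrees with the guard two lines above it, but the underlying problem is that the same bound was written twice and drifted apart. With the old code, once lbuf->size exceeded lbuf->len + len + 1 the do/while stopped, even though the guard had just demanded room for lbuf->len + (len * 2) + 1; the allocation could therefore end up short by up to len bytes, and the escaped output written after the erealloc ran past the end of lbuf->buf. Suggest moving the grow-by-256-until-it-fits loop into one helper that takes the required byte count (the upstream refactoring linked below does exactly that), so that lbuf_append and lbuf_append_quoted cannot disagree again, and adding a one-line comment on why the quoted variant budgets len * 2 so the next person touching the loop keeps the two expressions in step.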

and it looks like this is already fixed upstream by refactoring the code that expands the buffer:

 http://www.sudo.ws/repos/sudo/raw-rev/6283ee562ef4
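
The mismatch between the guard and the loop test in the hunk above, modelled in C as an added example. This is not sudo's code and was not posted in this bug; it keeps only the parts that matter (an lbuf with buf/len/size, growth in 256-byte steps, the len * 2 worst case from the guard) and assumes the quoted form of a string at most doubles its length. Names such as lbuf_append_quoted_model and run_demo, the escape set and the 300-byte input are all constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stripped-down model of sudo's lbuf; added illustration, not sudo's code. */
struct lbuf {
    char *buf;
    size_t len;   /* bytes in use, not counting the terminating NUL */
    size_t size;  /* bytes allocated */
};

/*
 * Growth policy from the hunk: when the quoted text (worst case len * 2,
 * plus NUL) may not fit, bump size by 256 until the loop test fails.
 * patched == 0 uses the old loop test (len + 1), patched != 0 the new one.
 */
size_t lbuf_grow_size(size_t cur_len, size_t cur_size, size_t len, int patched)
{
    size_t size = cur_size;

    if (cur_len + (len * 2) + 1 >= size) {
        do {
            size += 256;
        } while (patched ? cur_len + (len * 2) + 1 >= size
                         : cur_len + len + 1 >= size);
    }
    return size;
}

/* Bytes needed for s with every character found in set backslash-escaped. */
size_t quoted_len(const char *s, const char *set)
{
    size_t n = 0;

    for (; *s != '\0'; s++)
        n += strchr(set, *s) != NULL ? 2 : 1;
    return n;
}

/*
 * Append s with characters from set escaped, growing the buffer with the
 * chosen loop test. Unlike the real code every store is bounds-checked:
 * bytes that do not fit are dropped and counted, and the count is returned
 * (0 means the append fit in the allocation).
 */
size_t lbuf_append_quoted_model(struct lbuf *lbuf, const char *set,
                                const char *s, int patched)
{
    size_t len = strlen(s);
    size_t need = lbuf->len + quoted_len(s, set) + 1;   /* + NUL */
    size_t newsize = lbuf_grow_size(lbuf->len, lbuf->size, len, patched);
    size_t overflow = 0;

    if (newsize != lbuf->size) {
        char *p = realloc(lbuf->buf, newsize);
        if (p == NULL) {
            perror("realloc");
            exit(1);
        }
        lbuf->buf = p;
        lbuf->size = newsize;
    }
    if (need > lbuf->size)
        overflow = need - lbuf->size;

    for (; *s != '\0'; s++) {
        if (strchr(set, *s) != NULL) {
            if (lbuf->len + 1 < lbuf->size)
                lbuf->buf[lbuf->len] = '\\';
            lbuf->len++;          /* logical length keeps counting */
        }
        if (lbuf->len + 1 < lbuf->size)
            lbuf->buf[lbuf->len] = *s;
        lbuf->len++;
    }
    lbuf->buf[lbuf->len < lbuf->size ? lbuf->len : lbuf->size - 1] = '\0';
    return overflow;
}

/* Constructed worst case: 300 characters that all need escaping, appended to
 * an empty buffer. Returns how many bytes the real code would have written
 * past the end of buf with the given loop test. */
size_t run_demo(int patched)
{
    struct lbuf lbuf = { NULL, 0, 0 };
    char input[301];
    size_t overflow;

    memset(input, ' ', sizeof(input) - 1);
    input[sizeof(input) - 1] = '\0';
    overflow = lbuf_append_quoted_model(&lbuf, " ", input, patched);
    free(lbuf.buf);
    return overflow;
}

int main(void)
{
    printf("old loop test:     %zu bytes past the end of buf\n", run_demo(0));
    printf("patched loop test: %zu bytes past the end of buf\n", run_demo(1));
    return 0;
}
```

With the old loop test the 300-byte input grows the buffer to 512 bytes while the escaped output needs 601, so 89 bytes would have gone past the end; with the patched test the buffer grows to 768 and everything fits. The model drops those bytes instead of writing them because in the real code they land in whatever heap chunk follows buf and clobber its size header; glibc only notices that on a later realloc, which is why the abort in the backtrace above surfaces inside lbuf_append (frame #7) rather than in lbuf_append_quoted where the bytes were written.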

Comment 7 Daniel Kopeček 2013-08-12 15:40:04 UTC
Created attachment 785762 [details]
proposed patch

Comment 8 Daniel Kopeček 2013-08-13 10:24:56 UTC
Upstream fixed this in 1.7 too after the report on their mailing list:

 http://www.sudo.ws/repos/sudo/rev/be4d8b83d203

Comment 14 errata-xmlrpc 2013-11-21 23:14:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-1701.html

