Date:      Tue, 17 Jan 2012 13:03:21 GMT
From:      Alexander Wittig <alexander@wittig.name>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/164238: [patch] NULL pointer dereference in setusercontext (libutil)
Message-ID:  <201201171303.q0HD3Lvi068179@red.freebsd.org>
Resent-Message-ID: <201201171310.q0HDA8Ni041098@freefall.freebsd.org>


>Number:         164238
>Category:       kern
>Synopsis:       [patch] NULL pointer dereference in setusercontext (libutil)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 17 13:10:08 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Alexander Wittig
>Release:        9.0-STABLE
>Organization:
>Environment:
FreeBSD hotzenplotz.wittig.name 9.0-STABLE FreeBSD 9.0-STABLE #5: Wed Jan 11 22:15:18 CET 2012     root@hotzenplotz.wittig.name:/usr/obj/usr/src/sys/ALEX  amd64

>Description:
With certain combinations of parameters, it's possible to cause a NULL pointer dereference in setusercontext in libutil.
It's probably not a huge problem, as the parameters have to be somewhat esoteric, but I suppose even when fed bogus parameters, library functions should not segfault. The same problem exists in HEAD.

This was found while poking around in the clang analyzer output at http://scan.freebsd.your.org/freebsd-head/lib.libutil/2012-01-12-amd64/report-NgeNvT.html#EndPath
(but is not the solution to that particular problem which is a false positive).
>How-To-Repeat:
Run this program as non-root with an entry such as
test:\
        :priority=-10:
in login.conf.
The syslog call on line 465 (and similar) of libutil/login_class.c tries to include information on the user name by accessing pwd, even if it's NULL. Since the new login class ("test") priority is less than the default priority, root privileges are required to change it and the setpriority call fails prompting the syslog call.


#include <stdio.h>
#include <sys/types.h>
#include <login_cap.h>
#include <pwd.h>

int main(void)
{
	login_cap_t *lc;
	struct passwd *pwd;

	/* Look up the "test" login class from login.conf; its priority is -10. */
	lc = login_getclass("test");
	/* Any existing passwd entry will do; uid 0 is always present. */
	pwd = getpwuid(0);

	/* OK: setpriority() fails for a non-root user, but the warning has a pw_name to print. */
	setusercontext(lc, pwd, 0, LOGIN_SETPRIORITY);
	printf("First call was OK\n");

	/* Segfaults: the same failing path dereferences pwd->pw_name with pwd == NULL. */
	setusercontext(lc, NULL, 0, LOGIN_SETPRIORITY);
	printf("Second call not so much\n");

	return 0;
}

>Fix:
The attached patch should fix the problem by printing "-" in the warning message if no pwd entry was passed and setting the priority fails.

Patch attached with submission follows:

--- /usr/src/lib/libutil/login_class.c  2011-09-23 02:51:37.000000000 +0200
+++ login_class.c       2012-01-17 13:50:05.000000000 +0100
@@ -452,18 +452,18 @@
            p = (rtp.prio > RTP_PRIO_MAX) ? 31 : p;
            if (rtprio(RTP_SET, 0, &rtp))
                syslog(LOG_WARNING, "rtprio '%s' (%s): %m",
-                   pwd->pw_name, lc ? lc->lc_class : LOGIN_DEFCLASS);
+                   pwd ? pwd->pw_name : "-", lc ? lc->lc_class : 
LOGIN_DEFCLASS);
        } else if (p < PRIO_MIN) {
            rtp.type = RTP_PRIO_REALTIME;
            rtp.prio = abs(p - PRIO_MIN + RTP_PRIO_MAX);
            p = (rtp.prio > RTP_PRIO_MAX) ? 1 : p;
            if (rtprio(RTP_SET, 0, &rtp))
                syslog(LOG_WARNING, "rtprio '%s' (%s): %m",
-                   pwd->pw_name, lc ? lc->lc_class : LOGIN_DEFCLASS);
+                   pwd ? pwd->pw_name : "-", lc ? lc->lc_class : 
LOGIN_DEFCLASS);
        } else {
            if (setpriority(PRIO_PROCESS, 0, (int)p) != 0)
                syslog(LOG_WARNING, "setpriority '%s' (%s): %m",
-                   pwd->pw_name, lc ? lc->lc_class : LOGIN_DEFCLASS);
+                   pwd ? pwd->pw_name : "-", lc ? lc->lc_class : 
LOGIN_DEFCLASS);
        }
     }
 
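Review bot: the `LOGIN_DEFCLASS);` continuation after each of the three `+` lines has lost its `+` prefix (it looks like the mailer wrapped the long lines), so this hunk will not apply with patch(1) as quoted; please re-send the patch as an attachment or re-join each wrapped line, e.g. `+                   pwd ? pwd->pw_name : "-", lc ? lc->lc_class : LOGIN_DEFCLASS);`. Also, the same `pwd ? pwd->pw_name : "-"` expression now appears three times; computing it once into a local (`const char *name = pwd ? pwd->pw_name : "-";`) before the priority branches and passing `name` to all three syslog() calls would keep the NULL fallback in one place and make any remaining pwd dereference in this function easier to spot.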



>Release-Note:
>Audit-Trail:
>Unformatted:


