Date:      Sun, 6 May 2001 15:08:32 +0200 (CEST)
From:      stolz@i2.informatik.rwth-aachen.de (Volker Stolz)
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   bin/27154: login(1) accesses pam_getenvlist() *after* pam_end()
Message-ID:  <200105061308.f46D8WL22692@monster.ikea.net>


>Number:         27154
>Category:       bin
>Synopsis:       login(1) accesses pam_getenvlist() *after* pam_end()
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 06 06:10:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Volker Stolz
>Release:        FreeBSD 4.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD monster.ikea.net 4.3-STABLE FreeBSD 4.3-STABLE #0: Sun May 6 11:38:07 CEST 2001 root@monster.ikea.net:/opt/src/sys/compile/MONOMO i386


>Description:
login(1) will call pam_end() before accessing the data obtained by
pam_getenvlist(), thus accessing stale data and free() will start complaining.
Of course the area used for storing the data has been invalidated before, as
pam_close() cleans up after itself :/

However, this seems to have gone unnoted as nobody was passing on any
changes in the environment.

>How-To-Repeat:
Install /usr/ports/security/pam_ssh,
make corresponding adjustments to /etc/pam.conf, log in:
login will succeed, but you will get a warning:
login in free(): warning: junk pointer, too high to make sense.
SSH-variables will remain unset.

>Fix:
*shrug* I'm currently wibbling around in login.c, patch might follow.
Obviously you have to copy the environment before pam_end()...
pam_misc_copy_env() and pam_misc_drop_env() should help, too.
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_modules-2.html#ss2.2

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
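
The ordering that the Fix section calls for (copy the environment before pam_end()), as an added example that is not part of the original message or of login.c. `struct session`, `session_start()`, `session_envlist()`, `session_end()`, `copy_env()`, `drop_env()` and `env_surviving_end()` are hypothetical stand-ins for the PAM handle, pam_getenvlist(), pam_end() and the copy/drop helpers, assuming, as the report describes, that ending the handle invalidates the list.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for a PAM handle that owns its environment list. */
struct session { char **env; };

static void drop_env(char **env) {
    for (char **p = env; env && *p; p++) free(*p);
    free(env);
}

/* Deep-copy a NULL-terminated "NAME=value" vector; NULL on allocation failure. */
static char **copy_env(const char *const *env) {
    size_t n = 0;
    while (env[n]) n++;
    char **out = calloc(n + 1, sizeof *out);
    for (size_t i = 0; out && i < n; i++) {
        size_t len = strlen(env[i]) + 1;
        if (!(out[i] = malloc(len))) { drop_env(out); return NULL; }
        memcpy(out[i], env[i], len);
    }
    return out;
}

static struct session *session_start(const char *const *vars) {
    struct session *s = malloc(sizeof *s);
    if (s && !(s->env = copy_env(vars))) { free(s); s = NULL; }
    return s;
}

/* The list is handle-owned: valid only until session_end() frees it. */
static char **session_envlist(struct session *s) { return s->env; }
static void session_end(struct session *s) { drop_env(s->env); free(s); }

/* Corrected ordering: take a private copy first, then end the session. */
static char **env_surviving_end(const char *const *vars) {
    struct session *s = session_start(vars);
    if (!s) return NULL;
    char **mine = copy_env((const char *const *)session_envlist(s));
    session_end(s);  /* reading session_envlist() storage after this is the bug */
    return mine;     /* caller releases it with drop_env() */
}

int main(void) {
    const char *vars[] = { "SSH_AGENT_PID=1234", "TERM=vt100", NULL }; /* constructed */
    char **env = env_surviving_end(vars);
    for (char **p = env; env && *p; p++) puts(*p);
    drop_env(env);
    return 0;
}
```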



