From owner-freebsd-bugs@FreeBSD.ORG Tue Jan 17 13:10:09 2012
Resent-Date: Tue, 17 Jan 2012 13:10:08 GMT
Resent-Message-Id: <201201171310.q0HDA8Ni041098@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Alexander Wittig
Message-Id: <201201171303.q0HD3Lvi068179@red.freebsd.org>
Date: Tue, 17 Jan 2012 13:03:21 GMT
From: Alexander Wittig
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/164238: [patch] NULL pointer dereference in setusercontext (libutil)

>Number:         164238
>Category:       kern
>Synopsis:       [patch] NULL pointer dereference in setusercontext (libutil)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 17 13:10:08 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Alexander Wittig
>Release:        9.0-STABLE
>Organization:
>Environment:
FreeBSD hotzenplotz.wittig.name 9.0-STABLE FreeBSD 9.0-STABLE #5: Wed Jan 11 22:15:18 CET 2012 root@hotzenplotz.wittig.name:/usr/obj/usr/src/sys/ALEX amd64
>Description:
With certain combinations of parameters, it's possible to cause a NULL pointer dereference in setusercontext in libutil. It's probably not a huge problem, as the parameters have to be somewhat esoteric, but I suppose even when fed bogus parameters, library functions should not segfault.

The same problem exists in HEAD.

This was found while poking around in the clang analyzer output at http://scan.freebsd.your.org/freebsd-head/lib.libutil/2012-01-12-amd64/report-NgeNvT.html#EndPath (but is not the solution to that particular problem, which is a false positive).
>How-To-Repeat:
Run this program as non-root with an entry such as

test:\
	:priority=-10:

in login.conf. The syslog call on line 465 (and similar) of libutil/login_class.c tries to include information on the user name by accessing pwd, even if it's NULL.
Since the new login class ("test") priority is less than the default priority, root privileges are required to change it, and the setpriority call fails, prompting the syslog call.

#include <sys/types.h>
#include <login_cap.h>
#include <pwd.h>
#include <stdio.h>

int main(void)
{
	login_cap_t *lc;
	struct passwd *pwd;

	lc = login_getclass("test");	/* its priority is -10 */
	pwd = getpwuid(0);

	/* OK */
	setusercontext(lc, pwd, 0, LOGIN_SETPRIORITY);
	printf("First call was OK\n");

	/* segfaults: pwd is NULL and the failing setpriority path logs pwd->pw_name */
	setusercontext(lc, NULL, 0, LOGIN_SETPRIORITY);
	printf("Second call not so much\n");

	return 0;
}
>Fix:
The attached patch should fix the problem by printing "-" in the warning message if no pwd entry was passed and setting the priority fails.

Patch attached with submission follows:

--- /usr/src/lib/libutil/login_class.c	2011-09-23 02:51:37.000000000 +0200
+++ login_class.c	2012-01-17 13:50:05.000000000 +0100
@@ -452,18 +452,18 @@
 			p = (rtp.prio > RTP_PRIO_MAX) ? 31 : p;
 			if (rtprio(RTP_SET, 0, &rtp))
 				syslog(LOG_WARNING, "rtprio '%s' (%s): %m",
-				    pwd->pw_name, lc ? lc->lc_class : LOGIN_DEFCLASS);
+				    pwd ? pwd->pw_name : "-", lc ? lc->lc_class : LOGIN_DEFCLASS);
 		} else if (p < PRIO_MIN) {
 			rtp.type = RTP_PRIO_REALTIME;
 			rtp.prio = abs(p - PRIO_MIN + RTP_PRIO_MAX);
 			p = (rtp.prio > RTP_PRIO_MAX) ? 1 : p;
 			if (rtprio(RTP_SET, 0, &rtp))
 				syslog(LOG_WARNING, "rtprio '%s' (%s): %m",
-				    pwd->pw_name, lc ? lc->lc_class : LOGIN_DEFCLASS);
+				    pwd ? pwd->pw_name : "-", lc ? lc->lc_class : LOGIN_DEFCLASS);
 		} else {
 			if (setpriority(PRIO_PROCESS, 0, (int)p) != 0)
 				syslog(LOG_WARNING, "setpriority '%s' (%s): %m",
-				    pwd->pw_name, lc ? lc->lc_class : LOGIN_DEFCLASS);
+				    pwd ? pwd->pw_name : "-", lc ? lc->lc_class : LOGIN_DEFCLASS);
 		}
 	}
>Release-Note:
>Audit-Trail:
>Unformatted:
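Review bot: the same guard `pwd ? pwd->pw_name : "-"` is pasted into all three syslog calls of the hunk, which invites the three sites drifting apart on the next edit; hoist it once above the branch, e.g. `const char *name = pwd ? pwd->pw_name : "-";`, and pass `name` to each syslog, mirroring how `lc ? lc->lc_class : LOGIN_DEFCLASS` is already computed per call. The description above says the dereference is at line 465 "(and similar)", but the hunk only touches the LOGIN_SETPRIORITY block, so before committing it is worth confirming that no other pwd->pw_name use in setusercontext is reachable with a NULL pwd, otherwise the repro program merely moves to the next flag.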