From owner-freebsd-bugs@FreeBSD.ORG Wed Apr 16 10:30:05 2008 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1111A106564A for ; Wed, 16 Apr 2008 10:30:05 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 018288FC1F for ; Wed, 16 Apr 2008 10:30:05 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m3GAU4Xc058153 for ; Wed, 16 Apr 2008 10:30:04 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m3GAU4TR058150; Wed, 16 Apr 2008 10:30:04 GMT (envelope-from gnats) Date: Wed, 16 Apr 2008 10:30:04 GMT Message-Id: <200804161030.m3GAU4TR058150@freefall.freebsd.org> To: freebsd-bugs@FreeBSD.org From: Jaakko Heinonen Cc: Subject: Re: bin/112694: segfault in pam_lastlog(8) on sshd exit when no pty allocated X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Jaakko Heinonen List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Apr 2008 10:30:05 -0000 The following reply was made to PR bin/112694; it has been noted by GNATS. From: Jaakko Heinonen To: Christopher Cowart , bug-followup@FreeBSD.org Cc: Subject: Re: bin/112694: segfault in pam_lastlog(8) on sshd exit when no pty allocated Date: Wed, 16 Apr 2008 13:25:48 +0300 --qMm9M+Fa2AknHoGS Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Hi, On 2008-04-15, Christopher Cowart wrote: > I think when we run it both via the sshd and login stacks, it gets > executed twice for logouts. If your testing shows no segfaults in that > situation, I'm content that the problem is solved. Thanks for the information. The bug is still there. I can reproduce it now if I configure pam this way. revision 1.23 (src/lib/libpam/modules/pam_lastlog/pam_lastlog.c) commit message: Apply the same error checks to PAM_TTY in pam_sm_close_session() as in pam_sm_open_session(), avoiding false negatives when no tty is present. However the commit failed to add a check for NULL tty name (the check is present in pam_sm_open_session()). Attached patch should fix the problem. -- Jaakko --qMm9M+Fa2AknHoGS Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="pam_lastlog-segfault.diff" Index: pam_lastlog.c =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_lastlog/pam_lastlog.c,v retrieving revision 1.23 diff -p -u -r1.23 pam_lastlog.c --- pam_lastlog.c 22 Jul 2007 15:17:29 -0000 1.23 +++ pam_lastlog.c 16 Apr 2008 09:08:49 -0000 @@ -183,6 +183,10 @@ pam_sm_close_session(pam_handle_t *pamh pam_err = pam_get_item(pamh, PAM_TTY, (const void **)&tty); if (pam_err != PAM_SUCCESS) goto err; + if (tty == NULL) { + pam_err = PAM_SERVICE_ERR; + goto err; + } if (strncmp(tty, _PATH_DEV, strlen(_PATH_DEV)) == 0) tty = (const char *)tty + strlen(_PATH_DEV); if (*(const char *)tty == '\0') --qMm9M+Fa2AknHoGS--