Date: Sun, 6 May 2001 15:08:32 +0200 (CEST)
From: stolz@i2.informatik.rwth-aachen.de (Volker Stolz)
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/27154: login(1) accesses pam_getenvlist() *after* pam_end()
Message-ID: <200105061308.f46D8WL22692@monster.ikea.net>

>Number:         27154
>Category:       bin
>Synopsis:       login(1) accesses pam_getenvlist() *after* pam_end()
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 06 06:10:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Volker Stolz
>Release:        FreeBSD 4.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD monster.ikea.net 4.3-STABLE FreeBSD 4.3-STABLE #0: Sun May 6 11:38:07 CEST 2001 root@monster.ikea.net:/opt/src/sys/compile/MONOMO i386

>Description:
login(1) will call pam_end() before accessing the data obtained by
pam_getenvlist(), thus accessing stale data and free() will start
complaining. Of course the area used for storing the data has been
invalidated before, as pam_close() cleans up after itself :/
However, this seems to have gone unnoted as nobody was passing on any
changes in the environment.

>How-To-Repeat:
Install /usr/ports/security/pam_ssh, make corresponding adjustments to
/etc/pam.conf, login:
login will succeed, but you will get a warning:
login in free(): warning: junk pointer, too high to make sense.
SSH-variables will remain unset.

>Fix:
*shrug* I'm currently wibbling around in login.c, patch might follow.
Obviously you have to copy the environment before pam_end()...
pam_misc_copy_env() and pam_misc_drop_env() should help, too.
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_modules-2.html#ss2.2

>Release-Note:
>Audit-Trail:
>Unformatted:
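
The ordering the Fix field calls for (copy the environment before pam_end()), as an added example that is not part of the original report or of FreeBSD's login.c. It does not link against libpam: struct mock_handle, mock_start() and mock_end() are hypothetical stand-ins for a handle whose teardown frees the environment list, and the variable values are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a PAM handle that owns its environment list. */
struct mock_handle { char **env; };

/* Free a NULL-terminated list of heap strings; a NULL list is a no-op. */
static void drop_env(char **env) {
    for (char **p = env; p != NULL && *p != NULL; p++) free(*p);
    free(env);
}

/* Deep-copy a NULL-terminated list; returns NULL if any allocation fails. */
static char **copy_env(char *const *src) {
    size_t n = 0;
    while (src[n] != NULL) n++;
    char **dst = calloc(n + 1, sizeof *dst);  /* zeroed, so always terminated */
    if (dst == NULL) return NULL;
    for (size_t i = 0; i < n; i++) {
        if ((dst[i] = malloc(strlen(src[i]) + 1)) == NULL) { drop_env(dst); return NULL; }
        strcpy(dst[i], src[i]);
    }
    return dst;
}

/* Constructed sample variables of the kind a module such as pam_ssh sets. */
static struct mock_handle *mock_start(void) {
    char *const sample[] = { "SSH_AUTH_SOCK=/tmp/constructed/agent", "SSH_AGENT_PID=4242", NULL };
    struct mock_handle *h = malloc(sizeof *h);
    if (h == NULL || (h->env = copy_env(sample)) == NULL) { free(h); return NULL; }
    return h;
}
/* Teardown frees everything the handle owns (assumed model of pam_end()). */
static void mock_end(struct mock_handle *h) { drop_env(h->env); free(h); }

/* Corrected order: copy first, end the session, then touch only the copy. */
static int ssh_vars_after_end(void) {
    struct mock_handle *h = mock_start();
    if (h == NULL) return -1;
    char **mine = copy_env(h->env);  /* copy BEFORE teardown */
    mock_end(h);                     /* h and h->env are invalid from here on */
    if (mine == NULL) return -1;
    int kept = 0;
    for (char **p = mine; *p != NULL; p++) kept += strncmp(*p, "SSH_", 4) == 0;
    drop_env(mine);                  /* the caller owns the copy and frees it once */
    return kept;
}
int main(void) { printf("%d SSH variables survive teardown\n", ssh_vars_after_end()); return 0; }
```

Swapping the copy_env() and mock_end() lines in ssh_vars_after_end() reproduces the class of bug in the report: reads of freed memory, which a build with AddressSanitizer or a debugging malloc will flag.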