Message-Id: <200105061308.f46D8WL22692@monster.ikea.net>
Date: Sun, 6 May 2001 15:08:32 +0200 (CEST)
From: stolz@i2.informatik.rwth-aachen.de (Volker Stolz)
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/27154: login(1) accesses pam_getenvlist() *after* pam_end()

>Number:         27154
>Category:       bin
>Synopsis:       login(1) accesses pam_getenvlist() *after* pam_end()
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 06 06:10:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Volker Stolz
>Release:        FreeBSD 4.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD monster.ikea.net 4.3-STABLE FreeBSD 4.3-STABLE #0: Sun May 6 11:38:07 CEST 2001 root@monster.ikea.net:/opt/src/sys/compile/MONOMO i386

>Description:
login(1) will call pam_end() before accessing the data obtained by
pam_getenvlist(), thus accessing stale data and free() will start
complaining. Of course the area used for storing the data has been
invalidated before, as pam_close() cleans up after itself :/

However, this seems to have gone unnoted as nobody was passing on any
changes in the environment.

>How-To-Repeat:
Install /usr/ports/security/pam_ssh, make corresponding adjustments to
/etc/pam.conf, login:

login will succeed, but you will get a warning:

  login in free(): warning: junk pointer, too high to make sense.

SSH-variables will remain unset.

>Fix:
*shrug* I'm currently wibbling around in login.c, patch might follow.
Obviously you have to copy the environment before pam_end()...

pam_misc_copy_env() and pam_misc_drop_env() should help, too.

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_modules-2.html#ss2.2

>Release-Note:
>Audit-Trail:
>Unformatted:
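
The ordering the report asks for (copy the environment before pam_end()), as an added C example that is not code from login.c or from the report. `mock_handle`, `mock_putenv`, `mock_end`, `env_snapshot`, `env_free` and `login_env` are hypothetical names modelling a handle that releases its environment storage when the session ends, and the variable values are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a PAM handle that owns its environment list. */
struct mock_handle { char **env; size_t n; };
static char *dup_str(const char *s) {
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}

/* Module side: store a private copy of "NAME=value" inside the handle. */
static int mock_putenv(struct mock_handle *h, const char *kv) {
    char *copy = dup_str(kv);
    char **grown = copy ? realloc(h->env, (h->n + 1) * sizeof *grown) : NULL;
    if (grown == NULL) { free(copy); return -1; }
    h->env = grown;
    h->env[h->n++] = copy;
    return 0;
}

/* Stand-in for ending the session: every string the handle owns is freed. */
static void mock_end(struct mock_handle *h) {
    while (h->n > 0) free(h->env[--h->n]);
    free(h->env);
}

/* Release a snapshot returned by env_snapshot(); NULL is accepted. */
static void env_free(char **env) {
    for (char **p = env; p != NULL && *p != NULL; p++) free(*p);
    free(env);
}

/* Deep copy into a NULL-terminated array the caller owns; NULL on failure. */
static char **env_snapshot(const struct mock_handle *h) {
    char **out = calloc(h->n + 1, sizeof *out);
    for (size_t i = 0; out != NULL && i < h->n; i++)
        if ((out[i] = dup_str(h->env[i])) == NULL) { env_free(out); return NULL; }
    return out;
}

/* Corrected ordering: snapshot first, end the session second (sample values constructed). */
static char **login_env(void) {
    struct mock_handle h = { NULL, 0 };
    char **mine = NULL;
    if (mock_putenv(&h, "SSH_AUTH_SOCK=/tmp/agent.sock") == 0 &&
        mock_putenv(&h, "SSH_AGENT_PID=1234") == 0)
        mine = env_snapshot(&h);
    mock_end(&h);
    return mine;
}
```

The array returned by `login_env()` holds no pointer into the handle, so it stays valid after the session ends and is released with `env_free()`.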