From owner-svn-src-head@freebsd.org Mon Jul 23 05:13:33 2018 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AF85D103ECA9; Mon, 23 Jul 2018 05:13:33 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Received: from smtp-out-so.shaw.ca (smtp-out-so.shaw.ca [64.59.136.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "Client", Issuer "CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id EEB6094032; Mon, 23 Jul 2018 05:13:32 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Received: from spqr.komquats.com ([70.67.125.17]) by shaw.ca with ESMTPA id hT9ufYj4j5HxqhT9wf3zry; Sun, 22 Jul 2018 23:13:25 -0600 X-Authority-Analysis: v=2.3 cv=BMcHU2YG c=1 sm=1 tr=0 a=VFtTW3WuZNDh6VkGe7fA3g==:117 a=VFtTW3WuZNDh6VkGe7fA3g==:17 a=kj9zAlcOel0A:10 a=R9QF1RCXAYgA:10 a=6I5d2MoRAAAA:8 a=mDV3o1hIAAAA:8 a=YxBL1-UpAAAA:8 a=tAtvTxkdm60LNoFt9B0A:9 a=CjuIK1q_8ugA:10 a=IjZwj45LgO3ly-622nXo:22 a=_FVE-zBwftR9WsbkzFJk:22 a=Ia-lj3WSrqcvXOmTRaiG:22 Received: from slippy.cwsent.com (slippy [10.1.1.91]) by spqr.komquats.com (Postfix) with ESMTPS id 5D2E21AA; Sun, 22 Jul 2018 22:13:26 -0700 (PDT) Received: from slippy.cwsent.com (localhost [127.0.0.1]) by slippy.cwsent.com (8.15.2/8.15.2) with ESMTP id w6N5DMEN049116; Sun, 22 Jul 2018 22:13:22 -0700 (PDT) (envelope-from Cy.Schubert@cschubert.com) Received: from slippy (cy@localhost) by slippy.cwsent.com (8.15.2/8.15.2/Submit) with ESMTP id w6N5DM8u049113; Sun, 22 Jul 2018 22:13:22 -0700 (PDT) (envelope-from Cy.Schubert@cschubert.com) Message-Id: <201807230513.w6N5DM8u049113@slippy.cwsent.com> X-Authentication-Warning: slippy.cwsent.com: cy owned process doing -bs X-Mailer: exmh version 2.8.0 04/21/2012 with nmh-1.7.1 Reply-to: Cy Schubert From: Cy Schubert X-os: FreeBSD X-Sender: cy@cwsent.com X-URL: http://www.cschubert.com/ To: Ian Lepore cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r336619 - head/lib/libc/gen In-Reply-To: Message from Ian Lepore of "Sun, 22 Jul 2018 22:34:20 -0000." <201807222234.w6MMYKpn030237@repo.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Sun, 22 Jul 2018 22:13:22 -0700 X-CMAE-Envelope: MS4wfMx0db2SzubghSIG7iy+G0yDdSOGkUbvIrRV8znRXbv+B/OwXeIO6NLN4s3W2UmBALvZA5+nN1G8OGUABUqoOFOL0sfS+kmLcLYO2zuQ1to8sxmkhtwo 5c6BdM4SJamhqNKD+h32Vgu6DOMIQkPOKuQ+Znx8ApT2ceE5TExcfDWDgbhf2DJdTHa9qxYLi6RTuoDe7AiYma78ow/ekMglb+fZlZI5BrBmrnlU5Ve2dZBt 8rCDYxDwrZwTytTHIHLLH/j3993N9xonRkbjh+ZQ5ELSz1q1Ji1QDlkq33w4N35G X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Jul 2018 05:13:33 -0000 In message <201807222234.w6MMYKpn030237@repo.freebsd.org>, Ian Lepore writes: > Author: ian > Date: Sun Jul 22 22:34:20 2018 > New Revision: 336619 > URL: https://svnweb.freebsd.org/changeset/base/336619 > > Log: > Set the pw_class field to NULL when scanning the non-master passwd file. > This avoids a null pointer deref in pw_dup(), which assumes that all > pointers are either NULL or valid. > > Modified: > head/lib/libc/gen/pw_scan.c > > Modified: head/lib/libc/gen/pw_scan.c > ============================================================================= > = > --- head/lib/libc/gen/pw_scan.c Sun Jul 22 21:39:27 2018 (r33661 > 8) > +++ head/lib/libc/gen/pw_scan.c Sun Jul 22 22:34:20 2018 (r33661 > 9) > @@ -170,7 +170,8 @@ __pw_scan(char *bp, struct passwd *pw, int flags) > if (p[0]) > pw->pw_fields |= _PWF_EXPIRE; > pw->pw_expire = atol(p); > - } > + } else > + pw->pw_class = NULL; > if (!(pw->pw_gecos = strsep(&bp, ":"))) /* gecos */ > goto fmt; > if (pw->pw_gecos[0]) > Hi Ian, This causes ssh a bit of gas. slippy$ gdb ssh GNU gdb (GDB) 8.1 [GDB v8.1 for FreeBSD] Copyright (C) 2018 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-portbld-freebsd12.0". Type "show configuration" for configuration details. For bug reporting instructions, please see: . Find the GDB manual and other documentation resources online at: . For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from ssh...Reading symbols from /usr/lib/debug//usr/bin/ ssh.debug...done. done. (gdb) set args bob id (gdb) run Starting program: /usr/bin/ssh bob id Program received signal SIGSEGV, Segmentation fault. strlen (str=0x0) at /opt/src/svn-current/lib/libc/string/strlen.c:101 101 va = (*lp - mask01); (gdb) bt #0 strlen (str=0x0) at /opt/src/svn-current/lib/libc/string/strlen.c:10 1 #1 0x000000002bf10462 in Fssh_xstrdup (str=0x0) at /opt/src/svn-current/crypto/openssh/xmalloc.c:98 #2 0x000000002bf0ce38 in Fssh_pwcopy (pw=0x2c5962d0) at /opt/src/svn-current/crypto/openssh/misc.c:302 #3 0x0000000000214391 in main (ac=3, av=0x7fffffffe648) at /opt/src/svn-current/crypto/openssh/ssh.c:633 (gdb) l 96 * p and (p & ~LONGPTR_MASK) must be equally accessible since 97 * they always fall in the same memory page, as long as page 98 * boundaries is integral multiple of word size. 99 */ 100 lp = (const unsigned long *)((uintptr_t)str & ~LONGPTR_MASK); 101 va = (*lp - mask01); 102 vb = ((~*lp) & mask80); 103 lp++; 104 if (va & vb) 105 /* Check if we have \0 in the first part */ (gdb) p lp $1 = (const unsigned long *) 0x0 (gdb) up #1 0x000000002bf10462 in Fssh_xstrdup (str=0x0) at /opt/src/svn-current/crypto/openssh/xmalloc.c:98 98 len = strlen(str) + 1; (gdb) l 93 xstrdup(const char *str) 94 { 95 size_t len; 96 char *cp; 97 98 len = strlen(str) + 1; 99 cp = xmalloc(len); 100 strlcpy(cp, str, len); 101 return cp; 102 } (gdb) p str $2 = 0x0 (gdb) up #2 0x000000002bf0ce38 in Fssh_pwcopy (pw=0x2c5962d0) at /opt/src/svn-current/crypto/openssh/misc.c:302 302 copy->pw_class = xstrdup(pw->pw_class); (gdb) l 297 #endif 298 #ifdef HAVE_STRUCT_PASSWD_PW_CHANGE 299 copy->pw_change = pw->pw_change; 300 #endif 301 #ifdef HAVE_STRUCT_PASSWD_PW_CLASS 302 copy->pw_class = xstrdup(pw->pw_class); 303 #endif 304 copy->pw_dir = xstrdup(pw->pw_dir); 305 copy->pw_shell = xstrdup(pw->pw_shell); 306 return copy; (gdb) p pw->pw_class $3 = 0x0 (gdb) (If anyone's wondering, I name my systems after dead pets.) -- Cheers, Cy Schubert FreeBSD UNIX: Web: http://www.FreeBSD.org The need of the many outweighs the greed of the few.