Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 22 May 2022 16:37:42 GMT
From:      Ka Ho Ng <khng@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: b75e0eed345d - main - pam_exec: fix segfault when authtok is null
Message-ID:  <202205221637.24MGbgk3094010@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch main has been updated by khng:

URL: https://cgit.FreeBSD.org/src/commit/?id=b75e0eed345d2ab047a6b1b00a9a7c3bf92e992c

commit b75e0eed345d2ab047a6b1b00a9a7c3bf92e992c
Author:     Yan Ka Chiu <nyan@myuji.xyz>
AuthorDate: 2022-05-22 16:33:02 +0000
Commit:     Ka Ho Ng <khng@FreeBSD.org>
CommitDate: 2022-05-22 16:36:48 +0000

    pam_exec: fix segfault when authtok is null
    
    According to pam_exec(8), the `expose_authtok` option should be ignored
    when the service function is `pam_sm_setcred`. Currently `pam_exec` only
    prevent prompt for anth token when `expose_authtok` is set on
    `pam_sm_setcred`. This subsequently led to segfault when there isn't an
    existing auth token available.
    
    Bug reported on this: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263893
    
    After reading https://reviews.freebsd.org/rS349556 I am not sure if the
    default behaviour supposed to be simply not prompt for authentication
    token, or is it to ignore the option entirely as stated in the man page.
    
    This patch is therefore only adding an additional NULL check on the item
    `pam_get_item` provide, and exit with `PAM_SYSTEM_ERR` when such item is
    NULL.
    
    MFC after:      1 week
    Reviewed by:    des, khng
    Differential Revision:  https://reviews.freebsd.org/D35169
---
 lib/libpam/modules/pam_exec/pam_exec.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/libpam/modules/pam_exec/pam_exec.c b/lib/libpam/modules/pam_exec/pam_exec.c
index b8f2e1d8fdfc..ef2680d80525 100644
--- a/lib/libpam/modules/pam_exec/pam_exec.c
+++ b/lib/libpam/modules/pam_exec/pam_exec.c
@@ -261,6 +261,13 @@ _pam_exec(pam_handle_t *pamh,
 			/* don't prompt, only expose existing token */
 			rc = pam_get_item(pamh, PAM_AUTHTOK, &item);
 			authtok = item;
+			if (authtok == NULL && rc == PAM_SUCCESS) {
+				openpam_log(PAM_LOG_ERROR, 
+				    "%s: pam_get_authtok(): %s",
+				    func, "authentication token not available");
+				OUT(PAM_SYSTEM_ERR);
+			}
+
 		} else {
 			rc = pam_get_authtok(pamh, PAM_AUTHTOK, &authtok, NULL);
 		}

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202205221637.24MGbgk3094010>