Date:      Fri, 13 Mar 2015 00:24:18 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 198554] erroneous data in master.passwd or group cause pw -V command to segfault
Message-ID:  <bug-198554-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=198554

            Bug ID: 198554
           Summary: erroneous data in master.passwd or group cause pw -V
                    command to segfault
           Product: Base System
           Version: 10.1-STABLE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: fbsd@centraltech.co.uk

When using `pw -V ...`, if either master.passwd or group contains erroneous
data then pw will segfault, e.g. as a result of hand editing. It could also be a
continuation of bug #187310.

To reproduce, execute the following in an empty directory:

truncate -s 0 master.passwd group && pwd_mkdb -d . master.passwd
pw -V . user add test
echo 'test1:*:1002:0:0::/home/test1' >> master.passwd
pw -V . user add test2
Segmentation fault (core dumped)

Similarly for group:

truncate -s 0 master.passwd group && pwd_mkdb -d . master.passwd
pw -V . user add test
echo 'test1:*:1002' >> group
pw -V . user add test2
Segmentation fault (core dumped)

It doesn't matter what pw -V command you run; if it accesses an erroneous
master.passwd/group, it segfaults.

I first came across it in:
FreeBSD 10.1-STABLE #0 r279301: Wed Feb 25 23:49:09 UTC 2015 amd64
and have since updated to r279937

The following fixes the segfaults, but could lead to other issues as the
erroneous entries are simply ignored.

Index: usr.sbin/pw/pw_vpw.c
===================================================================
--- usr.sbin/pw/pw_vpw.c    (revision 279937)
+++ usr.sbin/pw/pw_vpw.c    (working copy)
@@ -80,6 +80,9 @@
             if (line[linelen - 1 ] == '\n')
                 line[linelen - 1] = '\0';
             pw = pw_scan(line, PWSCAN_MASTER);
+            /* Skip erroneous lines... maybe warn? */
+            if (pw == NULL)
+                continue;
             if (uid != (uid_t)-1) {
                 if (uid == pw->pw_uid)
                     break;
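
Review bot: In the `pw == NULL` branch after `pw_scan(line, PWSCAN_MASTER)`, the malformed line is dropped with no diagnostic, and the comment leaves "maybe warn?" unresolved. The check itself is needed, since the following lines dereference `pw->pw_uid`, but with a silent `continue` the uid comparison in this loop never sees that entry and the operator gets no sign that master.passwd is damaged. Suggest settling the question in the comment: print a warning that identifies the offending line (for example with `warnx`) before continuing, or stop with an error, and say in the comment which behaviour was chosen.
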
@@ -160,6 +163,9 @@
             if (line[linelen - 1 ] == '\n')
                 line[linelen - 1] = '\0';
             gr = gr_scan(line);
+            /* Skip erroneous lines.. maybe warn? */
+            if (gr == NULL)
+                continue;
             if (gid != (gid_t)-1) {
                 if (gid == gr->gr_gid)
                     break;
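
Review bot: The `gr == NULL` branch after `gr_scan(line)` skips the bad group line silently, so the `gid == gr->gr_gid` comparison below never sees that entry and nothing reports that the group file is malformed. Suggest emitting the same kind of warning here as for the passwd reader, with matching wording and behaviour so the two paths stay consistent. The comment text also differs from the first hunk (".." here, "..." there); make them identical.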

-- 
You are receiving this mail because:
You are the assignee for the bug.
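
An operator-side check for the failure described in this report, as an added example that is not part of the original message or of the FreeBSD source: it lints the master.passwd and group files in a directory before `pw -V` is pointed at it. The function names, the field counts (10 for master.passwd, 4 for group), the numeric-id rule and the skipping of `#` and blank lines are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag malformed lines in a pw -V directory.
# Assumptions: master.passwd has 10 ':'-separated fields, group has 4,
# field 3 (uid/gid) is decimal, '#' comments and blank lines are ignored.

# lint_db FILE NFIELDS: print "FILE:LINE: reason" per bad line; return 1 if any.
lint_db() {
    awk -F: -v want="$2" -v file="$1" '
        /^#/ || /^$/ { next }
        NF != want {
            printf "%s:%d: expected %d fields, found %d\n", file, NR, want, NF
            bad = 1; next
        }
        $1 == "" { printf "%s:%d: empty name\n", file, NR; bad = 1; next }
        $3 !~ /^[0-9]+$/ {
            printf "%s:%d: non-numeric id \"%s\"\n", file, NR, $3
            bad = 1; next
        }
        END { exit bad + 0 }
    ' "$1"
}

# lint_vdir DIR: check both files; return non-zero if either has a bad line.
lint_vdir() {
    rc=0
    lint_db "$1/master.passwd" 10 || rc=1
    lint_db "$1/group" 4 || rc=1
    return $rc
}

# Constructed sample: one well-formed entry per file plus the two malformed
# lines quoted in the report, written to a throwaway directory.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'test:*:1001:1001::0:0:User &:/home/test:/bin/sh' \
        'test1:*:1002:0:0::/home/test1' > "$d/master.passwd"
    printf '%s\n' 'test:*:1001:' 'test1:*:1002' > "$d/group"
    lint_vdir "$d"; rc=$?
    rm -rf "$d"
    return $rc
}

# Run against a directory when one is given on the command line.
if [ "$#" -eq 1 ]; then lint_vdir "$1"; fi
```

Run it as `sh lint.sh /path/to/dir`; a non-zero exit status means at least one line was flagged.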