FS#14464 - [sudo] segfault

Attached to Project: Arch Linux
Opened by Luka Napotnik (napsy) - Sunday, 26 April 2009, 17:07 GMT
Last edited by Allan McRae (Allan) - Saturday, 06 June 2009, 08:40 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Allan McRae (Allan)
Architecture x86_64
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
sudo segfaults on every attempt to login.

Additional info:
* using sudo 1.7.1-1
* running archlinux X86_64


Steps to reproduce:
sudo ls
(typing password)

I got the following backtrace from gdb:

Program received signal SIGSEGV, Segmentation fault.
0x00007f8f6f7b7480 in strlen () from /lib/libc.so.6
(gdb) bt
#0 0x00007f8f6f7b7480 in strlen () from /lib/libc.so.6
#1 0x000000000040c9ec in setenv ()
#2 0x00007f8f6ea9bbdf in pam_sm_open_session ()
    from /lib/security/pam_mount.so
#3 0x00007f8f6fc97c42 in _pam_dispatch () from /lib/libpam.so.0

...

Closed by  Allan McRae (Allan)
Saturday, 06 June 2009, 08:40 GMT
Reason for closing:  Fixed
Additional comments about closing:  sudo 1.7.1-2
Comment by Andrea Scarpino (BaSh) - Sunday, 26 April 2009, 18:19 GMT
Is the system up to date?
Did you try to reboot?
Comment by Luka Napotnik (napsy) - Sunday, 26 April 2009, 18:41 GMT
Yes, the system is up to date and this bug has been present for some days now. I guess there's a bug in libpam_mount.so. Maybe related to my encrypted home partition that PAM mounts after I log in with gdm.
Comment by Gerardo Exequiel Pozzi (djgera) - Sunday, 24 May 2009, 20:31 GMT
What is the status of this?

If the problem persists, can you run sudo with debug symbols enabled (do not strip symbols in the PKGBUILD, and maybe add -g to CFLAGS) in gdb?
Comment by Luka Napotnik (napsy) - Saturday, 30 May 2009, 22:29 GMT
I get the same backtrace if I recompile sudo with -g and -O0. There's a problem with libpam_mount.so
Comment by Gerardo Exequiel Pozzi (djgera) - Saturday, 30 May 2009, 23:16 GMT
Mmm, yes, but some functions now show parameters, except strlen(), which is from glibc.

Can you run sudo without environment vars? This is the command: "env -i sudo /bin/ls"

If that doesn't work, try this in gdb after the crash:

(gdb) x/s $rdi #this prints the string passed to strlen()
Comment by Luka Napotnik (napsy) - Sunday, 31 May 2009, 07:30 GMT
(gdb) info r rdi
rdi 0x0 0
(gdb) x/s 0x0
0x0: <Address 0x0 out of bounds>
Comment by Luka Napotnik (napsy) - Sunday, 31 May 2009, 07:45 GMT
This is now my backtrace if I run a non-stripped version of sudo. It seems that the value for setenv() is NULL.

(gdb) bt
#0 0x00007f84483851a1 in strlen () from /lib/libc.so.6
#1 0x000000000040e997 in setenv (var=0x7f844769296f "KRB5CCNAME", val=0x0,
    overwrite=1) at ./env.c:260
#2 0x00007f844768dbdf in pam_sm_open_session ()
    from /lib/security/pam_mount.so
#3 0x00007f8448866c42 in _pam_dispatch () from /lib/libpam.so.0
#4 0x000000000040d054 in pam_prep_user (pw=0x21df240) at ./auth/pam.c:231
#5 0x00000000004153b8 in runas_setup () at ./set_perms.c:527
#6 0x00000000004150e6 in set_perms (perm=5) at ./set_perms.c:130
#7 0x0000000000415d68 in main (argc=2, argv=0x7fff50c8aaf8,
    envp=0x7fff50c8ab10) at ./sudo.c:487
(gdb) info r rdi
rdi 0x0 0
(gdb) x/s $rdi
0x0: <Address 0x0 out of bounds>
Comment by Luka Napotnik (napsy) - Sunday, 31 May 2009, 07:50 GMT
hm it seems that inserting:

if (!val || !var)
    return -1;

in env.c:255 does the trick. sudo no longer crashes.
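
An added example, not part of the original thread and not sudo's own env.c: the failure mode in the backtrace (a NULL `val` reaching `strlen()`) and the guard proposed above, shown in a self-contained helper. The names `make_env_entry` and `export_if_set` and the sample credential-cache value are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not sudo's code): build a "VAR=val" entry for a
 * private environment, validating both pointers before any strlen(). */
static char *make_env_entry(const char *var, const char *val)
{
    size_t vlen;
    char *entry;

    /* Without this check, val == NULL reaches strlen() and the process
     * dies with SIGSEGV, as in frame #0 of the backtrace. */
    if (var == NULL || val == NULL || *var == '\0' || strchr(var, '=') != NULL) {
        errno = EINVAL;
        return NULL;
    }
    vlen = strlen(var);
    entry = malloc(vlen + 1 + strlen(val) + 1);   /* var + '=' + val + NUL */
    if (entry == NULL)
        return NULL;                              /* errno set by malloc */
    memcpy(entry, var, vlen);
    entry[vlen] = '=';
    strcpy(entry + vlen + 1, val);
    return entry;
}

/* Hypothetical caller that may have no value to export: it skips the
 * variable instead of passing NULL down. Returns 1 set, 0 skipped, -1 error. */
static int export_if_set(const char *var, const char *val, char **out)
{
    *out = NULL;
    if (val == NULL)
        return 0;
    *out = make_env_entry(var, val);
    return *out != NULL ? 1 : -1;
}

int main(void)
{
    /* Constructed inputs: the variable name from the backtrace, once with
     * the NULL value that crashed sudo and once with a sample value. */
    char *e = make_env_entry("KRB5CCNAME", NULL);
    printf("NULL value  -> %s (errno=%d)\n", e ? e : "(rejected)", errno);
    e = make_env_entry("KRB5CCNAME", "FILE:/tmp/krb5cc_1000");
    printf("valid value -> %s\n", e ? e : "(rejected)");
    free(e);
    return 0;
}
```
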
Comment by Gerardo Exequiel Pozzi (djgera) - Sunday, 31 May 2009, 07:55 GMT
Good, this is an advance. Can you report this to upstream? It seems that this is a NULL pointer reference ;)
Comment by Allan McRae (Allan) - Saturday, 06 June 2009, 06:33 GMT
