[Bug 1565567] Re: segv in sudo_getgrgid

Rafael David Tinoco rafael.tinoco at canonical.com
Wed May 4 04:13:52 UTC 2016 

Following execution path I get:

====

(1)

mode_run -> policy_check -> sudoers_policy_main -> sudoers_policy_init:
 - init_vars (fills global variable sudo_user)
 - sudo_user->pwd (from global struct passwd) will be used in "user_in_group" as "struct passwd" of executing user 
 - it will check whether the executing user is in a certain group (pre-reqs for sudo execution)

/*
 * Get a local copy of the user's struct passwd if we don't already
 * have one.
 */
if (sudo_user.pw == NULL) {
    if ((sudo_user.pw = sudo_getpwnam(user_name)) == NULL) {
        /*
         * It is not unusual for users to place "sudo -k" in a .logout
         * file which can cause sudo to be run during reboot after the
         * YP/NIS/NIS+/LDAP/etc daemon has died.
         */
        if (sudo_mode == MODE_KILL || sudo_mode == MODE_INVALIDATE) {
            sudo_warnx(U_("unknown uid: %u"), (unsigned int) user_uid);
            debug_return_bool(false);
        }

        /* Need to make a fake struct passwd for the call to log_warningx(). */
        sudo_user.pw = sudo_mkpwent(user_name, user_uid, user_gid, NULL, NULL);
        unknown_user = true;
    }
}

so sudo_user->pwd comes from sudo_mkpwent(user_name).

At this time, impossible that sudo_mkpwent has cached values so we have:

...
item = sudo_make_pwitem((uid_t)-1, name);

if (item == NULL) {
    const size_t len = strlen(name) + 1;
    if (errno != ENOENT || (item = calloc(1, sizeof(*item) + len)) == NULL) {
        sudo_warnx(U_("unable to cache user %s, out of memory"), name);
        debug_return_ptr(NULL);
    }
    item->refcnt = 1;
    item->k.name = (char *) item + sizeof(*item);
    memcpy(item->k.name, name, len);
    /* item->d.pw = NULL; */
}
strlcpy(item->registry, key.registry, sizeof(item->registry));
switch (rbinsert(pwcache_byname, item, NULL)) {
...

Since sudo_make_pwitem relies on local authentication, and user is
coming from ldap... item = NULL.

With item being NULL, cache item item->d (union) will be filled of zeroes.
With that, item->d>pw will be a NULL pointer. 

PROBLEM:

In the future, when this cache item is recovered from redblack tree, any
reference to item->d>pw will fail.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1565567

Title:
  segv in sudo_getgrgid

Status in sudo package in Ubuntu:
  Confirmed

Bug description:
  If the user is in a group with no name (because libnss-db got removed
  and the group was defined there, for example...) then:

  the call to sudo_debug_printf in sudo_getgrgid
  (plugins/sudoers/pwutil.c, line 462) causes a SEGV when trying to get
  item->d.gr->gr_name (since item->d.gr is NULL).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1565567/+subscriptions

More information about the foundations-bugs mailing list