Your message dated Wed, 23 Oct 2019 10:15:52 -0600 (MDT)
with message-id <[email protected]>
and subject line fixed in current upstream version
has caused the Debian Bug report #928039,
regarding sudo: segfault/core dump after a plugin init fails
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
928039: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928039
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sudo
Version: 1.8.19p1-2.1
Severity: important
Tags: patch

Dear Maintainer,

When sssd is in use, and a configured I/O plugin fails to initialize,
sudo segfaults/dumps core with a use-after-free and/or double-free
violation.

This is caused by sudo_sss_close() being called multiple times (via
various code paths, e.g. sudoers_policy_check -> sudoers_policy_main ->
sudo_sss_close; or policy_check -> sudo_fatalx_nodebug_v1 -> do_cleanup
-> sudoers_cleanup), which frees nss->handle but does not set the
pointer to NULL.

Output is as follows:

$ sudo -i
sudo: error initializing I/O plugin ngcp_plugin
*** Error in `sudo': double free or corruption (!prev): 0x0000560e35fda750 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7f1d2fc15bfb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76fc6)[0x7f1d2fc1bfc6]
/lib/x86_64-linux-gnu/libc.so.6(+0x7780e)[0x7f1d2fc1c80e]
/usr/lib/sudo/sudoers.so(+0x20bcd)[0x7f1d2e090bcd]
/usr/lib/sudo/sudoers.so(+0x1a7f6)[0x7f1d2e08a7f6]
/usr/lib/sudo/libsudo_util.so.0(+0x4e6d)[0x7f1d3014ce6d]
/usr/lib/sudo/libsudo_util.so.0(sudo_fatalx_nodebug_v1+0xa3)[0x7f1d3014d2b3]
sudo(+0x5521)[0x560e345f6521]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f1d2fbc52e1]
sudo(+0x671a)[0x560e345f771a]

Valgrind reports:

# valgrind ./sudo -i
==45182== Memcheck, a memory error detector
==45182== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==45182== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==45182== Command: ./sudo -i
==45182== 
sudo: error initializing I/O plugin ngcp_plugin
==45182== Invalid read of size 8
==45182==    at 0x6F36BBB: sudo_sss_close (sssd.c:482)
==45182==    by 0x6F307F5: sudoers_cleanup (sudoers.c:1193)
==45182==    by 0x548FE6C: do_cleanup (fatal.c:61)
==45182==    by 0x54902B2: sudo_fatalx_nodebug_v1 (fatal.c:86)
==45182==    by 0x10D520: policy_check (sudo.c:1333)
==45182==    by 0x10D520: main (sudo.c:261)
==45182==  Address 0x6328aa0 is 32 bytes inside a block of size 80 free'd
==45182==    at 0x4C2CDDB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==45182==    by 0x6F36BCC: sudo_sss_close (sssd.c:483)
==45182==    by 0x6F3282A: sudoers_policy_main (sudoers.c:528)
==45182==    by 0x6F2B9EE: sudoers_policy_check (policy.c:754)
==45182==    by 0x10CED1: policy_check (sudo.c:1337)
==45182==    by 0x10CED1: main (sudo.c:261)
==45182==  Block was alloc'd at
==45182==    at 0x4C2BBAF: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==45182==    by 0x6F36C50: sudo_sss_open (sssd.c:388)
==45182==    by 0x6F3108B: sudoers_policy_init (sudoers.c:192)
==45182==    by 0x6F2BEC6: sudoers_policy_open (policy.c:679)
==45182==    by 0x10D073: policy_open (sudo.c:1283)
==45182==    by 0x10D073: main (sudo.c:225)
==45182== 
==45182== Invalid read of size 1
==45182==    at 0x4015571: _dl_close (dl-close.c:817)
==45182==    by 0x400F643: _dl_catch_error (dl-error.c:187)
==45182==    by 0x56A0530: _dlerror_run (dlerror.c:163)
==45182==    by 0x569FFDE: dlclose (dlclose.c:46)
==45182==    by 0x6F36BC3: sudo_sss_close (sssd.c:482)
==45182==    by 0x6F307F5: sudoers_cleanup (sudoers.c:1193)
==45182==    by 0x548FE6C: do_cleanup (fatal.c:61)
==45182==    by 0x54902B2: sudo_fatalx_nodebug_v1 (fatal.c:86)
==45182==    by 0x10D520: policy_check (sudo.c:1333)
==45182==    by 0x10D520: main (sudo.c:261)
==45182==  Address 0x6328f54 is 980 bytes inside a block of size 1,209 free'd
==45182==    at 0x4C2CDDB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==45182==    by 0x4014D95: _dl_close_worker (dl-close.c:747)
==45182==    by 0x401558D: _dl_close (dl-close.c:840)
==45182==    by 0x400F643: _dl_catch_error (dl-error.c:187)
==45182==    by 0x56A0530: _dlerror_run (dlerror.c:163)
==45182==    by 0x569FFDE: dlclose (dlclose.c:46)
==45182==    by 0x6F36BC3: sudo_sss_close (sssd.c:482)
==45182==    by 0x6F3282A: sudoers_policy_main (sudoers.c:528)
==45182==    by 0x6F2B9EE: sudoers_policy_check (policy.c:754)
==45182==    by 0x10CED1: policy_check (sudo.c:1337)
==45182==    by 0x10CED1: main (sudo.c:261)
==45182==  Block was alloc'd at
==45182==    at 0x4C2DBC5: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==45182==    by 0x400B215: _dl_new_object (dl-object.c:75)
==45182==    by 0x400587C: _dl_map_object_from_fd (dl-load.c:1000)
==45182==    by 0x400874B: _dl_map_object (dl-load.c:2470)
==45182==    by 0x4013B13: dl_open_worker (dl-open.c:237)
==45182==    by 0x400F643: _dl_catch_error (dl-error.c:187)
==45182==    by 0x4013608: _dl_open (dl-open.c:660)
==45182==    by 0x569FEE8: dlopen_doit (dlopen.c:66)
==45182==    by 0x400F643: _dl_catch_error (dl-error.c:187)
==45182==    by 0x56A0530: _dlerror_run (dlerror.c:163)
==45182==    by 0x569FF81: dlopen@@GLIBC_2.2.5 (dlopen.c:87)
==45182==    by 0x6F36C6D: sudo_sss_open (sssd.c:395)
==45182== 
...


Patch is as follows:

--- sudo-1.8.19p1.orig/plugins/sudoers/sssd.c
+++ sudo-1.8.19p1/plugins/sudoers/sssd.c
@@ -481,6 +481,7 @@ sudo_sss_close(struct sudo_nss *nss)
        handle = nss->handle;
        sudo_dso_unload(handle->ssslib);
        free(nss->handle);
+       nss->handle = NULL;
     }
     debug_return_int(0);
 }
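Review bot: the added `nss->handle = NULL;` only makes sudo_sss_close() safe to call twice if the block it sits in is entered under a NULL test on `nss->handle`; the hunk's leading context starts at `handle = nss->handle;`, so that guard is not visible here. Please confirm the enclosing condition checks `nss->handle` (a second call would otherwise reach `sudo_dso_unload(handle->ssslib)` through a NULL `handle`), ideally by widening the context so the `if` line is part of the hunk. Clearing the pointer is the right defensive change, but it leaves the root cause untouched: per the Valgrind trace both sudoers_policy_main() and sudoers_cleanup() call sudo_sss_close() on the failed-plugin-init path, so the first caller could also mark the nss as closed to avoid the second teardown altogether.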

Thanks


-- System Information:
Debian Release: 9.8
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sudo depends on:
ii  libaudit1       1:2.6.7-2
ii  libc6           2.24-11+deb9u4
ii  libpam-modules  1.1.8-3.6
ii  libpam0g        1.1.8-3.6
ii  libselinux1     2.6-3+b3
ii  lsb-base        9.20161125

sudo recommends no packages.

sudo suggests no packages.

-- no debconf information

--- End Message ---
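The double close described in the report, replayed as an added example in C. This is not sudo's code: the struct names, the slot-pool allocator (used instead of malloc/free so the second free is counted rather than aborting the process), the dso_unload() stand-in and the replay driver are all constructed for the demonstration. It shows the 1.8.19p1 shape of the close routine next to the one-line fix, and drives both through the two call paths seen in the backtraces.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the sss handle and struct sudo_nss (not sudo's types). */
struct sss_handle {
    void *ssslib;      /* in sudo this is the dlopen()ed libsss_sudo handle */
};

struct nss_ctx {
    struct sss_handle *handle;
};

/* A tiny slot pool replaces malloc/free so that a double free is counted instead of
 * aborting, and so that memory stays readable after "free" for the demonstration. */
#define POOL_SLOTS 4
static struct sss_handle pool[POOL_SLOTS];
static int pool_in_use[POOL_SLOTS];
static int g_double_frees;   /* what glibc reports as "double free or corruption" */
static int g_unload_calls;   /* stand-in dlclose() calls; a second one uses a stale handle */

static struct sss_handle *pool_alloc(void)
{
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool_in_use[i]) {
            pool_in_use[i] = 1;
            memset(&pool[i], 0, sizeof pool[i]);
            return &pool[i];
        }
    }
    return NULL;
}

static void pool_free(struct sss_handle *p)
{
    ptrdiff_t i = p - pool;
    if (i < 0 || i >= POOL_SLOTS)
        return;
    if (!pool_in_use[i]) {       /* block already released: this is the double free */
        g_double_frees++;
        return;
    }
    pool_in_use[i] = 0;
}

static void dso_unload(void *lib)
{
    (void)lib;
    g_unload_calls++;
}

static int sss_open(struct nss_ctx *nss)
{
    nss->handle = pool_alloc();
    if (nss->handle == NULL)
        return -1;
    nss->handle->ssslib = (void *)"libsss_sudo.so";   /* constructed stand-in for dlopen() */
    return 0;
}

/* Shape of the 1.8.19p1 sudo_sss_close(): frees the handle but leaves nss->handle dangling. */
static int sss_close_buggy(struct nss_ctx *nss)
{
    if (nss->handle != NULL) {
        struct sss_handle *handle = nss->handle;
        dso_unload(handle->ssslib);   /* second call: reads through the freed block */
        pool_free(nss->handle);       /* second call: double free */
    }
    return 0;
}

/* Same routine with the one-line fix from the report: clear the pointer after freeing. */
static int sss_close_fixed(struct nss_ctx *nss)
{
    if (nss->handle != NULL) {
        struct sss_handle *handle = nss->handle;
        dso_unload(handle->ssslib);
        pool_free(nss->handle);
        nss->handle = NULL;           /* a second call now skips the block entirely */
    }
    return 0;
}

/* Replays the two close paths from the backtraces: sudoers_policy_main() tears the nss
 * down when plugin init fails, then sudo_fatalx() -> do_cleanup() -> sudoers_cleanup()
 * closes it again. Returns the number of double frees observed. */
static int replay_failed_plugin_init(int use_fixed)
{
    struct nss_ctx nss = { NULL };
    int (*sss_close)(struct nss_ctx *) = use_fixed ? sss_close_fixed : sss_close_buggy;

    g_double_frees = 0;
    g_unload_calls = 0;
    if (sss_open(&nss) != 0)
        return -1;
    sss_close(&nss);   /* sudoers_policy_main: plugin init failed, close nss */
    sss_close(&nss);   /* sudoers_cleanup, reached from the fatal error handler */
    return g_double_frees;
}

static int unload_calls(void) { return g_unload_calls; }

int main(void)
{
    int df = replay_failed_plugin_init(0);
    printf("buggy close: double frees=%d, dlclose calls=%d\n", df, unload_calls());
    df = replay_failed_plugin_init(1);
    printf("fixed close: double frees=%d, dlclose calls=%d\n", df, unload_calls());
    return 0;
}
```

The buggy variant trips twice on the second call, matching the two Valgrind findings: the stale `handle->ssslib` read feeding dlclose() and the double free of the 80-byte block. Clearing `nss->handle` turns the close into an idempotent operation, which is the property any cleanup routine reachable from both a normal path and a fatal-error path needs.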
--- Begin Message ---
This appears to have been fixed in the current upstream version packaged
in Debian unstable.

Bdale

--- End Message ---
