235647 – pam_verror & pam_vinfo may cause segmentation fault

Bug 235647 - pam_verror & pam_vinfo may cause segmentation fault

Summary: pam_verror & pam_vinfo may cause segmentation fault

Status:	New

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	misc (show other bugs)
Version:	CURRENT
Hardware:	Any Any

Importance:	--- Affects Many People
Assignee:	freebsd-bugs (Nobody)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2019-02-10 17:59 UTC by hoomanfazaeli
Modified:	2019-02-25 19:06 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description hoomanfazaeli 2019-02-10 17:59:51 UTC

The pam_verror may cause segmentation fault.

Consider the following scenario:

1. A service module (for instance, pam_unix) calls PAM_VERBOSE_ERROR.
   That macro expands to _pam_verbose_error call.

2. _pam_verbose_error calls pam_verror if the PAM_SILENT flag is not 
  set on the PAM handle and no_warn option is not set for the service 
  module.

3. pam_verror allocates 'char *rsp' on stack w/o initializing it to NULL,
   (a dangling pointer), and makes 
   pam_vprompt(pamh, PAM_ERROR_MSG, &rsp, fmt, ap) call. 

4. Now if the the PAM conversation is NULL, pam_vprompt soon returns 
   w/ PAM_SYSTEM_ERR and __does not__ set *rsp. 

5. pam_verror then does FREE(rsp) and if rsp happens to be anything other 
   than NULL, a segmentation fault happens.

Comment 1 hoomanfazaeli 2019-02-10 18:03:37 UTC

The very same bug exists in pam_vinfo.