Bug 235647 - pam_verror & pam_vinfo may cause segmentation fault
Summary: pam_verror & pam_vinfo may cause segmentation fault
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: misc (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Many People
Assignee: freebsd-bugs (Nobody)
Depends on:
Reported: 2019-02-10 17:59 UTC by hoomanfazaeli
Modified: 2019-02-25 19:06 UTC (History)
1 user (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description hoomanfazaeli 2019-02-10 17:59:51 UTC
The pam_verror may cause segmentation fault.

Consider the following scenario:

1. A service module (for instance, pam_unix) calls PAM_VERBOSE_ERROR.
   That macro expands to _pam_verbose_error call.

2. _pam_verbose_error calls pam_verror if the PAM_SILENT flag is not 
  set on the PAM handle and no_warn option is not set for the service 

3. pam_verror allocates 'char *rsp' on stack w/o initializing it to NULL,
   (a dangling pointer), and makes 
   pam_vprompt(pamh, PAM_ERROR_MSG, &rsp, fmt, ap) call. 

4. Now if the the PAM conversation is NULL, pam_vprompt soon returns 
   w/ PAM_SYSTEM_ERR and __does not__ set *rsp. 

5. pam_verror then does FREE(rsp) and if rsp happens to be anything other 
   than NULL, a segmentation fault happens.
Comment 1 hoomanfazaeli 2019-02-10 18:03:37 UTC
The very same bug exists in pam_vinfo.