[rsbac] [RSBAC-admin][1.4.9] Null pointer dereference in pam_rsbac

Frank LENORMAND lenormand at pkcc-tb.ru
Wed Oct 14 09:59:14 CEST 2015


Hi,

I ran into an issue lately with a widely known job scheduling tool which
received a segmentation fault signal when executing a task on behalf of an
expired user. I traced back the issue to "main/pam/pam_rsbac.c", so here's
the report. I have not looked into other contexts in which the same issue
could occur, so be aware that I will only be describing a particular scenario
here.

When some code wants to authenticate a user using the `pam_acct_mgmt()`
function, the `pam_sm_acct_mgmt()` function is called (pam_rsbac.c:360). If the
user account has expired, the `rsbac_um_check_account_name()` function inside
will return a non-zero value and set `errno` to `RSBAC_EEXPIRED`, and follow up
with a call to the `_make_remark()` function with a description of the error
as fourth argument. A few instructions later, we end up in the `converse()`
function (pam_rsbac.c:99) and the `pam_get_item()` (libpam/pam_item.c:175)
function is called with the `PAM_CONV` argument.

That last PAM function will set the `struct pam_conv` pointer passed to the
function to the one stored in the `pam_conversation` field of the PAM
handle (`pam_handle_t`), and after it has returned, the RSBAC module uses the
`conv` pointer without checking it (pam_rsbac.c:111), which leads to a
segmentation fault if, as is the case in the job scheduling tool I mentioned, the
`pam_handle_t` object is passed with an uninitialized `pam_conversation` field.

Long story short: the `conv->conv()` function pointer called in pam_rsbac.c:111
has to be checked, because it might not have been initialized by the code
that uses PAM with the RSBAC module.
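The check described above, as an added example that is not pam_rsbac's or Linux-PAM's own code: a `converse()` variant that validates both the `pam_get_item()` result and the `conv`/`conv->conv` pointers before calling through them. It assumes a constructed `pam_handle_t` stand-in and a mock `pam_get_item()` so it builds without libpam; the PAM constants and `struct pam_conv` layout mirror Linux-PAM's public headers.

```c
#define _POSIX_C_SOURCE 200809L /* for strdup() */
#include <stdlib.h>
#include <string.h>
/* Linux-PAM constants and types mirrored from <security/_pam_types.h>. */
enum { PAM_SUCCESS = 0, PAM_ERROR_MSG = 3, PAM_BUF_ERR = 5, PAM_CONV = 5, PAM_CONV_ERR = 19 };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv { int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
                  void *appdata_ptr; };
/* Constructed stand-in for the opaque PAM handle, so this builds without libpam. */
typedef struct { const struct pam_conv *pam_conversation; } pam_handle_t;
static int pam_get_item(const pam_handle_t *pamh, int item_type, const void **item) {
    if (item_type != PAM_CONV) return PAM_CONV_ERR; /* mock handles PAM_CONV only */
    *item = pamh->pam_conversation; /* NULL when the application never set it */
    return PAM_SUCCESS;
}
/* Hardened converse(): validate the pointer chain before calling through it. */
int safe_converse(pam_handle_t *pamh, int style, const char *text, struct pam_response **resp) {
    const struct pam_conv *conv = NULL;
    const struct pam_message msg = { style, text };
    const struct pam_message *msgp = &msg;
    int rc = pam_get_item(pamh, PAM_CONV, (const void **)&conv);
    if (rc != PAM_SUCCESS) return rc;
    if (conv == NULL || conv->conv == NULL) return PAM_CONV_ERR; /* the missing check */
    return conv->conv(1, &msgp, resp, conv->appdata_ptr);
}
/* Constructed application-side conversation function: echoes the text back. */
static int echo_conv(int n, const struct pam_message **m, struct pam_response **r, void *d) {
    (void)d;
    if ((*r = calloc((size_t)n, sizeof **r)) == NULL) return PAM_BUF_ERR;
    (*r)[0].resp = strdup(m[0]->msg);
    return PAM_SUCCESS;
}
/* Scenario from the report: a handle with no conversation set. Must not crash. */
int remark_without_conv(void) {
    pam_handle_t pamh = { NULL };
    struct pam_response *resp = NULL;
    return safe_converse(&pamh, PAM_ERROR_MSG, "account expired", &resp);
}
/* Normal case: the application installed a conversation, so the remark gets through. */
int remark_with_conv(void) {
    struct pam_conv cv = { echo_conv, NULL };
    pam_handle_t pamh = { &cv };
    struct pam_response *resp = NULL;
    int ok = safe_converse(&pamh, PAM_ERROR_MSG, "account expired", &resp) == PAM_SUCCESS
             && resp != NULL && strcmp(resp->resp, "account expired") == 0;
    if (resp) { free(resp->resp); free(resp); }
    return ok;
}
```

With the real library, drop the mock handle and `pam_get_item()` and keep only `safe_converse()`; the application-side fix is to always pass a populated `struct pam_conv` to `pam_start()`.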

RSBAC-admin v1.4.9 - Linux-PAM v1.2.1

HTH.

Regards,
-- 
Frank LENORMAND
RTEC - Russian Telecom Equipment Company
Senior software engineer developer
