[rsbac] [RSBAC-admin][1.4.9] Null pointer dereference in pam_rsbac
Frank LENORMAND
lenormand at pkcc-tb.ru
Wed Oct 14 09:59:14 CEST 2015
Hi,
I ran into an issue lately with a widely known job scheduling tool which received a segmentation fault signal when executing a task on behalf of an expired user. I traced back the issue to "main/pam/pam_rsbac.c", so here's the report. I have not looked into other contexts in which the same issue could occur, so be aware that I will only be describing a particular scenario here.
When some code wants to authenticate a user using the `pam_acct_mgmt()` function, the `pam_sm_acct_mgmt()` function is called (pam_rsbac.c:360). If the user account has expired, the `rsbac_um_check_account_name()` function inside will return a non-zero value and set `errno` to `RSBAC_EEXPIRED`, and follow up with a call to the `_make_remark()` function with a description of the error as fourth argument. A few instructions later, we end up in the `converse()` function (pam_rsbac.c:99) and the `pam_get_item()` function (libpam/pam_item.c:175) is called with the `PAM_CONV` argument.
That last PAM function will set the `struct pam_conv` object passed to the function to the one pointed to by the `pam_conversation` field in the PAM handle (`pam_handle_t`), and after it has returned, RSBAC uses the `conv` pointer without checking it (pam_rsbac.c:111), which leads to a segmentation fault if, as is the case in the job scheduling tool I mentioned, the `pam_handle_t` object is passed with an uninitialized `pam_conversation` field.
Long story short: the `conv->conv()` function pointer called in pam_rsbac.c:111 has to be checked, because it might not have been initialized by the code that uses PAM with the RSBAC module.
RSBAC-admin v1.4.9 - Linux-PAM v1.2.1
HTH.
Regards,
--
Frank LENORMAND
RTEC - Russian Telecom Equipment Company
Senior software engineer developer
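The pattern described in the report, as an added example that is not code from RSBAC-admin or Linux-PAM: a self-contained C model of a module-side `converse()` that dereferences the `PAM_CONV` item as soon as `pam_get_item()` succeeds, beside the checked form that returns `PAM_CONV_ERR` when the application never installed a conversation function. The `struct pam_conv`, `pam_message` and `pam_response` layouts and the return-code values mirror the public Linux-PAM header, but they are redefined here so the file builds without libpam; `pam_get_item_stub()`, the one-field `pam_handle_t`, `make_remark()` and `recording_conv()` are assumptions of this example, not the project's functions.

```c
/* Added example, not RSBAC-admin or Linux-PAM code: models the unchecked
 * conv pointer in the module's converse() and its hardened counterpart. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for Linux-PAM constants (values as in the public pam header). */
#define PAM_SUCCESS   0
#define PAM_ERROR_MSG 3
#define PAM_CONV      5
#define PAM_CONV_ERR  19
#define PAM_BAD_ITEM  29

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int num_msg, const struct pam_message **msg,
                struct pam_response **resp, void *appdata_ptr);
    void *appdata_ptr;
};
/* Assumed handle: only the field the report talks about. */
typedef struct { const struct pam_conv *pam_conversation; } pam_handle_t;

/* Assumed stand-in for pam_get_item(pamh, PAM_CONV, &item): it reports
 * success and hands back whatever the handle holds, even a NULL pointer. */
static int pam_get_item_stub(const pam_handle_t *pamh, int item_type, const void **item)
{
    if (item_type != PAM_CONV) return PAM_BAD_ITEM;
    *item = pamh->pam_conversation;
    return PAM_SUCCESS;
}

/* Defective shape: conv is used right after pam_get_item() succeeds, so an
 * application that never set PAM_CONV makes this call a NULL dereference. */
static int converse_unchecked(pam_handle_t *pamh, int nargs,
                              const struct pam_message **message,
                              struct pam_response **response)
{
    const struct pam_conv *conv;
    int rc = pam_get_item_stub(pamh, PAM_CONV, (const void **)&conv);
    if (rc != PAM_SUCCESS) return rc;
    return conv->conv(nargs, message, response, conv->appdata_ptr); /* conv may be NULL */
}

/* Hardened shape: no conversation function means no conversation. */
static int converse_checked(pam_handle_t *pamh, int nargs,
                            const struct pam_message **message,
                            struct pam_response **response)
{
    const struct pam_conv *conv = NULL;
    int rc = pam_get_item_stub(pamh, PAM_CONV, (const void **)&conv);
    if (rc != PAM_SUCCESS) return rc;
    if (conv == NULL || conv->conv == NULL) return PAM_CONV_ERR;
    return conv->conv(nargs, message, response, conv->appdata_ptr);
}

/* Assumed, simplified _make_remark(): one PAM_ERROR_MSG through the checked path. */
static int make_remark(pam_handle_t *pamh, const char *remark)
{
    struct pam_message msg = { PAM_ERROR_MSG, remark };
    const struct pam_message *pmsg = &msg;
    struct pam_response *resp = NULL;
    int rc = converse_checked(pamh, 1, &pmsg, &resp);
    if (rc == PAM_SUCCESS && resp != NULL) { free(resp->resp); free(resp); }
    return rc;
}

/* Constructed application-side conversation function: records the last message. */
static char last_message[128];
static int recording_conv(int num_msg, const struct pam_message **msg,
                          struct pam_response **resp, void *appdata_ptr)
{
    (void)appdata_ptr;
    if (num_msg < 1) return PAM_CONV_ERR;
    snprintf(last_message, sizeof last_message, "%s", msg[0]->msg);
    *resp = calloc((size_t)num_msg, sizeof **resp);
    return *resp != NULL ? PAM_SUCCESS : PAM_CONV_ERR;
}

/* Application that installed a conversation function: remark is delivered. */
int remark_with_conversation(void)
{
    struct pam_conv app_conv = { recording_conv, NULL };
    pam_handle_t pamh = { &app_conv };
    return make_remark(&pamh, "Your account has expired");
}

/* Application that never set PAM_CONV, as in the report: checked path refuses. */
int remark_without_conversation(void)
{
    pam_handle_t pamh = { NULL };
    return make_remark(&pamh, "Your account has expired");
}

int main(void)
{
    struct pam_conv app_conv = { recording_conv, NULL };
    pam_handle_t pamh = { &app_conv };
    struct pam_message msg = { PAM_ERROR_MSG, "hello" };
    const struct pam_message *pmsg = &msg;
    struct pam_response *resp = NULL;
    /* The unchecked form is only safe while a conversation function exists. */
    printf("unchecked, with conversation: %d\n",
           converse_unchecked(&pamh, 1, &pmsg, &resp));
    free(resp);
    printf("checked, with conversation: %d\n", remark_with_conversation());
    printf("checked, without conversation: %d\n", remark_without_conversation());
    return 0;
}
```

The check belongs in the module because the module cannot know how the calling application built its handle; `pam_get_item()` succeeding only means the item slot was readable, not that anything was stored in it.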