[rsbac] [RSBAC-admin][1.4.9] Null pointer dereference in pam_rsbac

Frank LENORMAND lenormand at pkcc-tb.ru
Wed Oct 14 13:16:56 CEST 2015


Hi,

I ran into an issue lately with a widely known job scheduling
tool which received a segmentation fault signal when executing
a task on behalf of an expired user. I traced back the issue to
"main/pam/pam_rsbac.c", so here's the report. I have not looked into
other contexts in which the same issue could occur, so be aware that
I will only be describing a particular scenario here.

When some code wants to authenticate a user using the
`pam_acct_mgmt()` function, the `pam_sm_acct_mgmt()` function
is called (pam_rsbac.c:360). If the user account has expired,
the `rsbac_um_check_account_name()` function inside will return a
non-zero value and set `errno` to `RSBAC_EEXPIRED`, and follow up
with a call to the `_make_remark()` function with a description of
the error as fourth argument. A few instructions later, we end up in
the `converse()` function (pam_rsbac.c:99) and the `pam_get_item()`
(libpam/pam_item.c:175) function is called with the `PAM_CONV`
argument.

That last PAM function will set the `struct pam_conv` object passed
to the function to the one pointed to by the `pam_conversation` field
in the PAM handle (`pam_handle_t`), and after it has returned, the
RSBAC module uses the `conv` pointer without checking it (pam_rsbac.c:111),
which leads to a segmentation fault if, as is the case in the job
scheduling tool I mentioned, the `pam_handle_t` object is passed with
an uninitialized `pam_conversation` field.

Long story short: the `conv->conv()` function pointer called in
pam_rsbac.c:111 has to be checked, because it might not have been
initialized by the code that uses PAM with the RSBAC module.

RSBAC-admin v1.4.9 - Linux-PAM v1.2.1

HTH.

Regards,
-- 
Frank LENORMAND
RTEC - Russian Telecom Equipment Company
Senior software engineer developer
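The check the report asks for, as an added example that is not RSBAC's own code: a remark helper that refuses to call through a missing conversation function instead of dereferencing it. The PAM structs and return codes are minimal stand-ins constructed here so the example builds without libpam; real code would include <security/pam_appl.h> and get `conv` from `pam_get_item(pamh, PAM_CONV, ...)`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-ins for the Linux-PAM types and codes (constructed for
 * this example; real code uses the definitions from <security/pam_appl.h>). */
#define PAM_SUCCESS   0
#define PAM_ERROR_MSG 3
#define PAM_CONV_ERR  19

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};

/* Hardened remark: an application that never set a conversation function
 * gets PAM_CONV_ERR back, rather than a NULL function pointer being called. */
static int safe_remark(const struct pam_conv *conv, const char *text)
{
    struct pam_message msg = { PAM_ERROR_MSG, text };
    const struct pam_message *pmsg = &msg;
    struct pam_response *resp = NULL;
    int rc;

    if (conv == NULL || conv->conv == NULL)
        return PAM_CONV_ERR;               /* the check missing at pam_rsbac.c:111 */

    rc = conv->conv(1, &pmsg, &resp, conv->appdata_ptr);
    if (resp != NULL) {                    /* the module owns the responses */
        free(resp->resp);
        free(resp);
    }
    return rc;
}

/* Constructed conversation callback that records the message it was shown. */
static char last_seen[64];
static int recording_conv(int n, const struct pam_message **m,
                          struct pam_response **r, void *d)
{
    (void)d;
    if (n != 1) return PAM_CONV_ERR;
    snprintf(last_seen, sizeof last_seen, "%s", m[0]->msg);
    *r = calloc(1, sizeof **r);
    return *r ? PAM_SUCCESS : PAM_CONV_ERR;
}

/* Two constructed handles: one from an application that never set up a
 * conversation (the crashing case), one that did. */
static const struct pam_conv no_conv  = { NULL, NULL };
static const struct pam_conv app_conv = { recording_conv, NULL };
```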
