[rsbac] [RSBAC-admin][1.4.9] Null pointer dereference in pam_rsbac
Frank LENORMAND
lenormand at pkcc-tb.ru
Wed Oct 14 13:16:56 CEST 2015
Hi,
I ran into an issue lately with a widely known job scheduling
tool which received a segmentation fault signal when executing
a task on behalf of an expired user. I traced back the issue to
"main/pam/pam_rsbac.c", so here's the report. I have not looked into
other contexts in which the same issue could occur, so be aware that
I will only be describing a particular scenario here.
When some code wants to authenticate a user using the
`pam_acct_mgmt()` function, the `pam_sm_acct_mgmt()` function
is called (pam_rsbac.c:360). If the user account has expired,
the `rsbac_um_check_account_name()` function inside will return a
non-zero value and set `errno` to `RSBAC_EEXPIRED`, and follow up
with a call to the `_make_remark()` function with a description of
the error as fourth argument. A few instructions later, we end up in
the `converse()` function (pam_rsbac.c:99) and the `pam_get_item()`
(libpam/pam_item.c:175) function is called with the `PAM_CONV`
argument.
That last PAM function will set the `struct pam_conv` object passed
to the function to the one pointed to by the `pam_conversation` field
in the PAM handle (`pam_handle_t`), and after it has returned,
RSBAC uses the `conv` pointer without checking it (pam_rsbac.c:111),
which leads to a segmentation fault if, as is the case in the job
scheduling tool I mentioned, the `pam_handle_t` object is passed with
an uninitialized `pam_conversation` field.
Long story short: the `conv->conv()` function pointer called in
pam_rsbac.c:111 has to be checked, because it might not have been
initialized by the code that uses PAM with the RSBAC module.
RSBAC-admin v1.4.9 - Linux-PAM v1.2.1
HTH.
Regards,
--
Frank LENORMAND
RTEC - Russian Telecom Equipment Company
Senior software engineer developer
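The check the report asks for, shown as an added example that is not code from pam_rsbac or Linux-PAM. To build without libpam, the PAM conversation types and return codes are re-declared inline, the opaque `pam_handle_t` is replaced by a stand-in holding only the `pam_conversation` field, and `fake_pam_get_item()` mimics the real `pam_get_item(PAM_CONV)` behaviour of handing back whatever pointer the application stored, NULL included, with a success return. `converse_unchecked()` has the shape of the faulty path; `converse_checked()` is the hardened form. The application-side `app_conv()` and the "Account has expired" remark are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal re-declaration of the Linux-PAM conversation API so this file
 * builds without libpam; values match <security/_pam_types.h>. */
#define PAM_SUCCESS   0
#define PAM_BUF_ERR   5
#define PAM_CONV_ERR  19
#define PAM_BAD_ITEM  29
#define PAM_ERROR_MSG 3
#define PAM_CONV      5

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int num_msg, const struct pam_message **msg,
                struct pam_response **resp, void *appdata_ptr);
    void *appdata_ptr;
};

/* Stand-in for the opaque pam_handle_t: only the field this example needs. */
typedef struct { const struct pam_conv *pam_conversation; } fake_pam_handle;

/* Stand-in for pam_get_item(pamh, PAM_CONV, &item): like the real call, it
 * copies the stored pointer out and reports PAM_SUCCESS even when that
 * pointer is NULL because the application never set a conversation. */
static int fake_pam_get_item(const fake_pam_handle *pamh, int type, const void **item)
{
    if (type != PAM_CONV) return PAM_BAD_ITEM;
    *item = pamh->pam_conversation;
    return PAM_SUCCESS;
}

/* Shape of the faulty path: conv is called through without being checked.
 * With a handle whose conversation was never set this dereferences NULL. */
int converse_unchecked(const fake_pam_handle *pamh, const char *text)
{
    const struct pam_conv *conv = NULL;
    const struct pam_message msg = { PAM_ERROR_MSG, text };
    const struct pam_message *msgp = &msg;
    struct pam_response *resp = NULL;
    int rc = fake_pam_get_item(pamh, PAM_CONV, (const void **)&conv);
    if (rc != PAM_SUCCESS) return rc;
    rc = conv->conv(1, &msgp, &resp, conv->appdata_ptr);  /* crashes if conv == NULL */
    if (rc == PAM_SUCCESS && resp != NULL) free(resp[0].resp);
    free(resp);
    return rc;
}

/* Hardened form: refuse to converse when no conversation function exists. */
static int converse_checked(const fake_pam_handle *pamh, const char *text)
{
    const struct pam_conv *conv = NULL;
    const struct pam_message msg = { PAM_ERROR_MSG, text };
    const struct pam_message *msgp = &msg;
    struct pam_response *resp = NULL;
    int rc = fake_pam_get_item(pamh, PAM_CONV, (const void **)&conv);
    if (rc != PAM_SUCCESS) return rc;
    if (conv == NULL || conv->conv == NULL) return PAM_CONV_ERR;
    rc = conv->conv(1, &msgp, &resp, conv->appdata_ptr);
    if (rc == PAM_SUCCESS && resp != NULL) free(resp[0].resp);
    free(resp);
    return rc;
}

/* Constructed application-side conversation: records the text the module
 * wanted shown, the way an interactive login program would print it. */
static char last_remark[128];
static int app_conv(int num_msg, const struct pam_message **msg,
                    struct pam_response **resp, void *appdata_ptr)
{
    (void)appdata_ptr;
    if (num_msg < 1) return PAM_CONV_ERR;
    *resp = calloc((size_t)num_msg, sizeof **resp);
    if (*resp == NULL) return PAM_BUF_ERR;
    snprintf(last_remark, sizeof last_remark, "%s", msg[0]->msg);
    return PAM_SUCCESS;
}

/* Application that installed a conversation, e.g. an interactive login. */
int remark_with_conversation(void)
{
    static const struct pam_conv conv = { app_conv, NULL };
    fake_pam_handle pamh = { &conv };
    return converse_checked(&pamh, "Account has expired");
}

/* Application that never set PAM_CONV: the job-scheduler scenario. */
int remark_without_conversation(void)
{
    fake_pam_handle pamh = { NULL };
    return converse_checked(&pamh, "Account has expired");
}

const char *recorded_remark(void) { return last_remark; }

int main(void)
{
    printf("with conversation: rc=%d, remark=\"%s\"\n",
           remark_with_conversation(), recorded_remark());
    printf("without conversation: rc=%d (PAM_CONV_ERR is %d)\n",
           remark_without_conversation(), PAM_CONV_ERR);
    return 0;
}
```

The expired-account path still fails, but with a PAM error code the caller can act on instead of a SIGSEGV in the module; `pam_sm_acct_mgmt()` can then return its own failure code regardless of whether the remark was delivered.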