NetBSD Problem Report #43773
From www@NetBSD.org Tue Aug 17 19:36:18 2010
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id 10CB763BBEB
for <gnats-bugs@gnats.NetBSD.org>; Tue, 17 Aug 2010 19:36:18 +0000 (UTC)
Message-Id: <20100817193617.D228763BBBD@www.NetBSD.org>
Date: Tue, 17 Aug 2010 19:36:17 +0000 (UTC)
From: kotcauer.peter@pirosfeketefa.hu
Reply-To: kotcauer.peter@pirosfeketefa.hu
To: gnats-bugs@NetBSD.org
Subject: can not change password while pax_aslr turned on
X-Send-Pr-Version: www-1.0
>Number: 43773
>Category: security
>Synopsis: can not change password while pax_aslr turned on
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: security-officer
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Aug 17 19:40:00 +0000 2010
>Closed-Date: Fri Jan 04 01:22:05 +0000 2013
>Last-Modified: Fri Jan 04 01:22:05 +0000 2013
>Originator: Peter Kotcauer
>Release: 5.1 rc3
>Organization:
>Environment:
NetBSD chomsky 5.1_RC3 NetBSD 5.1_RC3 (chomsky) #2: Tue Aug 17 21:11:07 CEST 2010 peter@chomsky:/usr/obj/sys/arch/i386/compile/chomsky i386
>Description:
chomsky# sysctl -w security.pax.aslr.enabled=0
security.pax.aslr.enabled: 1 -> 0
I compiled a custom kernel with pax_aslr and pax_mprotect enabled.
After that, I couldn't change the root passwd.
With disabled aslr I can change the passwd.
chomsky# sysctl -w security.pax.aslr.enabled=0
security.pax.aslr.enabled: 1 -> 0
chomsky# passwd root
Changing password for root.
New Password:
Retype New Password:
chomsky# sysctl -w security.pax.aslr.enabled=1
security.pax.aslr.enabled: 0 -> 1
chomsky# passwd root
Changing password for root.
New Password:
Retype New Password:
Unable to rebuild local password database.
Unable to change auth token: error in service module
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, security-officer@netbsd.org,
gnats-admin@netbsd.org, security-alert@netbsd.org
Cc:
Subject: Re: security/43773: can not change password while pax_aslr turned on
Date: Tue, 17 Aug 2010 23:29:38 +0300
On Aug 17, 7:40pm, kotcauer.peter@pirosfeketefa.hu (kotcauer.peter@pirosfeketefa.hu) wrote:
-- Subject: security/43773: can not change password while pax_aslr turned on
| >Number: 43773
| >Category: security
| >Synopsis: can not change password while pax_aslr turned on
| >Confidential: no
| >Severity: serious
| >Priority: high
| >Responsible: security-officer
| >State: open
| >Class: sw-bug
| >Submitter-Id: net
| >Arrival-Date: Tue Aug 17 19:40:00 +0000 2010
| >Originator: Peter Kotcauer
| >Release: 5.1 rc3
| >Organization:
| >Environment:
| NetBSD chomsky 5.1_RC3 NetBSD 5.1_RC3 (chomsky) #2: Tue Aug 17 21:11:07 CEST 2010 peter@chomsky:/usr/obj/sys/arch/i386/compile/chomsky i386
|
| >Description:
| chomsky# sysctl -w security.pax.aslr.enabled=0
| security.pax.aslr.enabled: 1 -> 0
| I compiled a custom kernel with pax_aslr and pax_mprotect enabled.
|
| After that, I couldn't change the root passwd.
| With disabled aslr I can change the passwd.
|
| chomsky# sysctl -w security.pax.aslr.enabled=0
| security.pax.aslr.enabled: 1 -> 0
| chomsky# passwd root
| Changing password for root.
| New Password:
| Retype New Password:
| chomsky# sysctl -w security.pax.aslr.enabled=1
| security.pax.aslr.enabled: 0 -> 1
| chomsky# passwd root
| Changing password for root.
| New Password:
| Retype New Password:
| Unable to rebuild local password database.
| Unable to change auth token: error in service module
Can you ktrace -i it?
christos
From: =?ISO-8859-1?Q?Kotcauer_P=E9ter?= <kotcauer.peter@pirosfeketefa.hu>
To: gnats-bugs@netbsd.org
Cc: security-officer@netbsd.org, gnats-admin@netbsd.org,
security-alert@netbsd.org
Subject: Re: security/43773: can not change password while pax_aslr turned on
Date: Tue, 17 Aug 2010 22:42:30 +0200
2010/8/17 Christos Zoulas <christos@zoulas.com>:
> The following reply was made to PR security/43773; it has been noted by G=
NATS.
>
> From: christos@zoulas.com (Christos Zoulas)
> To: gnats-bugs@NetBSD.org, security-officer@netbsd.org,
> =A0 =A0 =A0 =A0gnats-admin@netbsd.org, security-alert@netbsd.org
> Cc:
> Subject: Re: security/43773: can not change password while pax_aslr turne=
d on
> Date: Tue, 17 Aug 2010 23:29:38 +0300
>
> =A0On Aug 17, =A07:40pm, kotcauer.peter@pirosfeketefa.hu (kotcauer.peter@=
pirosfeketefa.hu) wrote:
> =A0-- Subject: security/43773: can not change password while pax_aslr tur=
ned on
>
> =A0| >Number: =A0 =A0 =A0 =A0 43773
> =A0| >Category: =A0 =A0 =A0 security
> =A0| >Synopsis: =A0 =A0 =A0 can not change password while pax_aslr turned=
on
> =A0| >Confidential: =A0 no
> =A0| >Severity: =A0 =A0 =A0 serious
> =A0| >Priority: =A0 =A0 =A0 high
> =A0| >Responsible: =A0 =A0security-officer
> =A0| >State: =A0 =A0 =A0 =A0 =A0open
> =A0| >Class: =A0 =A0 =A0 =A0 =A0sw-bug
> =A0| >Submitter-Id: =A0 net
> =A0| >Arrival-Date: =A0 Tue Aug 17 19:40:00 +0000 2010
> =A0| >Originator: =A0 =A0 Peter Kotcauer
> =A0| >Release: =A0 =A0 =A0 =A05.1 rc3
> =A0| >Organization:
> =A0| >Environment:
> =A0| NetBSD chomsky 5.1_RC3 NetBSD 5.1_RC3 (chomsky) #2: Tue Aug 17 21:11=
:07 CEST 2010 =A0peter@chomsky:/usr/obj/sys/arch/i386/compile/chomsky i386
> =A0|
> =A0| >Description:
> =A0| chomsky# sysctl -w security.pax.aslr.enabled=3D0
> =A0| security.pax.aslr.enabled: 1 -> 0
> =A0| I compiled a custom kernel with pax_aslr and pax_mprotect enabled.
> =A0|
> =A0| After that, I couldn't change the root passwd.
> =A0| With disabled aslr I can change the passwd.
> =A0|
> =A0| chomsky# sysctl -w security.pax.aslr.enabled=3D0
> =A0| security.pax.aslr.enabled: 1 -> 0
> =A0| chomsky# passwd root
> =A0| Changing password for root.
> =A0| New Password:
> =A0| Retype New Password:
> =A0| chomsky# sysctl -w security.pax.aslr.enabled=3D1
> =A0| security.pax.aslr.enabled: 0 -> 1
> =A0| chomsky# passwd root
> =A0| Changing password for root.
> =A0| New Password:
> =A0| Retype New Password:
> =A0| Unable to rebuild local password database.
> =A0| Unable to change auth token: error in service module
>
> =A0Can you ktrace -i it?
>
> =A0christos
>
Sure:
http://pirosfeketefa.hu/ktrace.dump
Regards,
P
From: =?ISO-8859-1?Q?Kotcauer_P=E9ter?= <kotcauer.peter@pirosfeketefa.hu>
To: gnats-bugs@netbsd.org
Cc: security-officer@netbsd.org, gnats-admin@netbsd.org,
security-alert@netbsd.org
Subject: Re: security/43773: can not change password while pax_aslr turned on
Date: Tue, 17 Aug 2010 22:45:38 +0200
Kotcauer P=E9ter <kotcauer.peter@pirosfeketefa.hu> =EDrta (2010. augusztus
17. 22:42):
> 2010/8/17 Christos Zoulas <christos@zoulas.com>:
>> The following reply was made to PR security/43773; it has been noted by =
GNATS.
>>
>> From: christos@zoulas.com (Christos Zoulas)
>> To: gnats-bugs@NetBSD.org, security-officer@netbsd.org,
>> =A0 =A0 =A0 =A0gnats-admin@netbsd.org, security-alert@netbsd.org
>> Cc:
>> Subject: Re: security/43773: can not change password while pax_aslr turn=
ed on
>> Date: Tue, 17 Aug 2010 23:29:38 +0300
>>
>> =A0On Aug 17, =A07:40pm, kotcauer.peter@pirosfeketefa.hu (kotcauer.peter=
@pirosfeketefa.hu) wrote:
>> =A0-- Subject: security/43773: can not change password while pax_aslr tu=
rned on
>>
>> =A0| >Number: =A0 =A0 =A0 =A0 43773
>> =A0| >Category: =A0 =A0 =A0 security
>> =A0| >Synopsis: =A0 =A0 =A0 can not change password while pax_aslr turne=
d on
>> =A0| >Confidential: =A0 no
>> =A0| >Severity: =A0 =A0 =A0 serious
>> =A0| >Priority: =A0 =A0 =A0 high
>> =A0| >Responsible: =A0 =A0security-officer
>> =A0| >State: =A0 =A0 =A0 =A0 =A0open
>> =A0| >Class: =A0 =A0 =A0 =A0 =A0sw-bug
>> =A0| >Submitter-Id: =A0 net
>> =A0| >Arrival-Date: =A0 Tue Aug 17 19:40:00 +0000 2010
>> =A0| >Originator: =A0 =A0 Peter Kotcauer
>> =A0| >Release: =A0 =A0 =A0 =A05.1 rc3
>> =A0| >Organization:
>> =A0| >Environment:
>> =A0| NetBSD chomsky 5.1_RC3 NetBSD 5.1_RC3 (chomsky) #2: Tue Aug 17 21:1=
1:07 CEST 2010 =A0peter@chomsky:/usr/obj/sys/arch/i386/compile/chomsky i386
>> =A0|
>> =A0| >Description:
>> =A0| chomsky# sysctl -w security.pax.aslr.enabled=3D0
>> =A0| security.pax.aslr.enabled: 1 -> 0
>> =A0| I compiled a custom kernel with pax_aslr and pax_mprotect enabled.
>> =A0|
>> =A0| After that, I couldn't change the root passwd.
>> =A0| With disabled aslr I can change the passwd.
>> =A0|
>> =A0| chomsky# sysctl -w security.pax.aslr.enabled=3D0
>> =A0| security.pax.aslr.enabled: 1 -> 0
>> =A0| chomsky# passwd root
>> =A0| Changing password for root.
>> =A0| New Password:
>> =A0| Retype New Password:
>> =A0| chomsky# sysctl -w security.pax.aslr.enabled=3D1
>> =A0| security.pax.aslr.enabled: 0 -> 1
>> =A0| chomsky# passwd root
>> =A0| Changing password for root.
>> =A0| New Password:
>> =A0| Retype New Password:
>> =A0| Unable to rebuild local password database.
>> =A0| Unable to change auth token: error in service module
>>
>> =A0Can you ktrace -i it?
>>
>> =A0christos
>>
> Sure:
> http://pirosfeketefa.hu/ktrace.dump
So sorry, the right url is http://pirosfeketefa.hu/netbsd/ktrace.dump
P
From: christos@zoulas.com (Christos Zoulas)
To: =?ISO-8859-1?Q?Kotcauer_P=E9ter?= <kotcauer.peter@pirosfeketefa.hu>,
gnats-bugs@netbsd.org
Cc: security-officer@netbsd.org, gnats-admin@netbsd.org,
security-alert@netbsd.org
Subject: Re: security/43773: can not change password while pax_aslr turned on
Date: Tue, 17 Aug 2010 23:49:48 +0300
On Aug 17, 10:42pm, kotcauer.peter@pirosfeketefa.hu (=?ISO-8859-1?Q?Kotcauer_P=E9ter?=) wrote:
-- Subject: Re: security/43773: can not change password while pax_aslr turned
| http://pirosfeketefa.hu/ktrace.dump
|
| Regards,
| P
-- End of excerpt from =?ISO-8859-1?Q?Kotcauer_P=E9ter?=
Not Found
The requested URL /ktrace.dump was not found on this server.
Apache Server at pirosfeketefa.hu Port 80
christos
From: christos@zoulas.com (Christos Zoulas)
To: =?ISO-8859-1?Q?Kotcauer_P=E9ter?= <kotcauer.peter@pirosfeketefa.hu>,
gnats-bugs@netbsd.org
Cc: security-officer@netbsd.org, gnats-admin@netbsd.org,
security-alert@netbsd.org
Subject: Re: security/43773: can not change password while pax_aslr turned on
Date: Wed, 18 Aug 2010 00:06:42 +0300
On Aug 17, 10:45pm, kotcauer.peter@pirosfeketefa.hu (=?ISO-8859-1?Q?Kotcauer_P=E9ter?=) wrote:
-- Subject: Re: security/43773: can not change password while pax_aslr turned
| So sorry, the right url is http://pirosfeketefa.hu/netbsd/ktrace.dump
Looks like pwd_mkdb exits with non-zero. I will make it syslog...
christos
From: christos@zoulas.com (Christos Zoulas)
To: =?ISO-8859-1?Q?Kotcauer_P=E9ter?= <kotcauer.peter@pirosfeketefa.hu>,
gnats-bugs@netbsd.org
Cc: security-officer@netbsd.org, gnats-admin@netbsd.org,
security-alert@netbsd.org
Subject: Re: security/43773: can not change password while pax_aslr turned on
Date: Tue, 24 Aug 2010 09:48:46 -0400
On Aug 17, 10:42pm, kotcauer.peter@pirosfeketefa.hu (=?ISO-8859-1?Q?Kotcauer_P=E9ter?=) wrote:
-- Subject: Re: security/43773: can not change password while pax_aslr turned
Fixed with:
Module Name: src
Committed By: christos
Date: Mon Aug 23 20:53:08 UTC 2010
Modified Files:
src/sys/kern: exec_subr.c kern_pax.c
Log Message:
Fix issues with stack allocation and pax aslr:
- since the size is unsigned, don't check just that it is > 0, but limit
it to the MAXSSIZ
- if the stack size is reduced because of aslr, make sure we reduce the
actual allocation by the same size so that the size does not wrap around.
NB: Must be pulled up to 5.x!
To generate a diff of this commit:
cvs rdiff -u -r1.64 -r1.65 src/sys/kern/exec_subr.c
cvs rdiff -u -r1.23 -r1.24 src/sys/kern/kern_pax.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Will request a pullup.
christos
From: Pierre Pronchery <khorben@defora.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: security/43773: can not change password while pax_aslr turned on
Date: Wed, 4 Jan 2012 02:15:55 +0100
--SUOF0GtieIMvvwua
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Hi,
reviewing this problem report from Kotcauer Peter on August 17th 2010, I
believe that the issue reported was properly fixed in both the -current
and netbsd-5 branches. My tests on NetBSD/i386 (netbsd-5, as the
original report), NetBSD/amd64 (netbsd-5) and NetBSD/amd64 (-current)
are all successful.
HTH,
--=20
khorben
--SUOF0GtieIMvvwua
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (NetBSD)
iQIcBAEBAgAGBQJPA6hLAAoJEDU4cZknVYg+KIQP/3VVtqD2ws/VT4o2R/E5JvcH
awTsbQN85rBttOHCXoPdau1ew392pyXfc143Yv31X1o//6U9zYd+TrhqExEt0nSu
805x0t82h0tM+NTGJlNI8oZC4kesyE+vFOgs541C8hlCSDx/2uQsDxyRPUtGTIqo
AQloGB57vU3lLzxqb48J7lKIF3Rvt+DnTX1F8wTMdnuSnhkycR107+UZqDejpDau
pkjx1espg1muFaKqi016e2IJw/bSNGnJkFegZURy3kToYmfFREWE7FUHns3i/JIn
Yqy95fmnpVff2vVqpZITzIS8fVFlCSgUi9zp6NP7RhiBS4/KUKmZNdpdO2VOV5HN
KoIir1oulXzzWYYlyDKOihQz8UK4QtY88Q3sxI3RSTQ3DdmarYfncXSUkHD0LjR1
I3Sl/pbT0EFN6RFuzsziftIfW63KEFa0JMz0ohnSjJb8hpU4PbdQL/gD0NZ268HP
CG+jKmEmnX1LAxvcFkBeeqr8y7o5W8bV9S2qNE/nBfWSMnaXQgmjOUmyU0u4vG29
i/gb5uP3nXjtbqv5JlwJc+L7XZ8emAmYfp7VU20lN0uET4mUxCjxIDEgUNfBzgBE
skUVfPa4O0Dab2bDn9jYqEqqJ+mxHowR8L+BEHNjV0cD+A691kSJgDHnFb6i63uK
FB4/6qawMibgXIwc9iif
=wNmm
-----END PGP SIGNATURE-----
--SUOF0GtieIMvvwua--
State-Changed-From-To: open->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Fri, 04 Jan 2013 01:22:05 +0000
State-Changed-Why:
Tested out as fixed a year ago. If it's still not working
for you, please write in and let us know.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
Home