NetBSD Problem Report #43773

From www@NetBSD.org  Tue Aug 17 19:36:18 2010
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 10CB763BBEB
	for <gnats-bugs@gnats.NetBSD.org>; Tue, 17 Aug 2010 19:36:18 +0000 (UTC)
Message-Id: <20100817193617.D228763BBBD@www.NetBSD.org>
Date: Tue, 17 Aug 2010 19:36:17 +0000 (UTC)
From: kotcauer.peter@pirosfeketefa.hu
Reply-To: kotcauer.peter@pirosfeketefa.hu
To: gnats-bugs@NetBSD.org
Subject: can not change password while pax_aslr turned on
X-Send-Pr-Version: www-1.0

>Number:         43773
>Category:       security
>Synopsis:       can not change password while pax_aslr turned on
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    security-officer
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Aug 17 19:40:00 +0000 2010
>Closed-Date:    Fri Jan 04 01:22:05 +0000 2013
>Last-Modified:  Fri Jan 04 01:22:05 +0000 2013
>Originator:     Peter Kotcauer
>Release:        5.1 rc3
>Organization:
>Environment:
NetBSD chomsky 5.1_RC3 NetBSD 5.1_RC3 (chomsky) #2: Tue Aug 17 21:11:07 CEST 2010  peter@chomsky:/usr/obj/sys/arch/i386/compile/chomsky i386

>Description:
chomsky# sysctl -w security.pax.aslr.enabled=0
security.pax.aslr.enabled: 1 -> 0
I compiled a custom kernel with pax_aslr and pax_mprotect enabled.

After that, I couldn't change the root passwd.
With disabled aslr I can change the passwd.

chomsky# sysctl -w security.pax.aslr.enabled=0
security.pax.aslr.enabled: 1 -> 0
chomsky# passwd root
Changing password for root.
New Password:
Retype New Password:
chomsky# sysctl -w security.pax.aslr.enabled=1
security.pax.aslr.enabled: 0 -> 1
chomsky# passwd root
Changing password for root.
New Password:
Retype New Password:
Unable to rebuild local password database.
Unable to change auth token: error in service module

>How-To-Repeat:

>Fix:

>Release-Note:

>Audit-Trail:
From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, security-officer@netbsd.org, 
	gnats-admin@netbsd.org, security-alert@netbsd.org
Cc: 
Subject: Re: security/43773: can not change password while pax_aslr turned on
Date: Tue, 17 Aug 2010 23:29:38 +0300

 On Aug 17,  7:40pm, kotcauer.peter@pirosfeketefa.hu (kotcauer.peter@pirosfeketefa.hu) wrote:
 -- Subject: security/43773: can not change password while pax_aslr turned on

 | >Number:         43773
 | >Category:       security
 | >Synopsis:       can not change password while pax_aslr turned on
 | >Confidential:   no
 | >Severity:       serious
 | >Priority:       high
 | >Responsible:    security-officer
 | >State:          open
 | >Class:          sw-bug
 | >Submitter-Id:   net
 | >Arrival-Date:   Tue Aug 17 19:40:00 +0000 2010
 | >Originator:     Peter Kotcauer
 | >Release:        5.1 rc3
 | >Organization:
 | >Environment:
 | NetBSD chomsky 5.1_RC3 NetBSD 5.1_RC3 (chomsky) #2: Tue Aug 17 21:11:07 CEST 2010  peter@chomsky:/usr/obj/sys/arch/i386/compile/chomsky i386
 | 
 | >Description:
 | chomsky# sysctl -w security.pax.aslr.enabled=0
 | security.pax.aslr.enabled: 1 -> 0
 | I compiled a custom kernel with pax_aslr and pax_mprotect enabled.
 | 
 | After that, I couldn't change the root passwd.
 | With disabled aslr I can change the passwd.
 | 
 | chomsky# sysctl -w security.pax.aslr.enabled=0
 | security.pax.aslr.enabled: 1 -> 0
 | chomsky# passwd root
 | Changing password for root.
 | New Password:
 | Retype New Password:
 | chomsky# sysctl -w security.pax.aslr.enabled=1
 | security.pax.aslr.enabled: 0 -> 1
 | chomsky# passwd root
 | Changing password for root.
 | New Password:
 | Retype New Password:
 | Unable to rebuild local password database.
 | Unable to change auth token: error in service module

 Can you ktrace -i it?

 christos

From: Kotcauer Péter <kotcauer.peter@pirosfeketefa.hu>
To: gnats-bugs@netbsd.org
Cc: security-officer@netbsd.org, gnats-admin@netbsd.org, 
	security-alert@netbsd.org
Subject: Re: security/43773: can not change password while pax_aslr turned on
Date: Tue, 17 Aug 2010 22:42:30 +0200

 2010/8/17 Christos Zoulas <christos@zoulas.com>:
 > Can you ktrace -i it?
 >
 > christos
 >
 Sure:
 http://pirosfeketefa.hu/ktrace.dump

 Regards,
 P

From: Kotcauer Péter <kotcauer.peter@pirosfeketefa.hu>
To: gnats-bugs@netbsd.org
Cc: security-officer@netbsd.org, gnats-admin@netbsd.org, 
	security-alert@netbsd.org
Subject: Re: security/43773: can not change password while pax_aslr turned on
Date: Tue, 17 Aug 2010 22:45:38 +0200

 Kotcauer Péter <kotcauer.peter@pirosfeketefa.hu> wrote (17 August 2010, 22:42):
 > Sure:
 > http://pirosfeketefa.hu/ktrace.dump

 So sorry, the right url is http://pirosfeketefa.hu/netbsd/ktrace.dump

 P

From: christos@zoulas.com (Christos Zoulas)
To: Kotcauer Péter <kotcauer.peter@pirosfeketefa.hu>,
	gnats-bugs@netbsd.org
Cc: security-officer@netbsd.org, gnats-admin@netbsd.org, 
	security-alert@netbsd.org
Subject: Re: security/43773: can not change password while pax_aslr turned on
Date: Tue, 17 Aug 2010 23:49:48 +0300

 On Aug 17, 10:42pm, kotcauer.peter@pirosfeketefa.hu (Kotcauer Péter) wrote:
 -- Subject: Re: security/43773: can not change password while pax_aslr turned

 | http://pirosfeketefa.hu/ktrace.dump
 | 
 | Regards,
 | P
 -- End of excerpt from Kotcauer Péter

     Not Found

     The requested URL /ktrace.dump was not found on this server.
     Apache Server at pirosfeketefa.hu Port 80

 christos

From: christos@zoulas.com (Christos Zoulas)
To: Kotcauer Péter <kotcauer.peter@pirosfeketefa.hu>,
	gnats-bugs@netbsd.org
Cc: security-officer@netbsd.org, gnats-admin@netbsd.org, 
	security-alert@netbsd.org
Subject: Re: security/43773: can not change password while pax_aslr turned on
Date: Wed, 18 Aug 2010 00:06:42 +0300

 On Aug 17, 10:45pm, kotcauer.peter@pirosfeketefa.hu (Kotcauer Péter) wrote:
 -- Subject: Re: security/43773: can not change password while pax_aslr turned

 | So sorry, the right url is http://pirosfeketefa.hu/netbsd/ktrace.dump

 Looks like pwd_mkdb exits with non-zero. I will make it syslog...

 christos

From: christos@zoulas.com (Christos Zoulas)
To: Kotcauer Péter <kotcauer.peter@pirosfeketefa.hu>,
	gnats-bugs@netbsd.org
Cc: security-officer@netbsd.org, gnats-admin@netbsd.org, 
	security-alert@netbsd.org
Subject: Re: security/43773: can not change password while pax_aslr turned on
Date: Tue, 24 Aug 2010 09:48:46 -0400

 On Aug 17, 10:42pm, kotcauer.peter@pirosfeketefa.hu (Kotcauer Péter) wrote:
 -- Subject: Re: security/43773: can not change password while pax_aslr turned

 Fixed with:

 Module Name:    src
 Committed By:   christos
 Date:           Mon Aug 23 20:53:08 UTC 2010

 Modified Files:
         src/sys/kern: exec_subr.c kern_pax.c

 Log Message:
 Fix issues with stack allocation and pax aslr:
 - since the size is unsigned, don't check just that it is > 0, but limit
   it to the MAXSSIZ
 - if the stack size is reduced because of aslr, make sure we reduce the
   actual allocation by the same size so that the size does not wrap around.
 NB: Must be pulled up to 5.x!


 To generate a diff of this commit:
 cvs rdiff -u -r1.64 -r1.65 src/sys/kern/exec_subr.c
 cvs rdiff -u -r1.23 -r1.24 src/sys/kern/kern_pax.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.


 Will request a pullup.

 christos
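
The wraparound described in the commit log above, as a simplified model added here for illustration; it is not the code from exec_subr.c or kern_pax.c. The names `stack_plan`, `plan_before`, `plan_after` and `SKETCH_MAXSSIZ` and all sizes are assumptions made for the sketch.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's MAXSSIZ limit (assumption). */
#define SKETCH_MAXSSIZ ((size_t)64 * 1024 * 1024)

struct stack_plan {
    size_t access;       /* bytes mapped read/write */
    size_t noaccess;     /* bytes reserved below them for growth */
    int    map_noaccess; /* 1 if the reserved region would be mapped */
};

/* Before: only the total is shrunk by the ASLR delta. The unsigned
 * difference wraps when access > total, and "> 0" accepts the result. */
static struct stack_plan plan_before(size_t total, size_t access, size_t delta)
{
    struct stack_plan p;
    total -= delta;
    p.access = access;
    p.noaccess = total - access;     /* wraps to a huge value */
    p.map_noaccess = p.noaccess > 0;
    return p;
}

/* After: shrink the accessible part by the same delta, and map the
 * reserved region only when its size lies in (0, SKETCH_MAXSSIZ]. */
static struct stack_plan plan_after(size_t total, size_t access, size_t delta)
{
    struct stack_plan p = { 0, 0, 0 };
    if (access > total || delta >= access)
        return p;                    /* inconsistent request: map nothing */
    total -= delta;
    access -= delta;
    p.access = access;
    p.noaccess = total - access;     /* cannot wrap: access <= total */
    p.map_noaccess = p.noaccess > 0 && p.noaccess <= SKETCH_MAXSSIZ;
    return p;
}

int main(void)
{
    size_t mib = 1024 * 1024;
    struct stack_plan b = plan_before(8 * mib, 8 * mib, 64 * 1024);
    struct stack_plan a = plan_after(8 * mib, 8 * mib, 64 * 1024);
    printf("before: map=%d noaccess=%zu\n", b.map_noaccess, b.noaccess);
    printf("after:  map=%d noaccess=%zu\n", a.map_noaccess, a.noaccess);
    return 0;
}
```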

From: Pierre Pronchery <khorben@defora.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: security/43773: can not change password while pax_aslr turned on
Date: Wed, 4 Jan 2012 02:15:55 +0100

 Hi,

 reviewing this problem report from Kotcauer Peter on August 17th 2010, I
 believe that the issue reported was properly fixed in both the -current
 and netbsd-5 branches. My tests on NetBSD/i386 (netbsd-5, as the
 original report), NetBSD/amd64 (netbsd-5) and NetBSD/amd64 (-current)
 are all successful.

 HTH,
 --
 khorben


State-Changed-From-To: open->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Fri, 04 Jan 2013 01:22:05 +0000
State-Changed-Why:
Tested out as fixed a year ago. If it's still not working
for you, please write in and let us know.


>Unformatted:
