NetBSD Problem Report #45326

From hauke@Espresso.Rhein-Neckar.DE  Fri Sep  2 20:57:08 2011
Return-Path: <hauke@Espresso.Rhein-Neckar.DE>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 348CF63BBA1
	for <gnats-bugs@gnats.NetBSD.org>; Fri,  2 Sep 2011 20:57:08 +0000 (UTC)
Message-Id: <201109022013.p82KD7xC001634@pizza.causeuse.org>
Date: Fri, 2 Sep 2011 22:13:07 +0200 (CEST)
From: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
Reply-To: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
To: gnats-bugs@gnats.NetBSD.org
Cc: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
Subject: security/sudo dies
X-Send-Pr-Version: 3.95

>Number:         45326
>Category:       pkg
>Synopsis:       security/sudo dies
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kim
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Sep 02 21:00:00 +0000 2011
>Last-Modified:  Thu Sep 22 11:51:06 +0000 2011
>Originator:     Hauke Fath
>Release:        NetBSD 5.99.55
>Organization:
Falling Raindrops
>Environment:


System: NetBSD pizza.causeuse.org 5.99.55 NetBSD 5.99.55 (PIZZA_PF) #0: Thu Sep 1 16:56:35 CEST 2011 hf@Hochstuhl:/var/obj/netbsd-builds/developer/sparc/sys/arch/sparc/compile/PIZZA_PF sparc
Architecture: sparc
Machine: sparc
>Description:

	On this machine, security/sudo dies:

% /root/sudo-1.7.7 ls
Bus error
%

	Unfortunately, I have not managed to let sudo dump core.
	Setting kern.coredump.setid.dump = 1 doesn't help, and when 
	run from gdb, sudo busy-loops at 100% cpu until a 'kill -9'.

>How-To-Repeat:

	Build security/sudo on -current gcc 4.5 sparc, find it doesn't.

>Fix:
	Workaround: Downgrade to sudo 1.7.5, which works fine.

>Release-Note:

>Audit-Trail:
From: Hauke Fath <hf@spg.tu-darmstadt.de>
To: gnats-bugs@NetBSD.org
Cc: pkg-manager@NetBSD.org, gnats-admin@NetBSD.org
Subject: Re: pkg/45326: security/sudo dies
Date: Tue, 6 Sep 2011 11:30:40 +0200

 sudo appears to disable dumping core. In addition to setting
 kern.coredump.setid.dump=1, building with

 # Debugging aids
 CFLAGS+=        -g -DSUDO_DEVEL
 INSTALL_UNSTRIPPED = yes

 results in a proper core file.

 [hauke@pizza] /<5>work/sudo-1.7.7 #  gdb ./sudo /var/crash/sudo.core
 GNU gdb 6.5
 Copyright (C) 2006 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "sparc--netbsdelf"...
 Reading symbols from /usr/lib/libutil.so.7...done.
 Loaded symbols for /usr/lib/libutil.so.7
 Reading symbols from /usr/lib/libskey.so.2...done.
 Loaded symbols for /usr/lib/libskey.so.2
 Reading symbols from /usr/lib/libcrypt.so.1...done.
 Loaded symbols for /usr/lib/libcrypt.so.1
 Reading symbols from /usr/lib/libz.so.1...done.
 Loaded symbols for /usr/lib/libz.so.1
 Reading symbols from /usr/lib/libsparc_v8.so.0...done.
 Loaded symbols for /usr/lib/libsparc_v8.so.0
 Reading symbols from /usr/lib/libc.so.12...done.
 Loaded symbols for /usr/lib/libc.so.12
 Reading symbols from /usr/libexec/ld.elf_so...done.
 Loaded symbols for /usr/libexec/ld.elf_so
 Core was generated by `sudo'.
 Program terminated with signal 10, Bus error.
 #0  0x00024bf0 in make_pwitem (pw=0x40269408, name=0x0) at ./pwutil.c:178
 178         memcpy(newpw, pw, sizeof(struct passwd));
 (gdb) bt
 #0  0x00024bf0 in make_pwitem (pw=0x40269408, name=0x0) at ./pwutil.c:178
 #1  0x00024dac in sudo_getpwuid (uid=100) at ./pwutil.c:252
 #2  0x0001d250 in init_vars (envp=<value optimized out>) at ./sudo.c:661
 #3  0x0001e0a8 in main (argc=2, argv=0xefffe9cc, envp=0xefffe9d8) at
 ./sudo.c:271
 (gdb) print newpw
 $1 = (struct passwd *) 0x4031c08c
 (gdb) print pw
 $2 = (const struct passwd *) 0x40269408
 (gdb)


 pwutil.c has

 [...]

 static struct cache_item *
 make_pwitem(pw, name)
     const struct passwd *pw;
     const char *name;
 {
     char *cp;
     const char *pw_shell;
     size_t nsize, psize, csize, gsize, dsize, ssize, total;
     struct cache_item *item;
     struct passwd *newpw;

     /* If shell field is empty, expand to _PATH_BSHELL. */
     pw_shell = (pw->pw_shell == NULL || pw->pw_shell[0] == '\0')
 	? _PATH_BSHELL : pw->pw_shell;

     /* Allocate in one big chunk for easy freeing. */
     nsize = psize = csize = gsize = dsize = ssize = 0;
     total = sizeof(struct cache_item) + sizeof(struct passwd);
     FIELD_SIZE(pw, pw_name, nsize);
     FIELD_SIZE(pw, pw_passwd, psize);
 #ifdef HAVE_LOGIN_CAP_H
     FIELD_SIZE(pw, pw_class, csize);
 #endif
     FIELD_SIZE(pw, pw_gecos, gsize);
     FIELD_SIZE(pw, pw_dir, dsize);
     /* Treat shell specially since we expand "" -> _PATH_BSHELL */
     ssize = strlen(pw_shell) + 1;
     total += ssize;
     if (name != NULL)
 	total += strlen(name) + 1;

     /* Allocate space for struct item, struct passwd and the strings. */
     if ((item = malloc(total)) == NULL)
 	    return NULL;
     cp = (char *) item + sizeof(struct cache_item);

     /*
      * Copy in passwd contents and make strings relative to space
      * at the end of the buffer.
      */
     newpw = (struct passwd *) cp;
     memcpy(newpw, pw, sizeof(struct passwd));
 *BUS ERROR*

 -- can somebody with sufficient SPARC fu comment on potential alignment
 issues of the "cp = (char *) item ..." line?

 	hauke


 See also <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640304>.


 -- 
      The ASCII Ribbon Campaign                    Hauke Fath
 ()     No HTML/RTF in email            Institut für Nachrichtentechnik
 /\     No Word docs in email                     TU Darmstadt
      Respect for open standards              Ruf +49-6151-16-3281

From: David Holland <dholland-pbugs@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/45326: security/sudo dies
Date: Sun, 18 Sep 2011 23:22:00 +0000

 On Tue, Sep 06, 2011 at 09:35:03AM +0000, Hauke Fath wrote:
  >      /* Allocate space for struct item, struct passwd and the strings. */
  >      if ((item = malloc(total)) == NULL)
  >  	    return NULL;
  >      cp = (char *) item + sizeof(struct cache_item);
  >  
  >      /*
  >       * Copy in passwd contents and make strings relative to space
  >       * at the end of the buffer.
  >       */
  >      newpw = (struct passwd *) cp;
  >      memcpy(newpw, pw, sizeof(struct passwd));
  >  *BUS ERROR*
  >  
  >  -- can somebody with sufficient SPARC fu comment on potential alignment
  >  issues of the "cp = (char *) item ..." line?

 Because item comes from malloc, it should be maximally aligned.
 Therefore, it depends on what the compiler thinks the required
 alignment of struct cache_item is, and that depends at least in part
 on what's in it.

 I've been meaning to go check before writing this response, but that
 could add another two weeks' latency...

 -- 
 David A. Holland
 dholland@netbsd.org

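To make the alignment point above concrete: the address of newpw is the malloc'd block plus sizeof(struct cache_item), so it is only as aligned as that size allows. If struct passwd contains a member with stricter alignment than anything in struct cache_item (on NetBSD 5.99 a 64-bit time_t, for instance) and sizeof(struct cache_item) is not a multiple of that alignment, newpw is misaligned. memcpy itself tolerates any address, but a compiler that knows the destination is a struct passwd * may expand the fixed-size copy into aligned doubleword stores, and SPARC traps on those with SIGBUS. The following C program is an added illustration, not sudo's code or a patch from this PR; struct hdr and struct rec are hypothetical stand-ins for struct cache_item and struct passwd, chosen so that the header is 12 bytes with 4-byte alignment while the record needs 8-byte alignment. It computes the naive payload offset used in the quoted code, the offset rounded up to the payload's alignment, and checks both resulting pointers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for struct cache_item: three 4-byte members,
 * so sizeof is 12 and only 4-byte alignment is required for it.
 * (Constructed for this example; not sudo's real definition.) */
struct hdr {
    unsigned int refcnt;
    unsigned int uid;
    unsigned int flags;
};

/* Hypothetical stand-in for struct passwd on a platform where some
 * member (e.g. a 64-bit time_t) needs 8-byte alignment. */
struct rec {
    long long expire;   /* 8-byte aligned on common ABIs */
    const char *name;
};

/* Round n up to the next multiple of a (a must be a power of two). */
static size_t round_up(size_t n, size_t a)
{
    return (n + a - 1) & ~(a - 1);
}

/* Payload offset as in the quoted code: the header's size, unpadded. */
size_t naive_payload_offset(void)
{
    return sizeof(struct hdr);
}

/* Payload offset rounded up to the payload type's alignment. */
size_t aligned_payload_offset(void)
{
    return round_up(sizeof(struct hdr), _Alignof(struct rec));
}

/* 1 if p may legitimately be used as a struct rec * on a
 * strict-alignment CPU such as SPARC. */
int rec_is_aligned(const void *p)
{
    return ((uintptr_t)p % _Alignof(struct rec)) == 0;
}

/* Allocate header and payload in one chunk, copying *src to
 * `offset` bytes past the start. Returns the payload address as a
 * char * so that a misaligned result is never dereferenced here. */
static char *make_item(const struct rec *src, size_t offset)
{
    struct hdr *item = malloc(offset + sizeof(struct rec));
    if (item == NULL)
        return NULL;
    item->refcnt = 1;
    item->uid = 100;
    item->flags = 0;
    char *cp = (char *)item + offset;
    memcpy(cp, src, sizeof(struct rec));   /* byte copy: fine at any address */
    return cp;
}

char *make_item_naive(const struct rec *src)
{
    return make_item(src, naive_payload_offset());
}

char *make_item_aligned(const struct rec *src)
{
    return make_item(src, aligned_payload_offset());
}

/* Release a block given its payload address and the offset used. */
void free_item(char *payload, size_t offset)
{
    if (payload != NULL)
        free(payload - offset);
}

int main(void)
{
    struct rec r = { 42, "example" };          /* constructed sample */
    char *naive = make_item_naive(&r);
    char *fixed = make_item_aligned(&r);

    printf("sizeof(hdr)=%zu  alignof(rec)=%zu\n",
           sizeof(struct hdr), _Alignof(struct rec));
    printf("naive offset %zu -> aligned? %d\n",
           naive_payload_offset(), rec_is_aligned(naive));
    printf("padded offset %zu -> aligned? %d\n",
           aligned_payload_offset(), rec_is_aligned(fixed));

    free_item(naive, naive_payload_offset());
    free_item(fixed, aligned_payload_offset());
    return 0;
}
```

The check is platform-independent: malloc returns storage aligned for every fundamental type, so the payload address modulo alignof(struct rec) equals the header offset modulo that alignment, and any offset that is not a multiple of it yields a pointer that a strict-alignment CPU will refuse to load through. Rounding the offset up (or padding the header struct to a multiple of the payload's alignment) removes the hazard on every architecture, not only on SPARC.
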
Responsible-Changed-From-To: pkg-manager->kim
Responsible-Changed-By: wiz@NetBSD.org
Responsible-Changed-When: Thu, 22 Sep 2011 11:51:06 +0000
Responsible-Changed-Why:
Over to maintainer.


>Unformatted:
