NetBSD Problem Report #45326
From hauke@Espresso.Rhein-Neckar.DE Fri Sep 2 20:57:08 2011
Return-Path: <hauke@Espresso.Rhein-Neckar.DE>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id 348CF63BBA1
for <gnats-bugs@gnats.NetBSD.org>; Fri, 2 Sep 2011 20:57:08 +0000 (UTC)
Message-Id: <201109022013.p82KD7xC001634@pizza.causeuse.org>
Date: Fri, 2 Sep 2011 22:13:07 +0200 (CEST)
From: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
Reply-To: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
To: gnats-bugs@gnats.NetBSD.org
Cc: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
Subject: security/sudo dies
X-Send-Pr-Version: 3.95
>Number: 45326
>Category: pkg
>Synopsis: security/sudo dies
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: kim
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Sep 02 21:00:00 +0000 2011
>Closed-Date: Mon Jan 20 10:02:24 +0000 2020
>Last-Modified: Mon Jan 20 10:02:24 +0000 2020
>Originator: Hauke Fath
>Release: NetBSD 5.99.55
>Organization:
Falling Raindrops
>Environment:
System: NetBSD pizza.causeuse.org 5.99.55 NetBSD 5.99.55 (PIZZA_PF) #0: Thu Sep 1 16:56:35 CEST 2011 hf@Hochstuhl:/var/obj/netbsd-builds/developer/sparc/sys/arch/sparc/compile/PIZZA_PF sparc
Architecture: sparc
Machine: sparc
>Description:
On this machine, security/sudo dies:
% /root/sudo-1.7.7 ls
Bus error
%
Unfortunately, I have not managed to let sudo dump core.
Setting kern.coredump.setid.dump = 1 doesn't help, and when
run from gdb, sudo busy-loops at 100% cpu until a 'kill -9'.
>How-To-Repeat:
Build security/sudo on -current gcc 4.5 sparc, find it doesn't.
>Fix:
Workaround: Downgrade to sudo 1.7.5, which works fine.
>Release-Note:
>Audit-Trail:
From: Hauke Fath <hf@spg.tu-darmstadt.de>
To: gnats-bugs@NetBSD.org
Cc: pkg-manager@NetBSD.org, gnats-admin@NetBSD.org
Subject: Re: pkg/45326: security/sudo dies
Date: Tue, 6 Sep 2011 11:30:40 +0200
sudo appears to disable dumping core. In addition to setting
kern.coredump.setid.dump=1, building with
# Debugging aids
CFLAGS+= -g -DSUDO_DEVEL
INSTALL_UNSTRIPPED = yes
results in a proper core file.
[hauke@pizza] /<5>work/sudo-1.7.7 # gdb ./sudo /var/crash/sudo.core
GNU gdb 6.5
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "sparc--netbsdelf"...
Reading symbols from /usr/lib/libutil.so.7...done.
Loaded symbols for /usr/lib/libutil.so.7
Reading symbols from /usr/lib/libskey.so.2...done.
Loaded symbols for /usr/lib/libskey.so.2
Reading symbols from /usr/lib/libcrypt.so.1...done.
Loaded symbols for /usr/lib/libcrypt.so.1
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /usr/lib/libsparc_v8.so.0...done.
Loaded symbols for /usr/lib/libsparc_v8.so.0
Reading symbols from /usr/lib/libc.so.12...done.
Loaded symbols for /usr/lib/libc.so.12
Reading symbols from /usr/libexec/ld.elf_so...done.
Loaded symbols for /usr/libexec/ld.elf_so
Core was generated by `sudo'.
Program terminated with signal 10, Bus error.
#0 0x00024bf0 in make_pwitem (pw=0x40269408, name=0x0) at ./pwutil.c:178
178 memcpy(newpw, pw, sizeof(struct passwd));
(gdb) bt
#0 0x00024bf0 in make_pwitem (pw=0x40269408, name=0x0) at ./pwutil.c:178
#1 0x00024dac in sudo_getpwuid (uid=100) at ./pwutil.c:252
#2 0x0001d250 in init_vars (envp=<value optimized out>) at ./sudo.c:661
#3 0x0001e0a8 in main (argc=2, argv=0xefffe9cc, envp=0xefffe9d8) at ./sudo.c:271
(gdb) print newpw
$1 = (struct passwd *) 0x4031c08c
(gdb) print pw
$2 = (const struct passwd *) 0x40269408
(gdb)
pwutil.c has

[...]
static struct cache_item *
make_pwitem(pw, name)
    const struct passwd *pw;
    const char *name;
{
    char *cp;
    const char *pw_shell;
    size_t nsize, psize, csize, gsize, dsize, ssize, total;
    struct cache_item *item;
    struct passwd *newpw;

    /* If shell field is empty, expand to _PATH_BSHELL. */
    pw_shell = (pw->pw_shell == NULL || pw->pw_shell[0] == '\0')
        ? _PATH_BSHELL : pw->pw_shell;

    /* Allocate in one big chunk for easy freeing. */
    nsize = psize = csize = gsize = dsize = ssize = 0;
    total = sizeof(struct cache_item) + sizeof(struct passwd);
    FIELD_SIZE(pw, pw_name, nsize);
    FIELD_SIZE(pw, pw_passwd, psize);
#ifdef HAVE_LOGIN_CAP_H
    FIELD_SIZE(pw, pw_class, csize);
#endif
    FIELD_SIZE(pw, pw_gecos, gsize);
    FIELD_SIZE(pw, pw_dir, dsize);
    /* Treat shell specially since we expand "" -> _PATH_BSHELL */
    ssize = strlen(pw_shell) + 1;
    total += ssize;
    if (name != NULL)
        total += strlen(name) + 1;

    /* Allocate space for struct item, struct passwd and the strings. */
    if ((item = malloc(total)) == NULL)
        return NULL;
    cp = (char *) item + sizeof(struct cache_item);

    /*
     * Copy in passwd contents and make strings relative to space
     * at the end of the buffer.
     */
    newpw = (struct passwd *) cp;
    memcpy(newpw, pw, sizeof(struct passwd));
    *BUS ERROR*
-- can somebody with sufficient SPARC fu comment on potential alignment
issues of the "cp = (char *) item ..." line?
hauke
See also <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640304>.
--
The ASCII Ribbon Campaign          Hauke Fath
() No HTML/RTF in email            Institut für Nachrichtentechnik
/\ No Word docs in email           TU Darmstadt
Respect for open standards         Ruf +49-6151-16-3281
From: David Holland <dholland-pbugs@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: pkg/45326: security/sudo dies
Date: Sun, 18 Sep 2011 23:22:00 +0000
On Tue, Sep 06, 2011 at 09:35:03AM +0000, Hauke Fath wrote:
> /* Allocate space for struct item, struct passwd and the strings. */
> if ((item = malloc(total)) == NULL)
> return NULL;
> cp = (char *) item + sizeof(struct cache_item);
>
> /*
> * Copy in passwd contents and make strings relative to space
> * at the end of the buffer.
> */
> newpw = (struct passwd *) cp;
> memcpy(newpw, pw, sizeof(struct passwd));
> *BUS ERROR*
>
> -- can somebody with sufficient SPARC fu comment on potential alignment
> issues of the "cp = (char *) item ..." line?
Because item comes from malloc, it should be maximally aligned.
Therefore, it depends on what the compiler thinks the required
alignment of struct cache_item is, and that depends at least in part
on what's in it.
I've been meaning to go check before writing this response, but that
could add another two weeks' latency...
--
David A. Holland
dholland@netbsd.org
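The alignment question raised in the report and David's answer above can be checked mechanically. The following is an added example, not code from the PR or from sudo: it uses constructed stand-in types (struct hdr for cache_item, struct rec for a passwd with a 64-bit time_t field) to show why `(char *)item + sizeof(struct cache_item)` is only a valid address for the second struct when that sizeof is a multiple of the second struct's alignment, and how to compute a padded offset that is always valid on the ABI the code is compiled for. The helper names (align_up, safe_offset, make_item) are this example's own.

```c
/*
 * Added example (not from the PR or from sudo): placing one struct
 * directly behind another inside a single malloc() block, as the quoted
 * make_pwitem() does, is only safe when sizeof(the first struct) is a
 * multiple of the alignment the second struct needs. malloc() returns
 * maximally aligned memory, so everything hinges on that sizeof.
 * struct hdr / struct rec below are constructed stand-ins.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a cache header: three 32-bit fields, so sizeof == 12
 * and alignment 4 on every common ABI. */
struct hdr {
    uint32_t refcnt;
    uint32_t key;
    uint32_t flags;
};

/* Stand-in for a record with a 64-bit field: on SPARC (and on x86-64)
 * an int64_t must sit on an 8-byte boundary, or the load traps (SIGBUS). */
struct rec {
    char   *name;
    int64_t expire;
};

/* Round n up to the next multiple of align (align is a power of two). */
size_t align_up(size_t n, size_t align)
{
    return (n + align - 1) & ~(align - 1);
}

int is_aligned(size_t off, size_t align)
{
    return (off & (align - 1)) == 0;
}

/* The offset the quoted code uses: immediately behind the header. */
size_t naive_offset(void)
{
    return sizeof(struct hdr);
}

/* The offset that is valid for struct rec on the ABI we compile for. */
size_t safe_offset(void)
{
    return align_up(sizeof(struct hdr), _Alignof(struct rec));
}

/* Whether the naive layout happens to be legal on this ABI. */
int naive_is_ok(void)
{
    return is_aligned(naive_offset(), _Alignof(struct rec));
}

/*
 * One-chunk allocation done with padding: header, pad, record, then the
 * name string, with the record's pointer rewritten to the copied string.
 * Returns the header; the record lives at safe_offset() behind it.
 */
struct hdr *make_item(const struct rec *src, uint32_t key)
{
    size_t rec_off = safe_offset();
    size_t nlen = strlen(src->name) + 1;
    size_t total = rec_off + sizeof(struct rec) + nlen;
    struct hdr *item = malloc(total);
    if (item == NULL)
        return NULL;
    item->refcnt = 1;
    item->key = key;
    item->flags = 0;
    struct rec *dst = (struct rec *)((char *)item + rec_off);
    memcpy(dst, src, sizeof(*src));        /* destination is aligned */
    char *cp = (char *)dst + sizeof(*dst);
    memcpy(cp, src->name, nlen);
    dst->name = cp;
    return item;
}

struct rec *item_rec(struct hdr *item)
{
    return (struct rec *)((char *)item + safe_offset());
}

/* Build an item from a constructed sample and verify placement and copy. */
int roundtrip_ok(void)
{
    struct rec src = { "alice", 1700000000LL };   /* constructed sample */
    struct hdr *item = make_item(&src, 100);
    if (item == NULL)
        return 0;
    struct rec *r = item_rec(item);
    int ok = ((uintptr_t)r % _Alignof(struct rec)) == 0
          && item->key == 100
          && r->expire == src.expire
          && r->name != src.name
          && strcmp(r->name, "alice") == 0;
    free(item);
    return ok;
}

int main(void)
{
    printf("sizeof(hdr)=%zu alignof(rec)=%zu naive=%zu safe=%zu naive_ok=%d\n",
           sizeof(struct hdr), _Alignof(struct rec), naive_offset(),
           safe_offset(), naive_is_ok());
    printf("roundtrip %s\n", roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

On an ABI where struct rec needs 8-byte alignment, naive_offset() is 12 and safe_offset() is 16; where time_t is 32-bit or the ABI allows 4-byte alignment of 64-bit fields, both are 12 and the naive layout never faults, which is why a bug like this surfaces on one architecture and stays invisible on others.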
Responsible-Changed-From-To: pkg-manager->kim
Responsible-Changed-By: wiz@NetBSD.org
Responsible-Changed-When: Thu, 22 Sep 2011 11:51:06 +0000
Responsible-Changed-Why:
Over to maintainer.
State-Changed-From-To: open->feedback
State-Changed-By: bsiegert@NetBSD.org
State-Changed-When: Wed, 01 Jan 2020 15:29:06 +0000
State-Changed-Why:
This seems super stale. Is this still an issue with newer sudo versions?
State-Changed-From-To: feedback->closed
State-Changed-By: kim@NetBSD.org
State-Changed-When: Mon, 20 Jan 2020 10:02:24 +0000
State-Changed-Why:
I don't have a sparc to try with myself, but this is probably
not an issue anymore.
>Unformatted: