Bug 308

Summary: double free or corruption with long host name
Product: Sudo
Reporter: joshua.gallagher
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: normal
CC: joshua.gallagher
Priority: normal
Version: 1.6.9
Hardware: PC
OS: Linux
Attachments:
    Force hostname buffer to be NUL terminated. (attachment 234)
    Force hostname buffer to be NUL terminated. (attachment 235)

Description joshua.gallagher 2008-10-28 14:10:16 MDT
Description:
If my host name is long (tested 64-characters) sudo fails with a "double free or corruption" when inserting a kernel module.

sudo and OS details:
jgallagher@magus:~$ sudo -V
Sudo version 1.6.9p10
jgallagher@magus:~$ uname -a
Linux magus 2.6.24-21-generic #1 SMP Tue Oct 21 23:43:45 UTC 2008 i686 GNU/Linux

With a short host name of 'magus', insert and remove a kernel module:
jgallagher@magus:~$ sudo insmod ./6056/client/linux/fs/maxifs/maxifs.ko
jgallagher@magus:~$ sudo rmmod maxifs.ko

Linux supports 64-character host names.  Set my host name to something 64-characters long and try re-inserting the same module:
jgallagher@magus:~$ sudo hostname 1234567890123456789012345678901234567890123456789012345678901234
jgallagher@magus:~$ sudo insmod ./6056/client/linux/fs/maxifs/maxifs.ko
*** glibc detected *** sudo: double free or corruption (out): 0x080591d8 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7e52a85]
/lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7e564f0]
sudo[0x804efbf]
sudo[0x8050050]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb7dfd450]
sudo[0x804a551]
======= Memory map: ========
08048000-08062000 r-xp 00000000 08:02 3736531    /usr/bin/sudo
08062000-08064000 rw-p 00019000 08:02 3736531    /usr/bin/sudo
08064000-08087000 rw-p 08064000 00:00 0          [heap]
b7c00000-b7c21000 rw-p b7c00000 00:00 0 
b7c21000-b7d00000 ---p b7c21000 00:00 0 
b7da5000-b7daf000 r-xp 00000000 08:02 5406765    /lib/libgcc_s.so.1
b7daf000-b7db0000 rw-p 0000a000 08:02 5406765    /lib/libgcc_s.so.1
b7db0000-b7db9000 r-xp 00000000 08:02 5407101    /lib/tls/i686/cmov/libnss_files-2.7.so
b7db9000-b7dbb000 rw-p 00008000 08:02 5407101    /lib/tls/i686/cmov/libnss_files-2.7.so
b7dbb000-b7dc3000 r-xp 00000000 08:02 5407103    /lib/tls/i686/cmov/libnss_nis-2.7.so
b7dc3000-b7dc5000 rw-p 00007000 08:02 5407103    /lib/tls/i686/cmov/libnss_nis-2.7.so
b7dc5000-b7dd9000 r-xp 00000000 08:02 5407098    /lib/tls/i686/cmov/libnsl-2.7.so
b7dd9000-b7ddb000 rw-p 00013000 08:02 5407098    /lib/tls/i686/cmov/libnsl-2.7.so
b7ddb000-b7ddd000 rw-p b7ddb000 00:00 0 
b7ddd000-b7de4000 r-xp 00000000 08:02 5407099    /lib/tls/i686/cmov/libnss_compat-2.7.so
b7de4000-b7de6000 rw-p 00006000 08:02 5407099    /lib/tls/i686/cmov/libnss_compat-2.7.so
b7de6000-b7de7000 rw-p b7de6000 00:00 0 
b7de7000-b7f30000 r-xp 00000000 08:02 5407091    /lib/tls/i686/cmov/libc-2.7.so
b7f30000-b7f31000 r--p 00149000 08:02 5407091    /lib/tls/i686/cmov/libc-2.7.so
b7f31000-b7f33000 rw-p 0014a000 08:02 5407091    /lib/tls/i686/cmov/libc-2.7.so
b7f33000-b7f37000 rw-p b7f33000 00:00 0 
b7f37000-b7f39000 r-xp 00000000 08:02 5407095    /lib/tls/i686/cmov/libdl-2.7.so
b7f39000-b7f3b000 rw-p 00001000 08:02 5407095    /lib/tls/i686/cmov/libdl-2.7.so
b7f3b000-b7f44000 r-xp 00000000 08:02 5406753    /lib/libpam.so.0.81.6
b7f44000-b7f45000 rw-p 00008000 08:02 5406753    /lib/libpam.so.0.81.6
b7f55000-b7f57000 rw-p b7f55000 00:00 0 
b7f57000-b7f58000 r-xp b7f57000 00:00 0          [vdso]
b7f58000-b7f72000 r-xp 00000000 08:02 5406902    /lib/ld-2.7.so
b7f72000-b7f74000 rw-p 00019000 08:02 5406902    /lib/ld-2.7.so
bfaef000-bfb04000 rw-p bffeb000 00:00 0          [stack]
Aborted
jgallagher@magus:~$
Comment 1 Todd C. Miller 2008-10-28 14:19:24 MDT
Sudo expects gethostname() to NUL terminate the buffer, but it sounds like on Linux with a 64 char hostname this is not happening.  Please try the attached patch and see if it solves the problem for you.
Comment 2 Todd C. Miller 2008-10-28 14:20:06 MDT
Created attachment 234 [details]
Force hostname buffer to be NUL terminated.
Comment 3 joshua.gallagher 2008-10-28 15:37:42 MDT
This bug was raised against Sudo version 1.6.9p10

I downloaded the latest code and repeated my test.  When running sudo-1.6.9p17 I get the following:
sudo: can't get hostname: Success

So, it seems like between p10 and p17 this has been bullet-proofed a little bit.
Comment 4 joshua.gallagher 2008-10-28 15:49:30 MDT
I applied your patch and I'm getting the same error I mentioned in my last post:
./sudo insmod /home/jgallagher/6056/client/linux/fs/maxifs/maxifs.ko
sudo: can't get hostname: Success

Not knowing the code, it almost suggests that the p10 to p17 changes error check against the situation where the gethostname() returns something it doesn't like and never gets to be evaluated by your new code.
Comment 5 Todd C. Miller 2008-10-28 17:02:56 MDT
That probably indicates that the length passed in to gethostname() should include the extra byte for the NUL.  I hadn't noticed you were running 1.6.9p10.  I've updated the diff attached to the bug.
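The three buffer-handling variants discussed in this thread, side by side, as an added example (not sudo's code and not the attached patch). The real gethostname() is replaced by a constructed stand-in, sim_gethostname(), that fills the buffer without a terminator and reports failure when a 64-character name plus its NUL does not fit, so the example runs deterministically offline; the 64-character node name and the function names are likewise constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Longest node name Linux accepts (the kernel's nodename field is 64 bytes
 * plus a terminator).  The 64-character name below is constructed for the
 * example and stands in for the real kernel value so it runs offline. */
#define NODENAME_MAX 64
static const char fake_nodename[] =
    "1234567890123456789012345678901234567890123456789012345678901234";

/* Simulated gethostname(): copies at most len bytes of the node name.  When
 * the name plus its terminator does not fit, the copy fills the whole buffer
 * and the terminator is dropped; the call then reports failure with
 * ENAMETOOLONG.  Constructed stand-in mirroring the symptoms in the thread,
 * not the C library's own implementation. */
static int sim_gethostname(char *name, size_t len)
{
    size_t node_len = strlen(fake_nodename) + 1;   /* bytes including NUL */
    memcpy(name, fake_nodename, len < node_len ? len : node_len);
    if (node_len > len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Pattern from the original report: a buffer of exactly NODENAME_MAX bytes,
 * with the result assumed to be NUL-terminated and the return value ignored.
 * Returns 1 if a terminator is present anywhere in the buffer, 0 if a later
 * strlen()/strdup() would read past the end (the heap corruption the
 * reporter saw). */
int unchecked_buffer_is_terminated(void)
{
    char host[NODENAME_MAX];
    memset(host, 'X', sizeof(host));            /* poison: no accidental NUL */
    (void)sim_gethostname(host, sizeof(host));  /* return value ignored */
    return memchr(host, '\0', sizeof(host)) != NULL;
}

/* First patch attempt from the thread: one spare byte is reserved, but the
 * length passed to gethostname() excludes it, so a 64-character name still
 * does not fit and the call fails ("can't get hostname").  Returns the
 * gethostname() result. */
int spare_byte_but_short_length(void)
{
    char host[NODENAME_MAX + 1];
    int rc = sim_gethostname(host, sizeof(host) - 1);
    host[sizeof(host) - 1] = '\0';
    return rc;
}

/* Hardened version: one spare byte for the terminator, the full buffer size
 * passed in (so the extra byte counts), and the terminator forced regardless
 * of what the callee wrote.  Copies the name into out; returns 0 on success,
 * -1 with errno set if the name could not be obtained or does not fit. */
int safe_gethostname(char *out, size_t outlen)
{
    char host[NODENAME_MAX + 1];

    if (sim_gethostname(host, sizeof(host)) == -1)
        return -1;                          /* genuine failure: name > 64 */
    host[sizeof(host) - 1] = '\0';          /* force NUL even if callee did not */

    if (strlen(host) + 1 > outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, host, strlen(host) + 1);
    return 0;
}

int main(void)
{
    char name[NODENAME_MAX + 1];
    int rc;

    printf("64-byte buffer, no check: terminator present? %s\n",
           unchecked_buffer_is_terminated() ? "yes" : "no");
    rc = spare_byte_but_short_length();
    printf("65-byte buffer, length 64 passed: rc=%d (%s)\n", rc, strerror(errno));
    if (safe_gethostname(name, sizeof(name)) == 0)
        printf("65-byte buffer, full length, forced NUL: \"%s\" (%zu chars)\n",
               name, strlen(name));
    return 0;
}
```

The two defensive habits the fixed variant shows are independent: size the buffer for the longest name plus one, and then write the terminator yourself rather than trusting the callee to do it. Either alone leaves a gap (the second variant has the spare byte but under-reports the size, so the name is rejected; the first has neither and silently loses the terminator).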
Comment 6 Todd C. Miller 2008-10-28 17:03:42 MDT
The content of attachment 234 [details] has been deleted by
    Todd C Miller <Todd.Miller@courtesan.com>
without providing any reason.

The token used to delete this attachment was generated at 2008-10-28 17:03:32 EST5EDT.
Comment 7 Todd C. Miller 2008-10-28 17:04:14 MDT
Created attachment 235 [details]
Force hostname buffer to be NUL terminated.
Comment 8 joshua.gallagher 2008-10-28 17:36:09 MDT
Perfect!

Insmod my kernel module using the patched version of the code, located in my local sudo-1.6.9p17 directory:
jgallagher@magus:~/sudo-1.6.9p17$ ./sudo insmod ../6056/client/linux/fs/maxifs/maxifs.ko

Prove that my hostname is still set to the long name (irrespective of my bash prompt).
jgallagher@magus:~/sudo-1.6.9p17$ hostname
1234567890123456789012345678901234567890123456789012345678901234

Prove that the module was inserted:
jgallagher@magus:~/sudo-1.6.9p17$ lsmod |grep maxifs
maxifs                 39760  0 

Remove the module and perform the insert using the sudo in my path, i.e. the unpatched sudo-1.6.9p10, to prove that it still fails:
jgallagher@magus:~/sudo-1.6.9p17$ ./sudo rmmod maxifs.ko
jgallagher@magus:~/sudo-1.6.9p17$ sudo insmod ../6056/client/linux/fs/maxifs/maxifs.ko
*** glibc detected *** sudo: double free or corruption (out): 0x080591d8 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7edda85]
<snip>

-----------------------

I'd say it's fixed.  Thanks!