Bug 390

Summary: sends non-printable random characters in email if DNS is not working
Product: Sudo Reporter: Timo Juhani Lindfors <timo.lindfors>
Component: Sudo Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: normal CC: patrick2000, tjc
Priority: low    
Version: 1.7.2   
Hardware: PC   
OS: Linux   
See Also: https://launchpad.net/bugs/530073
Attachments: free logline and message only after their last uses

Description Timo Juhani Lindfors 2010-02-01 13:22:20 MST
Created attachment 266
free logline and message only after their last uses

Steps to reproduce:
1) iptables -A INPUT -p udp --sport 53 -j DROP
2) sudo true

Expected results:
2) sudo sends a warning email that DNS is broken

Actual results:
2) sudo sends a warning email that DNS is broken but the email contains
non-printable random characters. Here are some examples (filtered with
"cat -A" to escape those non-printable characters):

From root@fomalhaut.lan Mon Feb 01 16:50:59 2010$
Return-path: <root@fomalhaut.lan>$
Envelope-to: root@fomalhaut.lan$
Delivery-date: Mon, 01 Feb 2010 16:50:59 +0000$
Received: from root by fomalhaut with local (Exim 4.71)$
^I(envelope-from <root@fomalhaut.lan>)$
^Iid 1NbzTf-0006AP-21$
^Ifor root@fomalhaut.lan; Mon, 01 Feb 2010 16:50:19 +0000$
Date: Mon, 01 Feb 2010 16:50:19 +0000$
Message-Id: <E1NbzTf-0006AP-21@fomalhaut>$
To: root@fomalhaut.lan$
Auto-Submitted: auto-generated$
Subject: *** SECURITY information for fomalhaut ***$
From: root <root@fomalhaut.lan>$
$
fomalhaut : Feb  1 16:49:38 : root : ^PM-d^HM-8^PM-d^HM-8o resolve host
fomalhaut($


From root@fomalhaut.lan Mon Feb 01 17:15:10 2010$
Return-path: <root@fomalhaut.lan>$
Envelope-to: root@fomalhaut.lan$
Delivery-date: Mon, 01 Feb 2010 17:15:10 +0000$
Received: from root by fomalhaut with local (Exim 4.71)$
^I(envelope-from <root@fomalhaut.lan>)$
^Iid 1Nbzr4-0006FF-0r$
^Ifor root@fomalhaut.lan; Mon, 01 Feb 2010 17:14:30 +0000$
Date: Mon, 01 Feb 2010 17:14:30 +0000$
Message-Id: <E1Nbzr4-0006FF-0r@fomalhaut>$
To: root@fomalhaut.lan$
Auto-Submitted: auto-generated$
Subject: *** SECURITY information for fomalhaut ***$
From: root <root@fomalhaut.lan>$
$
fomalhaut : Feb  1 17:13:49 : root : ^PM-dM-|M-7^PM-dM-|M-7o resolve
host fomalhaut($

More info:
1) This happens every time DNS is broken.
2) This does not happen with sudo 1.6.9p17-2 in debian lenny.
3) strace shows

24020 execve("/usr/bin/sudo", ["sudo", "true"], [/* 29 vars */]) = 0
...
24020 write(2, "sudo", 4)               = 4
24020 write(2, ": ", 2)                 = 2
24020 write(2, "unable to resolve host fomalhaut", 32) = 32
24020 write(2, "\n", 1)                 = 1
24020 clone(child_stack=0,
flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD,
child_tidptr=0xb7ecb728) = 24023
24023 clone(child_stack=0,
flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD,
child_tidptr=0xb7ecb728) = 24024
24024 setsid()                          = 24024
24024 chdir("/")                        = 0
24024 open("/dev/null", O_RDWR)         = 5
...
24024 write(4, "To: root\nFrom: root\nAuto-Submitted:
auto-generated\nSubject: *** SECURITY information for fomalhaut
***\n\nfomalhaut : Feb  1 17:14:51 : root : \20\24\1\270\20\24\1\270o
resolve host fomalhaut(\n\n", 176) = 176

4) gdb shows me that
4.1) send_mail() is called with line that points to ""
4.2) after closefrom(STDERR_FILENO + 1); line no longer starts with \0
and shows

"\020\224\006¸\020\224\006¸o resolve host fomalhaut("

4.3) setting a watchpoint on line[0] shows

Old value = 0
New value = 146555480
malloc_consolidate (av=0xb7f283c0) at malloc.c:5138
5138    malloc.c: No such file or directory.
        in malloc.c
Mon Feb  1 17:51:48 UTC 2010
(gdb) bt
#0  malloc_consolidate (av=0xb7f283c0) at malloc.c:5138
#1  0xb7e51e96 in _int_malloc (av=0xb7f283c0, bytes=32792) at
malloc.c:4360
#2  0xb7e542ce in *__GI___libc_malloc (bytes=32792) at malloc.c:3660
#3  0xb7e791b0 in __alloc_dir (fd=6, close_fd=true, statp=0x0) at
../sysdeps/unix/opendir.c:186
#4  0xb7e792f5 in __opendir (name=0x806925c "/proc/self/fd") at
../sysdeps/unix/opendir.c:141
#5  0x0805f439 in closefrom (lowfd=3) at ../closefrom.c:113
#6  0x0805823d in send_mail (line=0x8bc5040 "XB¼\ble to resolve host
fomalhaut") at ../logging.c:504
#7  0x08058074 in log_error (flags=9, fmt=0x8068c06 "unable to resolve
host %s") at ../logging.c:400
#8  0x0805d3dd in set_fqdn () at ../sudo.c:1342
#9  0x0805c465 in init_vars (sudo_mode=1, envp=0xbfd935f0) at
../sudo.c:721
#10 0x0805b4d1 in main (argc=2, argv=0xbfd935e4, envp=0xbfd935f0) at
../sudo.c:275

5) Then I looked at log_error and noticed:

evasprintf(&message, fmt, ap); // allocates memory
...
logline = message;
...
efree(message); // frees the memory
...
send_mail(logline); // uses the free'd memory!

Proposed patch is attached.
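The lifetime bug described in point 5, modelled as an added C example (this is not sudo's code: send_mail, evasprintf and log_error are replaced by stand-ins with assumed signatures, and the mail body is captured in a buffer instead of being sent). The buggy free-before-use ordering is shown beside the corrected ordering the attached patch applies.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for sudo's send_mail(): keeps the line that would become the mail
 * body so it can be inspected afterwards, and returns the line's length. */
static char last_mail[128];
static size_t fake_send_mail(const char *line) {
    return (size_t)snprintf(last_mail, sizeof last_mail, "%s", line);
}
const char *last_mail_body(void) { return last_mail; }

/* Stand-in for sudo's evasprintf(): format into malloc'd memory or die. */
static char *xvasprintf(const char *fmt, va_list ap) {
    va_list ap2;
    va_copy(ap2, ap);
    int len = vsnprintf(NULL, 0, fmt, ap2);
    va_end(ap2);
    char *buf = len < 0 ? NULL : malloc((size_t)len + 1);
    if (buf == NULL) exit(1);
    vsnprintf(buf, (size_t)len + 1, fmt, ap);
    return buf;
}

/* Buggy ordering from sudo 1.7.2's log_error(): logline aliases message,
 * message is freed, and the dangling logline goes to send_mail(). Reading
 * freed memory is undefined behaviour, so the test never calls this. */
size_t log_error_buggy(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    char *message = xvasprintf(fmt, ap);
    va_end(ap);
    char *logline = message;
    free(message);                    /* both pointers now dangle */
    return fake_send_mail(logline);   /* use after free: garbage in the mail */
}

/* Fixed ordering, as in the attached patch: free only after the last use of
 * every alias, then null the pointers so any later use fails loudly. */
size_t log_error_fixed(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    char *message = xvasprintf(fmt, ap);
    va_end(ap);
    char *logline = message;
    size_t n = fake_send_mail(logline);
    free(message);
    message = logline = NULL;
    return n;
}
```

In the report the freed chunk was recycled while closefrom() called opendir("/proc/self/fd"), which is why the leading bytes of the message in the mail were replaced by heap data.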
Comment 1 Todd C. Miller 2010-02-01 14:41:39 MST
Thanks, that fix looks correct and will be in the next sudo patchlevel.
Comment 2 Toby Corkindale 2010-04-20 02:42:44 MDT
This bug is showing up on the version of sudo in Ubuntu 9.10, where the version is reported as 1.7.0-1ubuntu2.2

I'll add their Launchpad address to the See Also URLs above.
Comment 3 Todd C. Miller 2010-05-07 13:18:24 MDT
*** Bug 408 has been marked as a duplicate of this bug. ***