Bug 544

Summary: an attempt to erealloc an efree'd pointer when running without a tty results in a crash
Product: Sudo
Reporter: mjguzik
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: security
Priority: low
Version: 1.8.4
Hardware: PC
OS: FreeBSD
Attachments: patch

Description mjguzik 2012-03-11 20:58:58 MDT
Created attachment 333
patch

I'm running:
FreeBSD lap 9.0-BETA1 FreeBSD 9.0-BETA1 #0: Thu Jul 28 17:15:31 UTC 2011     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64

sudo crashes when running without a controlling terminal.

The issue is already known; it was reported here:
http://lists.freebsd.org/pipermail/freebsd-current/2012-March/032420.html

How to reproduce:
$ ssh f@localhost "sudo"
sudo: (malloc) /usr/src/lib/libc/stdlib/malloc.c:2636: Failed assertion: "(run->regs_mask[elm] & (1U << bit)) == 0"

It fails because get_process_ttyname() ereallocs() an already efreed() buffer:

struct kinfo_proc *ki_proc = NULL;
for (i = 0; tty == NULL && i < 2; i++) {
    ...
    ki_proc = erealloc(ki_proc, ....);
    ...
    efree(ki_proc);
}

I have no idea if this can be used to escalate privileges (probably not, but...), so to be safe I checked "security" severity to increase chances that you will look into this sooner. Sorry if this was wrong.
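The pattern the report describes, as an added illustration that is not sudo's code and not the attached patch: a small shadow table of live allocations that flags a realloc() or free() of an already freed pointer (the condition FreeBSD's malloc assertion tripped on), run against the loop shape above in its buggy form and in one fixed form that frees the buffer once after the loop. The checked_erealloc()/checked_efree() wrappers, the query_tty() stub and the has_tty inputs are constructed for the example; sudo's real get_process_ttyname() queries kinfo_proc via sysctl and its actual fix is in the attachment, not reproduced here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 16

/* Shadow table of live heap allocations. A pointer handed to the
 * checked_* wrappers that is not in this table is reported instead
 * of being passed to the real allocator (where it would be UB). */
static void *live[MAX_LIVE];
static int uaf_detected;

static int is_live(const void *p)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) return 1;
    return 0;
}

static void track(void *p)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = p; return; }
    fprintf(stderr, "shadow table full\n");
    exit(1);
}

static void untrack(const void *p)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) live[i] = NULL;
}

static void shadow_reset(void)
{
    memset(live, 0, sizeof live);
    uaf_detected = 0;
}

/* Stand-in for sudo's erealloc(): realloc() that exits on failure.
 * Hypothetical extra check: refuse a pointer that was already freed. */
static void *checked_erealloc(void *p, size_t size)
{
    if (p != NULL && !is_live(p)) { uaf_detected = 1; return NULL; }
    void *np = realloc(p, size);
    if (np == NULL) { perror("realloc"); exit(1); }
    untrack(p);
    track(np);
    return np;
}

/* Stand-in for sudo's efree(): free() that tolerates NULL and, here,
 * reports a double free instead of performing it. */
static void checked_efree(void *p)
{
    if (p == NULL) return;
    if (!is_live(p)) { uaf_detected = 1; return; }
    untrack(p);
    free(p);
}

/* Constructed stand-in for the kinfo_proc query: attempt i finds a
 * controlling tty iff has_tty[i] != 0. Returns a static string so the
 * result never points into the buffer that gets freed. */
static const char *query_tty(void *buf, size_t size, int i, const int *has_tty)
{
    if (buf == NULL) return NULL;
    memset(buf, 0, size);               /* pretend sysctl() filled it */
    return has_tty[i] ? "ttyp0" : NULL;
}

/* Shape of the reported bug: efree() inside the loop leaves ki_proc
 * dangling; the second attempt (reached only when the first found no
 * tty, e.g. ssh without a pty) passes that pointer back to erealloc(). */
static const char *buggy_lookup(const int *has_tty)
{
    void *ki_proc = NULL;
    const char *tty = NULL;
    for (int i = 0; tty == NULL && i < 2; i++) {
        size_t size = 64 * (size_t)(i + 1);
        ki_proc = checked_erealloc(ki_proc, size);
        tty = query_tty(ki_proc, size, i, has_tty);
        checked_efree(ki_proc);         /* ki_proc now dangles */
    }
    return tty;
}

/* One fixed form: the buffer lives across both attempts and is freed
 * exactly once after the loop (ki_proc = NULL after efree() also works). */
static const char *fixed_lookup(const int *has_tty)
{
    void *ki_proc = NULL;
    const char *tty = NULL;
    for (int i = 0; tty == NULL && i < 2; i++) {
        size_t size = 64 * (size_t)(i + 1);
        ki_proc = checked_erealloc(ki_proc, size);
        tty = query_tty(ki_proc, size, i, has_tty);
    }
    checked_efree(ki_proc);
    return tty;
}

/* Runs one lookup from a clean shadow state; 1 if a freed pointer
 * reached erealloc()/efree(). */
static int lookup_hits_freed_ptr(const char *(*lookup)(const int *), const int *has_tty)
{
    shadow_reset();
    (void)lookup(has_tty);
    return uaf_detected;
}

/* Constructed inputs: no tty on either attempt vs. tty on the first. */
static const int no_tty[2] = { 0, 0 };
static const int tty_first[2] = { 1, 0 };

int main(void)
{
    printf("buggy/no tty: %d  buggy/tty: %d  fixed/no tty: %d  fixed/tty: %d\n",
           lookup_hits_freed_ptr(buggy_lookup, no_tty),
           lookup_hits_freed_ptr(buggy_lookup, tty_first),
           lookup_hits_freed_ptr(fixed_lookup, no_tty),
           lookup_hits_freed_ptr(fixed_lookup, tty_first));
    return 0;
}
```

Only the buggy loop on the no-tty input is flagged, which matches the report: an interactive session never reaches the second iteration, so the dangling erealloc() only shows up when sudo runs without a controlling terminal. In real code the tty name must be copied out before the buffer is freed; the stub sidesteps that by returning a string literal.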
Comment 1 Todd C. Miller 2012-03-12 10:53:48 MDT
Thanks, I've committed your fix. It will be part of sudo 1.8.4p3.
Comment 2 Todd C. Miller 2012-03-12 15:58:30 MDT
Fixed in sudo 1.8.4p3, which is out now.