Bug 609

Summary: Segfault / Undefined behaviour caused by large UID
Product: Sudo
Reporter: Pawel Wylecial <pawel.wylecial>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: normal
Priority: low
Version: 1.8.5
Hardware: PC
OS: Linux

Description Pawel Wylecial 2013-08-06 12:31:09 MDT
Hello,

it seems that sudo has problems with large integers in UID - it wraps it to 2147483647 (0x7fffffff). I could not figure out how to turn this into a security bug, it's probably just unexpected behaviour.

adduser -u 2147483648 test1
add test1 to /etc/sudoers
test1@hive:/root$ id
uid=2147483648(test1) gid=2147483648 groups=2147483648
test1@hive:/root$ sudo
sudo: perm stack underflow: Invalid argument
sudo: unknown uid: 2147483647
Segmentation fault
test1@hive:/root$ 

when we add a user with uid 2147483647 and then go 
root@hive:~# su test1

this is what happens:
test1@hive:/root$ id
uid=2147483648(test1) gid=2147483648 groups=2147483648
test1@hive:/root$ sudo #---- NO SEG FAULT NOW
usage: sudo [-D level] -h | -K | -k | -V
usage: sudo -v [-AknS] [-D level] [-g groupname|#gid] [-p prompt] [-u user name|#uid]
usage: sudo -l[l] [-AknS] [-D level] [-g groupname|#gid] [-p prompt] [-U user name] [-u user
            name|#uid] [-g groupname|#gid] [command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C fd] [-D level] [-g groupname|#gid] [-p prompt] [-u
            user name|#uid] [-g groupname|#gid] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C fd] [-D level] [-g groupname|#gid] [-p prompt] [-u
            user name|#uid] file ...

test1@hive:/root$ sudo ls
[sudo] password for test1:  #password for test1 does not work
Sorry, try again.
[sudo] password for test1: 
test1@hive:/root$ sudo ls
[sudo] password for test1:  # now we give password for user with the uid 2147483647, it works but he is not in the sudoers file
test1 is not in the sudoers file.  This incident will be reported.

Currently I only tested this on the 1.8.5p2 version @ Linux kali 3.7-trunk-686-pae #1 SMP Debian 3.7.2-0+kali6 i686 GNU/Linux.
Comment 1 Todd C. Miller 2013-08-06 16:57:43 MDT
I was able to reproduce the problem on a 32-bit Debian 6 VM.
Comment 2 Todd C. Miller 2013-08-06 17:07:08 MDT
I'm unable to reproduce the problem using sudo 1.8.7. Can you give that a try?
Comment 3 Pawel Wylecial 2013-08-07 01:22:43 MDT
Just checked, and I was also unable to reproduce it on 1.8.7.
Comment 4 Todd C. Miller 2013-08-07 13:09:48 MDT
The problem has to do with the way the sudo front end passes the uid to the sudoers module.  On 32-bit systems the atoi() function will truncate large values to 0x7fffffff if it is implemented in terms of strtol().  

In sudo 1.8.7 the password database lookup is done by name instead of by uid so you don't see the problem.  Sudo 1.8.8 will include more robust uid/gid parsing that works properly for large uids/gids on 32-bit systems.
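An added illustration of the mechanism described in Comment 4 (constructed example, not sudo's own code): `atoi32_model` models a 32-bit atoi() built on strtol(), which saturates at 0x7fffffff and turns the reporter's uid 2147483648 into 2147483647, while `parse_id32` is a bounds-checked parser of the kind a robust uid/gid path needs. Both function names are assumptions for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Largest value a 32-bit unsigned uid_t can hold. */
#define UID32_MAX 0xffffffffULL

/* Model of atoi() on a 32-bit platform where atoi() is (int)strtol(s, NULL, 10)
 * and long is 32 bits: strtol() saturates at LONG_MAX = 0x7fffffff on overflow,
 * which is the truncation seen in this bug. Constructed model, not sudo's code. */
int32_t atoi32_model(const char *s)
{
    errno = 0;
    long long v = strtoll(s, NULL, 10);   /* LLONG_MIN/LLONG_MAX on ERANGE */
    if (v > INT32_MAX)
        return INT32_MAX;
    if (v < INT32_MIN)
        return INT32_MIN;
    return (int32_t)v;
}

/* Bounds-checked id parser: accepts only an unsigned decimal string, rejects
 * signs, whitespace, trailing garbage and values wider than 32 bits. */
bool parse_id32(const char *s, uint32_t *out)
{
    char *end;
    unsigned long long v;

    if (s == NULL || !isdigit((unsigned char)*s))
        return false;                  /* rejects "", "-1", "+5", " 7" */
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > UID32_MAX)
        return false;                  /* overflow, trailing junk or too wide */
    *out = (uint32_t)v;
    return true;
}

int main(void)
{
    uint32_t id;
    const char *uid = "2147483648";    /* the uid from the report */
    printf("atoi32 model: %d\n", atoi32_model(uid));       /* 2147483647 */
    if (parse_id32(uid, &id))
        printf("parse_id32:   %u\n", id);                  /* 2147483648 */
    return 0;
}
```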
Comment 5 Todd C. Miller 2013-08-17 05:43:46 MDT
The fix is present in sudo 1.8.8b1, which is available now.
Comment 6 Todd C. Miller 2013-09-30 09:32:29 MDT
Fixed in sudo 1.8.8