Bug 756

Summary: Sudo crash when bsm auditing fails
Product: Sudo
Reporter: vladimir.marek
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: normal
Priority: low
Version: 1.8.15
Hardware: PC
OS: Solaris 2.x
Attachments: Proposed fix

Description vladimir.marek 2016-09-05 15:06:16 MDT
Created attachment 484
Proposed fix

$ sudo id  
sudo: au_preselect: Bad file number
Segmentation Fault (core dumped)


The problem is that in sudoers_policy_main the function audit_success fails and
skips the call to sudoers_policy_exec_setup. Because of that, command_info is unset
in main and the app crashes in iolog_deserialize_info.


(dbx) next
t@1 (l@1) signal SEGV (no mapping at the fault address) in iolog_deserialize_info at line 410 in file "iolog.c"
  410       for (cur = command_info; *cur != NULL; cur++) {
(dbx) where
current thread: t@1
=>[1] iolog_deserialize_info(details = 0x80477a0, user_info = 0x80843b8, command_info = (nil)) (optimized), at 0xfe9633f3 (line ~410) in "iolog.c"
  [2] sudoers_io_open(version = 65544U, conversation = 0x8055874 = &sudo_conversation(), plugin_printf = 0x8055a58 = &sudo_conversation_printf(), settings = 0x808cba8, user_info = 0x80843b8, command_info = (nil), argc = 1, argv = 0x8047cec, user_env = 0x8047cf4, args = (nil)) (optimized), at 0xfe963cd6 (line ~608) in "iolog.c"
  [3] iolog_open(plugin = 0x8086ee8, settings = 0x807eea8, user_info = 0x80843b8, command_info = (nil), argc = 1, argv = 0x8047cec, user_env = 0x8047cf4) (optimized), at 0x80630a2 (line ~1375) in "sudo.c"
  [4] main(argc = 2, argv = 0x8047ce8, envp = 0x8047cf4) (optimized), at 0x805fed1 (line ~255) in "sudo.c"


(dbx) list
  410       for (cur = command_info; *cur != NULL; cur++) {
  411           switch (**cur) {
  412           case 'c':
  413               if (strncmp(*cur, "command=", sizeof("command=") - 1) == 0) {
  414                   details->command = *cur + sizeof("command=") - 1;
  415                   continue;
  416               }
  417               break;
  418           case 'i':
  419               if (strncmp(*cur, "iolog_path=", sizeof("iolog_path=") - 1) == 0) {


Without deeper knowledge it seems to be an easy fix: 'goto bad' instead of 'goto
done' when audit_success fails.


Thank you
__ 
  Vlad
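The crash in this report is a plain NULL dereference: the I/O plugin walks command_info without checking that the policy stage ever produced it. The following is an added example, not sudo's code and not the fix Todd committed; it is modelled on the loop shown in the dbx listing above and adds the guard that loop lacks. The names cmd_details, deserialize_info, io_open and sample_info are hypothetical stand-ins for the real plugin interface, and the sample command_info array is constructed for the demonstration. The reporter's proposed fix (and the committed one) address the policy side so that the exec setup is not skipped; a guard at the consumer like this one is a second, independent layer, so a future policy-side regression degrades to a declined I/O plugin rather than a segfault in the sudo front end.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the details struct sudo's I/O plugin fills in;
 * not sudo's own definition. */
struct cmd_details {
    const char *command;
    const char *iolog_path;
};

/*
 * Parse a NULL-terminated array of "key=value" strings, modelled on the
 * loop shown in the dbx listing.  Unlike that loop, it checks for a
 * missing (NULL) array before dereferencing it: that is exactly the state
 * the crash in this report reached, because the policy plugin bailed out
 * on audit failure without ever building command_info.
 * Returns 0 on success, -1 if command_info is absent.
 */
int deserialize_info(struct cmd_details *details, char * const *command_info)
{
    char * const *cur;

    memset(details, 0, sizeof(*details));
    if (command_info == NULL)
        return -1;

    for (cur = command_info; *cur != NULL; cur++) {
        switch (**cur) {
        case 'c':
            if (strncmp(*cur, "command=", sizeof("command=") - 1) == 0) {
                details->command = *cur + sizeof("command=") - 1;
                continue;
            }
            break;
        case 'i':
            if (strncmp(*cur, "iolog_path=", sizeof("iolog_path=") - 1) == 0) {
                details->iolog_path = *cur + sizeof("iolog_path=") - 1;
                continue;
            }
            break;
        default:
            break;
        }
    }
    return 0;
}

/*
 * Simulated I/O plugin "open" entry point (hypothetical).  Returns 1 when the
 * plugin may proceed and 0 when it must decline because the policy stage
 * produced no command_info.  Declining is the safe outcome: with no command
 * details there is nothing to log, and nothing worth crashing sudo over.
 */
int io_open(char * const *command_info, struct cmd_details *out)
{
    if (deserialize_info(out, command_info) != 0) {
        fprintf(stderr, "io_open: policy plugin supplied no command_info, declining\n");
        return 0;
    }
    return 1;
}

/* Constructed sample of what a policy plugin hands the I/O plugin on success. */
static char *sample_info[] = {
    "command=/usr/bin/id",
    "iolog_path=/var/log/sudo-io/00/00/01",
    NULL
};

int main(void)
{
    struct cmd_details d;

    /* Normal path: the policy plugin populated command_info. */
    if (io_open(sample_info, &d))
        printf("command=%s iolog_path=%s\n", d.command, d.iolog_path);

    /* Failure path from the report: audit_success failed, command_info is NULL.
     * The unguarded loop segfaults here; the guarded one declines cleanly. */
    if (!io_open(NULL, &d))
        printf("I/O plugin declined, no crash\n");
    return 0;
}
```

Run it as-is: the first call parses both keys, the second reproduces the report's condition (a NULL command_info) and exits the open routine with a diagnostic instead of dereferencing a null pointer.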
Comment 1 Todd C. Miller 2016-09-05 19:50:00 MDT
Fixed a bit differently:
https://www.sudo.ws/repos/sudo/rev/d17a06bce04c
Comment 2 vladimir.marek 2016-09-06 00:51:43 MDT
Yup, works fine. Thanks!
Comment 3 Todd C. Miller 2016-09-20 15:16:02 MDT
Fixed in sudo 1.8.18