Bug 893

Summary: Crash in do_syslog() while doing sudoedit
Product: Sudo
Reporter: Marek Tamaskovic <mtamasko>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED INVALID
Severity: normal
Priority: low
Version: 1.8.23
Hardware: PC
OS: Linux

Description Marek Tamaskovic 2019-08-20 02:36:06 MDT
Description of problem:
From coredump.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f5588902d6a in do_syslog (pri=1, msg=msg@entry=0x557f1dad17b0 "pam_open_session: System error ; TTY=pts/0 ; PWD=/home/appadmin ; COMMAND=sudoedit /etc/motd") at ./logging.c:109
109    maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name));
(gdb) bt
#0  0x00007f5588902d6a in do_syslog (pri=1, msg=msg@entry=0x557f1dad17b0 "pam_open_session: System error ; TTY=pts/0 ; PWD=/home/appadmin ; COMMAND=sudoedit /etc/motd") at ./logging.c:109
#1  0x00007f5588904a11 in vlog_warning (flags=flags@entry=0, fmt=fmt@entry=0x7f558893786a "%s: %s", ap=ap@entry=0x7fffc5f73a30) at ./logging.c:547
#2  0x00007f5588904c56 in log_warningx (flags=flags@entry=0, fmt=fmt@entry=0x7f558893786a "%s: %s") at ./logging.c:614
#3  0x00007f55888f8142 in sudo_pam_begin_session (pw=<optimized out>, user_envp=0x557f1c00b110 <command_details+144>, auth=<optimized out>) at auth/pam.c:349
#4  0x00007f55888f6784 in sudo_auth_begin_session (pw=pw@entry=0x557f1dac2b60, user_env=user_env@entry=0x557f1c00b110 <command_details+144>) at auth/sudo_auth.c:369
#5  0x00007f558890731c in sudoers_policy_init_session (pwd=0x557f1dac2b60, user_env=0x557f1c00b110 <command_details+144>) at ./policy.c:839
#6  0x0000557f1bdfccb6 in policy_init_session (details=details@entry=0x557f1c00b080 <command_details>) at ./sudo.c:1262
#7  0x0000557f1bdf1c6f in exec_nopty (details=details@entry=0x557f1c00b080 <command_details>, cstat=cstat@entry=0x7fffc5f73dc0) at ./exec_nopty.c:352
#8  0x0000557f1bdeefda in sudo_execute (details=details@entry=0x557f1c00b080 <command_details>, cstat=cstat@entry=0x7fffc5f73dc0) at ./exec.c:410
#9  0x0000557f1bdfca12 in run_command (details=details@entry=0x557f1c00b080 <command_details>) at ./sudo.c:998
#10 0x0000557f1bdff479 in selinux_edit_copy_tfiles (times=0x7fffc5f73e40, nfiles=<optimized out>, tf=0x557f1dabf3c0, command_details=0x557f1c00b080 <command_details>) at ./sudo_edit.c:907
#11 sudo_edit (command_details=command_details@entry=0x557f1c00b080 <command_details>) at ./sudo_edit.c:1049
#12 0x0000557f1bded581 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at ./sudo.c:290
(gdb) frame 0
#0  0x00007f5588902d6a in do_syslog (pri=1, msg=msg@entry=0x557f1dad17b0 "pam_open_session: System error ; TTY=pts/0 ; PWD=/home/appadmin ; COMMAND=sudoedit /etc/motd") at ./logging.c:109
109    maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name));
(gdb) list +
104
105    /*
106     * Log the full line, breaking into multiple syslog(3) calls if necessary
107     */
108    fmt = _("%8s : %s");
109    maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name));
110    for (p = msg; *p != '\0'; ) {
111        len = strlen(p);
112        if (len > maxlen) {
113            /*
(gdb) p msg
$2 = 0x557f1dad17b0 "pam_open_session: System error ; TTY=pts/0 ; PWD=/home/appadmin ; COMMAND=sudoedit /etc/motd"
(gdb) p pri
$3 = 1
(gdb) p maxlen
$1 = <optimized out>
(gdb) p fmt
$2 = 0x7f5588937dad "%8s : %s"
(gdb) p sudo_user_name
No symbol "sudo_user_name" in current context.
(gdb) p def_syslog_maxlen
No symbol "def_syslog_maxlen" in current context.
(gdb)


And this is the crashing source code:
static void
do_syslog(int pri, char *msg)
{
....
    fmt = _("%8s : %s");
    maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(user_name)); /* <-- crashes here */


So sudoedit crashed while trying to print this syslog message:
 pam_open_session: System error ; TTY=pts/0 ; PWD=/home/appadmin ; COMMAND=sudoedit /etc/motd

strlen will dump core when passed an unallocated string; that looks to be the case here with user_name.

We provided a test package with this fix to the customer and it worked, so it means user_name is NULL and do_syslog() crashed.

static void
do_syslog(int pri, char *msg)
{
....
    fmt = _("%8s : %s");
    /* Return before strlen() is called on a NULL user_name. */
    if (user_name == NULL)
        return;
    maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(user_name));
....


Version-Release number of selected component (if applicable):
sudo-1.8.23-3.el7.x86_64

How reproducible:
Always in customer's env

Steps to Reproduce:
1.
2.
3.

Actual results:
sudoedit crash

Expected results:


Additional info:

Comment 1 Todd C. Miller 2019-08-20 06:42:21 MDT
This looks like a bug introduced by the redhat-specific patch sudo-1.8.6p7-logsudouser.patch

Comment 2 Todd C. Miller 2019-08-20 08:09:42 MDT
For the record, I think you should just drop sudo-1.8.6p7-logsudouser.patch.  There should be no need for it and sudo compiled from source logs the correct user in /var/log/secure for me on RHEL 7.

Another useless patch that can be dropped is sudo-1.7.2p1-envdebug.patch

Comment 3 Marek Tamaskovic 2019-08-22 01:11:43 MDT
Thank you, I will try and let you know.

Comment 4 Marek Tamaskovic 2019-08-26 01:47:45 MDT
Solved. Thank you.
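
The failure mode from the description (strlen() on a NULL user name in the chunk-length calculation), as an added example that is not sudo's or Red Hat's code. It substitutes a placeholder name instead of returning early, so the log record is still written, and it guards the unsigned subtraction. The helper names, the "unknown" placeholder, the 980-byte limit and stdout standing in for syslog(3) are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same format string as the listing in the report. */
static const char *const LOG_FMT = "%8s : %s";

/* Hypothetical helper: never hand strlen() or printf() a NULL name. */
static const char *name_or_placeholder(const char *user)
{
    return user != NULL ? user : "unknown";
}

/*
 * Bytes of message that fit in one record, following the listing's
 *   maxlen = limit - (strlen(fmt) - 5 + strlen(user))
 * Returns 0 when the prefix alone fills the limit, because the
 * unsigned subtraction would otherwise wrap around.
 */
size_t chunk_maxlen(const char *user, size_t limit)
{
    size_t overhead = strlen(LOG_FMT) - 5 + strlen(name_or_placeholder(user));
    return overhead >= limit ? 0 : limit - overhead;
}

/* Write msg in pieces of at most chunk_maxlen() bytes (stdout stands in
 * for syslog(3)); returns the number of pieces, or -1 if nothing fits. */
int log_in_chunks(const char *user, const char *msg, size_t limit)
{
    size_t maxlen = chunk_maxlen(user, limit);
    int pieces = 0;
    if (msg == NULL || maxlen == 0)
        return -1;
    for (const char *p = msg; *p != '\0'; pieces++) {
        size_t len = strlen(p);
        if (len > maxlen)
            len = maxlen;   /* plain byte split; simplified for the example */
        printf("%8s : %.*s\n", name_or_placeholder(user), (int)len, p);
        p += len;
    }
    return pieces;
}

int main(void)
{
    /* Message from the backtrace; NULL user is the crash case; 980 is a sample limit. */
    const char *msg = "pam_open_session: System error ; TTY=pts/0 ; "
                      "PWD=/home/appadmin ; COMMAND=sudoedit /etc/motd";
    return log_in_chunks(NULL, msg, 980) == 1 ? 0 : 1;
}
```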