Bug 967

Summary: use after free in converse (plugins/sudoers/auth/pam.c)
Product: Sudo
Reporter: Pavel Heimlich <tropikhajma>
Component: Sudoers
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: normal
Priority: low
Version: 1.8.32
Hardware: Sun
OS: Solaris 2.x
Attachments: patch

Description Pavel Heimlich 2021-03-03 07:41:20 MST
Created attachment 553
patch

sudo can crash when using pam and running on a machine with adiheap (https://docs.oracle.com/cd/E37838_01/html/E61021/sysauth-adiheap.html) enabled.

$  ssh hajma@machine
Password:
Session Annotation: le
Last login: Tue Mar  2 04:53:39 2021 from 10.<redacted>
-bash-5.0$ sudo ls
Password:
Segmentation Fault
-bash-5.0$# pstack /var/cores/1521
core '/var/cores/1521' of 1521: sudo ls
 001ffe12fe125a84 converse (1, fffffdc0927045e8, 200000bc34b6af70, 1ffe12fe10e778, 0, 1ffe12fdf03828) + 2a4
 001ffe12fdf08684 pam_annotation (b00000bc34b6a310, 0, 1800, fffffdc0927045d0, 1ffe12fe00a000, fffffdc0927045e8) + 12c
 001ffe12fd704230 pam_sm_setcred (b00000bc34b6a310, 4, 0, fffffdc092704784, fffffdc0927060f0, 24) + db0
 001ffe12fdf05148 run_stack (b00000bc34b6a310, c00000bc34b790a0, 4, 1, 0, 2) + 368
 001ffe12fdf05ee4 pam_eval (b00000bc34b6a310, 500000bc34b71420, 1ffe12fdd011b8, 5f73657463726564, 1ffe12fe00a000, 1ffe12fdf02d3b) + 114
 001ffe12fdd015f4 pam_user_policy_common (b00000bc34b6a310, 19, 72, 300000bc34b6adf0, 1ffe12fdd0133a, 1ffe12fdd010d0) + 294
 001ffe12fdf05148 run_stack (b00000bc34b6a310, 200000bc34bcfe90, 4, 1, 0, 2) + 368
 001ffe12fdf056a8 pam_setcred (b00000bc34b6a310, ffffffffffef8c64, 107000, 200000bc34b5f290, 1ffe12fe00a000, 1ffe12fe00a000) + 38
 001ffe12fe124dd0 sudo_pam_begin_session (200000bc34b5f250, 100200620, 1340, 1ffe12fe1198a8, 1ffe12fe10e748, 85000) + 1a0
 001ffe12fe123c0c sudo_auth_begin_session (200000bc34b5f250, 100200620, 1ffe12fe27dfa8, 0, 850b8, 1ffe12fe27c000) + 8c
 001ffe12fe142a64 sudoers_policy_init_session (200000bc34b5f250, 100200620, 0, 1000, 850b8, 1ffe12fe27c000) + 74
 0000000100024ba0 policy_init_session (100200588, 100007038, 100009fa0, 100009, 100000, 1ffe12fe1429f0) + 2b0
 0000000100011de0 exec_nopty (100200588, fffffdc09270afc0, 62085, 1ffe12fe142880, 100007ac8, 100006a38) + 50
 000000010000d3f8 sudo_execute (100200588, fffffdc09270afc0, 3b8, 1000067c8, 1000072b8, 10f400) + 288
 0000000100020718 main (62085, 100000, 100200588, 100200000, 100201, 100006f70) + fd8
 000000010000b3f0 _start (0, 0, 0, 0, 0, 10012c000) + 110

sudo calls expand_prompt and uses that in pam_authenticate; but before
calling it, it saves the current prompt in def_prompt.

But prompt is allocated and freed; now the Session prompt would
be used, but because we are referring to def_prompt we die there.

A simple fix is to set def_prompt back to PASSPROMPT after
pam_authenticate.

This is on Solaris 11.4. This is specific to sparc due to the adiheap feature that exposes the issue.
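The dangling-pointer sequence the report describes, as an added C model that is not sudo's code: def_prompt, expand_prompt, converse, pam_verify and PASSPROMPT are stand-ins with assumed shapes, and the freed-address check in converse stands in for adiheap trapping a read of freed memory instead of leaving it undefined.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PASSPROMPT "Password: "   /* assumed default prompt */

/* Stand-in for sudoers' def_prompt: the prompt converse() hands to PAM. */
static const char *def_prompt = PASSPROMPT;
/* Address of the most recently freed prompt; models adiheap catching a
 * read of freed memory so the dangling read is reported, not undefined. */
static uintptr_t freed_prompt;

/* Model of expand_prompt(): allocates a copy of tmpl with "%u" expanded. */
static char *expand_prompt(const char *tmpl, const char *user) {
    const char *u = strstr(tmpl, "%u");
    size_t n = strlen(tmpl) + strlen(user) + 1;
    char *out = malloc(n);
    if (out == NULL) return NULL;
    if (u == NULL) { strcpy(out, tmpl); return out; }
    snprintf(out, n, "%.*s%s%s", (int)(u - tmpl), tmpl, user, u + 2);
    return out;
}

/* Model of converse(): PAM asks for input and we copy def_prompt out.
 * Returns -1 where the real system segfaulted on the dangling pointer. */
static int converse(char *buf, size_t len) {
    if ((uintptr_t)def_prompt == freed_prompt) return -1;
    snprintf(buf, len, "%s", def_prompt);
    return 0;
}

/* Authentication step. restore == 0 is the bug: def_prompt is left
 * pointing at the freed expansion. restore != 0 is the fix from the
 * report: def_prompt goes back to PASSPROMPT after pam_authenticate. */
static int pam_verify(const char *tmpl, const char *user, int restore,
                      char *authprompt, size_t len) {
    char *prompt = expand_prompt(tmpl, user);
    if (prompt == NULL) return -1;
    freed_prompt = 0;                   /* new allocation, nothing dangling */
    def_prompt = prompt;                /* prompt PAM sees during pam_authenticate() */
    if (converse(authprompt, len) != 0) { free(prompt); return -1; }
    if (restore) def_prompt = PASSPROMPT;
    freed_prompt = (uintptr_t)prompt;
    free(prompt);
    return 0;
}

/* Session step: pam_setcred() may run a module that converses again. */
static int session_prompt(char *buf, size_t len) { return converse(buf, len); }
```

With restore set, the later session conversation reads PASSPROMPT; without it, converse sees the freed address, which is the crash in the pstack above.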
Comment 1 Todd C. Miller 2021-03-03 08:22:26 MST
Thanks for the fix, it has been committed as https://www.sudo.ws/repos/sudo/rev/86bc6ee3c493
Comment 2 Todd C. Miller 2021-03-14 08:39:29 MDT
Fixed in sudo 1.9.6