Bug 544 - an attempt to erealloc efreed pointer when running without tty, results in a crash
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.8.4
Hardware: PC FreeBSD
Importance: low security
Assigned To: Todd C. Miller
Reported: 2012-03-11 20:58 MDT by mjguzik
Modified: 2012-03-12 15:58 MDT (History)

Attachments
patch (292 bytes, application/octet-stream)
2012-03-11 20:58 MDT, mjguzik

Description mjguzik 2012-03-11 20:58:58 MDT
Created attachment 333
patch

I'm running:
FreeBSD lap 9.0-BETA1 FreeBSD 9.0-BETA1 #0: Thu Jul 28 17:15:31 UTC 2011     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64

sudo crashes when running without a controlling terminal.

Issue is already known - reported here:
http://lists.freebsd.org/pipermail/freebsd-current/2012-March/032420.html

How to reproduce:
$ ssh f@localhost "sudo"
sudo: (malloc) /usr/src/lib/libc/stdlib/malloc.c:2636: Failed assertion: "(run->regs_mask[elm] & (1U << bit)) == 0"

It fails because get_process_ttyname() erealloc()s an already efree()d buffer:

struct kinfo_proc *ki_proc = NULL;
for (i = 0; tty == NULL && i < 2; i++) {
... 
  ki_proc = erealloc(ki_proc, ....);
...

  efree(ki_proc);
}

I have no idea if this can be used to escalate privileges (probably not, but...), so to be safe I checked "security" severity to increase chances that you will look into this sooner. Sorry if this was wrong.
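
The loop pattern from the description, as an added example that is not part of the original report and not the attached patch (which is not shown on this page). The tracking wrappers `t_realloc`/`t_free`, the buffer size, the tty string and the `null_after_free` remedy are assumptions made for illustration; the wrappers quarantine the freed block so the stale pointer is counted rather than actually handed to `realloc()`.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for erealloc()/efree(). A "freed" block is parked in
 * a one-slot quarantine and only released later, so a stale pointer can be
 * detected and counted without the demo itself invoking undefined behaviour. */
static void *quarantined;
static int stale_reallocs;

static void *t_realloc(void *p, size_t n) {
    if (p != NULL && p == quarantined) {  /* caller passed a freed pointer */
        stale_reallocs++;
        p = NULL;                         /* fall back to a fresh allocation */
    }
    free(quarantined);
    quarantined = NULL;
    return realloc(p, n);
}

static void t_free(void *p) {
    if (p != quarantined)
        free(quarantined);
    quarantined = p;
}

/* Shape of the loop quoted in the report: retried while no tty name is found.
 * Returns how many times a freed pointer reached the reallocation call. */
static int lookup_loop(int has_tty, int null_after_free) {
    char *buf = NULL;
    const char *tty = NULL;
    stale_reallocs = 0;
    for (int i = 0; tty == NULL && i < 2; i++) {
        buf = t_realloc(buf, 64);
        if (buf == NULL) break;
        if (has_tty) tty = "/dev/pts/0";  /* constructed value */
        t_free(buf);
        if (null_after_free)
            buf = NULL;                   /* hardened: forget the freed pointer */
    }
    t_free(NULL);                         /* flush the quarantine */
    return stale_reallocs;
}

int main(void) {
    printf("tty, as reported:     %d\n", lookup_loop(1, 0));
    printf("no tty, as reported:  %d\n", lookup_loop(0, 0));
    printf("no tty, NULL on free: %d\n", lookup_loop(0, 1));
    return 0;
}
```

With a tty the loop exits after one pass, so the stale pointer is never reused; only the no-tty path reaches the second iteration.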
Comment 1 Todd C. Miller 2012-03-12 10:53:48 MDT
Thanks, I've committed your fix. It will be part of sudo 1.8.4p3.
Comment 2 Todd C. Miller 2012-03-12 15:58:30 MDT
Fixed in sudo 1.8.4p3, which is out now.