Bugzilla – Bug 766
"visudo -c" may crash in addr_matches_if()
Last modified: 2017-01-14 06:24:17 MST
The following statements in a sudoers file make visudo checker crash: Host_Alias LOCAL = 127.0.0.1 Defaults@LOCAL insults Here is a gdb session which highlights where the problem might come from: $ gdb -q -ex r --args ./plugins/sudoers/.libs/lt-visudo -cf <(printf 'Host_Alias LOCAL = 127.0.0.1\nDefaults@LOCAL insults\n') Reading symbols from ./plugins/sudoers/.libs/lt-visudo...done. Starting program: /home/nicolas/temporary_projects/src/sudo/plugins/sudoers/.libs/lt-visudo -cf /proc/self/fd/11 Program received signal SIGSEGV, Segmentation fault. 0x000002aaaaafc62d in addr_matches_if (n=0x2aaaad3b100 "127.0.0.1") at ./match_addr.c:69 69 SLIST_FOREACH(ifp, get_interfaces(), entries) { 0x000002aaaaafc5f0 <addr_matches+4912>: 48 8d a4 24 68 ff ff ff lea -0x98(%rsp),%rsp 0x000002aaaaafc5f8 <addr_matches+4920>: 48 89 14 24 mov %rdx,(%rsp) 0x000002aaaaafc5fc <addr_matches+4924>: 48 89 4c 24 08 mov %rcx,0x8(%rsp) 0x000002aaaaafc601 <addr_matches+4929>: 48 89 44 24 10 mov %rax,0x10(%rsp) 0x000002aaaaafc606 <addr_matches+4934>: 48 c7 c1 a2 70 00 00 mov $0x70a2,%rcx 0x000002aaaaafc60d <addr_matches+4941>: e8 e6 1d 00 00 callq 0x2aaaaafe3f8 <__afl_maybe_log> 0x000002aaaaafc612 <addr_matches+4946>: 48 8b 44 24 10 mov 0x10(%rsp),%rax 0x000002aaaaafc617 <addr_matches+4951>: 48 8b 4c 24 08 mov 0x8(%rsp),%rcx 0x000002aaaaafc61c <addr_matches+4956>: 48 8b 14 24 mov (%rsp),%rdx 0x000002aaaaafc620 <addr_matches+4960>: 48 8d a4 24 98 00 00 00 lea 0x98(%rsp),%rsp 0x000002aaaaafc628 <addr_matches+4968>: e8 33 f0 fc ff callq 0x2aaaaacb660 <get_interfaces> => 0x000002aaaaafc62d <addr_matches+4973>: 48 8b 10 mov (%rax),%rdx 0x000002aaaaafc630 <addr_matches+4976>: 48 85 d2 test %rdx,%rdx 0x000002aaaaafc633 <addr_matches+4979>: 0f 84 55 0a 00 00 je 0x2aaaaafd08e <addr_matches+7630> 0x000002aaaaafc639 <addr_matches+4985>: 0f 1f 00 nopl (%rax) 0x000002aaaaafc63c <addr_matches+4988>: 48 8d a4 24 68 ff ff ff lea -0x98(%rsp),%rsp 0x000002aaaaafc644 <addr_matches+4996>: 48 89 14 24 mov %rdx,(%rsp) 0x000002aaaaafc648 <addr_matches+5000>: 48 89 4c 24 08 mov %rcx,0x8(%rsp) 0x000002aaaaafc64d <addr_matches+5005>: 48 89 44 24 10 mov %rax,0x10(%rsp) 0x000002aaaaafc652 <addr_matches+5010>: 48 c7 c1 f1 76 00 00 mov $0x76f1,%rcx 0x000002aaaaafc659 <addr_matches+5017>: e8 9a 1d 00 00 callq 0x2aaaaafe3f8 <__afl_maybe_log> 0x000002aaaaafc65e <addr_matches+5022>: 48 8b 44 24 10 mov 0x10(%rsp),%rax 0x000002aaaaafc663 <addr_matches+5027>: 48 8b 4c 24 08 mov 0x8(%rsp),%rcx 0x000002aaaaafc668 <addr_matches+5032>: 48 8b 14 24 mov (%rsp),%rdx 0x000002aaaaafc66c <addr_matches+5036>: 48 8d a4 24 98 00 00 00 lea 0x98(%rsp),%rsp (gdb) bt #0 0x000002aaaaafc62d in addr_matches_if (n=0x2aaaad3b100 "127.0.0.1") at ./match_addr.c:69 #1 addr_matches (n=0x2aaaad3b100 "127.0.0.1") at ./match_addr.c:203 #2 0x000002aaaaafad59 in hostlist_matches (pw=pw@entry=0x2aaaad3d888, list=list@entry=0x2aaaad3b138) at ./match.c:281 #3 0x000002aaaaafae08 in hostlist_matches (pw=0x2aaaad3d888, list=<optimized out>) at ./match.c:286 #4 0x000002aaaaae4583 in default_binding_matches (what=<optimized out>, d=<optimized out>, d=<optimized out>) at ./defaults.c:678 #5 0x000002aaaaaeab6c in update_defaults (what=7, quiet=<optimized out>) at ./defaults.c:735 #6 0x000002aaaaab09eb in check_syntax (oldperms=true, strict=<optimized out>, quiet=<optimized out>, sudoers_file=0x3ffffffdde8 "/proc/self/fd/11") at ./visudo.c:967 #7 main (argc=<optimized out>, argv=<optimized out>) at ./visudo.c:235 (gdb) list 64 family = AF_INET; 65 } else { 66 debug_return_bool(false); 67 } 68 69 SLIST_FOREACH(ifp, get_interfaces(), entries) { 70 if (ifp->family != family) 71 continue; 72 switch (family) { 73 case AF_INET: (gdb) p get_interfaces() $1 = (struct interface *) 0x0 Function get_interfaces() always returns NULL in plugins/sudoers/visudo.c but its result is used without any check in addr_matches_if().
Fixed by https://www.sudo.ws/repos/sudo/rev/ff9001f126b5
Fixed in sudo 1.8.19p2, available now.