From nobody@FreeBSD.org  Sun Oct  1 17:18:02 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 616B416A70D
	for <freebsd-gnats-submit@FreeBSD.org>; Sun,  1 Oct 2006 17:18:02 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1342D43D46
	for <freebsd-gnats-submit@FreeBSD.org>; Sun,  1 Oct 2006 17:18:02 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k91HI1tm070629
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 1 Oct 2006 17:18:01 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id k91HI115070628;
	Sun, 1 Oct 2006 17:18:01 GMT
	(envelope-from nobody)
Message-Id: <200610011718.k91HI115070628@www.freebsd.org>
Date: Sun, 1 Oct 2006 17:18:01 GMT
From: douglas steinwand <dzs-pr@dzs.fx.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: login(1) SEGFAULT on unsuccessful login
X-Send-Pr-Version: www-2.3

>Number:         103873
>Category:       bin
>Synopsis:       login(1) SEGFAULT on unsuccessful login
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    csjp
>State:          analyzed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 01 17:20:27 GMT 2006
>Closed-Date:    
>Last-Modified:  Fri Oct  6 15:10:24 GMT 2006
>Originator:     douglas steinwand
>Release:        6.2-PRERELEASE
>Organization:
>Environment:
FreeBSD thinkpad.fx.org 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #4: Sat Sep 30 20:42:55 PDT 2006     root@thinkpad.fx.org:/usr/obj/usr/src/sys/HAWK6  i386
>Description:
It seems that login_audit.c doesn't check that pwd is non-NULL before dereferencing it. Below is a patch with a possible solution.
>How-To-Repeat:
At the console, press Enter a few times, or run login(1) from a shell. If you do not successfully log in, the application exits and syslog notes something like:

Oct  1 10:08:51 thinkpad kernel: pid 62854 (login), uid 0: exited on signal 11

>Fix:
--- usr.bin/login/login_audit.c.orig    Tue Sep  5 16:53:21 2006
+++ usr.bin/login/login_audit.c Sun Oct  1 09:46:41 2006
@@ -51,6 +51,17 @@
  */
 static au_tid_t tid;
 
+/* returns -1 on failure, 0 on success */
+static int
+get_pwd(uid_t *uid, gid_t *gid)
+{
+       if (pwd == NULL)
+               return(-1);
+       *uid = pwd->pw_uid;
+       *gid = pwd->pw_gid;
+       return(0);
+}
+
 /*
  * The following tokens are included in the audit record for a successful
  * login: header, subject, return.
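Review bot: get_pwd() reads the file-scope global pwd instead of taking it as a parameter, and its name suggests it fetches a passwd entry when it only copies two fields out of one; passing the pointer explicitly (e.g. `get_pwd(const struct passwd *p, uid_t *uid, gid_t *gid)`) and using a name like pwd_ids() would make both the dependency and the purpose visible at the call sites. Minor style point: style(9) writes the return value as `return (-1);` and `return (0);`, with a space before the parenthesis.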
@@ -62,11 +73,14 @@
        int aufd;
        au_mask_t aumask;
        auditinfo_t auinfo;
-       uid_t uid = pwd->pw_uid;
-       gid_t gid = pwd->pw_gid;
+       uid_t uid;
+       gid_t gid;
        pid_t pid = getpid();
        long au_cond;
 
+       if (get_pwd(&uid, &gid) == -1)
+               return;
+
        /* If we are not auditing, don't cut an audit record; just return. */
        if (auditon(A_GETCOND, &au_cond, sizeof(long)) < 0) {
                if (errno == ENOSYS)
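Review bot: in this function, which the comment above describes as auditing a successful login, a NULL pwd is a logic error rather than an expected state, so the silent `return;` hides a bug instead of reporting it; an `errx(1, ...)` in the style of the other audit errors in this file would be more appropriate than dropping the record. Note also that the new check sits before the auditon() probe, so the function returns before it has even asked whether auditing is on, which makes the NULL case invisible regardless of audit state.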
@@ -140,8 +154,8 @@
                        errx(1, "login: Audit Error: au_to_subject32() failed");
        } else {
                /* We know the subject -- so use its value instead. */
-               uid = pwd->pw_uid;
-               gid = pwd->pw_gid;
+               if (get_pwd(&uid, &gid) == -1)
+                       errx(1, "login: Audit Error: au_to_subject32() failed");
                if ((tok = au_to_subject32(uid, geteuid(), getegid(), uid,
                    gid, pid, pid, &tid)) == NULL)
                        errx(1, "login: Audit Error: au_to_subject32() failed");
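Review bot: the error text on the new get_pwd() failure is misleading: it reports that au_to_subject32() failed when pwd was NULL and au_to_subject32() was never called. More importantly, errx(1) on the failed-login path terminates login(1) instead of recording the failure, which is exactly the event an auditor wants; the comment on this branch ("We know the subject") implies the other branch of this if/else already handles an unknown subject, so a NULL pwd should fall through to that non-attributable handling rather than abort, or at minimum the message should name the real cause (pwd == NULL).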
@@ -172,10 +186,13 @@
        int aufd;
        au_mask_t aumask;
        auditinfo_t auinfo;
-       uid_t uid = pwd->pw_uid;
-       gid_t gid = pwd->pw_gid;
+       uid_t uid;
+       gid_t gid;
        pid_t pid = getpid();
        long au_cond;
+
+       if (get_pwd(&uid, &gid) == -1)
+               return;
 
        /* If we are not auditing, don't cut an audit record; just return. */
        if (auditon(A_GETCOND, &au_cond, sizeof(long)) < 0) {
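Review bot: returning silently when pwd is NULL suppresses the logout record entirely, so a session that ended without a valid login leaves no audit trail; as in the earlier hunk, the check also pre-empts the auditon() probe, so the decision is taken before the code knows whether auditing is enabled. The stop-gap later committed to login.c (rev 1.101, cited in the audit trail below) leaves audit_logout() unchanged and has the caller skip it when pwd is NULL, which keeps the policy decision in one place; whichever form is kept, the comment should state that the event is being lost rather than audited as non-attributable.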

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->csjp 
Responsible-Changed-By: ru 
Responsible-Changed-When: Sun Oct 1 17:29:34 UTC 2006 
Responsible-Changed-Why:  
Christian did the MFC so he eats all the bugs now.  :-) 

The fix proposed in the PR should be replaced by simply MFCing 
rev. 1.101 to login.c: 

: date: 2006/03/28 15:30:42;  author: cognet;  state: Exp;  lines: +5 -2 
: Don't call audit_logout() if pwd is NULL, as audit_logout() attempts to 
: dereference it. 
: This will happen if we ^D at the Login: prompt without having provided a 
: valid login before. 
: Set pwd to NULL on bad login attempts to prevent audit_logout() from being 
: called for a user which didn't actually log on. 
:  
: Reported by:    Jerome Magnin jethro at docisland dot org 

http://www.freebsd.org/cgi/query-pr.cgi?pr=103873 
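The two cases cognet's log message describes (pwd never set because nobody logged in, and pwd still pointing at a user whose password was rejected) are easy to lose sight of in the diff. The following is an added example, not code from login(1), the PR or the commit: it models a login loop with one global pwd pointer and a logout auditor that reads it, and shows both why the unconditional dereference crashes and why rev 1.101 also clears pwd on a failed attempt. The user table, plaintext passwords, record format and function names are constructed stand-ins; the real login(1) uses getpwnam(3) and BSM tokens.

```c
/* Added example, not code from login(1) or the PR. Models how a stale
 * global pwd after a failed login mis-attributes (or crashes) the logout
 * audit record, and the behaviour of the login.c rev 1.101 stop-gap.
 * The user table, passwords and record format are constructed stand-ins. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

struct passwd_rec {            /* stand-in for struct passwd */
    const char *pw_name;
    const char *pw_passwd;     /* plaintext only because this is a toy */
    uid_t pw_uid;
    gid_t pw_gid;
};

/* constructed sample user table */
static struct passwd_rec users[] = {
    { "root",  "hunter2", 0,    0 },
    { "alice", "s3cret",  1001, 1001 },
};

/* As in login.c: one global set by the login loop and read by the auditor. */
static struct passwd_rec *pwd;

static struct passwd_rec *lookup(const char *name)
{
    for (size_t i = 0; i < sizeof(users) / sizeof(users[0]); i++)
        if (strcmp(users[i].pw_name, name) == 0)
            return &users[i];
    return NULL;
}

/* Returns 1 on success, 0 on failure. clear_on_fail selects the
 * rev 1.101 behaviour: pwd is reset to NULL after a bad attempt. */
static int attempt_login(const char *name, const char *password, int clear_on_fail)
{
    pwd = lookup(name);                 /* set before the password is checked */
    if (pwd != NULL && strcmp(pwd->pw_passwd, password) == 0)
        return 1;
    if (clear_on_fail)
        pwd = NULL;                     /* never leave an unauthenticated user here */
    return 0;
}

/* Mirrors the original audit_logout(), which read pwd unconditionally.
 * Writes "logout uid=N" into buf and returns 0; returns -1 where the real
 * function would have dereferenced NULL (the signal 11 in the PR). */
static int audit_logout_original(char *buf, size_t len)
{
    if (pwd == NULL)
        return -1;                      /* the real code had no such check */
    snprintf(buf, len, "logout uid=%u", (unsigned)pwd->pw_uid);
    return 0;
}

/* Caller-side guard from rev 1.101: skip the logout record when pwd is NULL.
 * Returns 1 if a record was cut, 0 if the logout was not attributable. */
static int logout_fixed(char *buf, size_t len)
{
    if (pwd == NULL) {
        buf[0] = '\0';
        return 0;
    }
    return audit_logout_original(buf, len) == 0;
}

int main(void)
{
    char rec[64];

    /* Original code, wrong password for alice, then logout: pwd still points
     * at alice, so a logout is audited for a user who never logged in. */
    attempt_login("alice", "wrong", 0);
    audit_logout_original(rec, sizeof rec);
    printf("original, failed alice login: %s\n", rec);

    /* Original code, ^D at the prompt: pwd was never set. */
    pwd = NULL;
    if (audit_logout_original(rec, sizeof rec) < 0)
        printf("original, no login at all: would dereference NULL\n");

    /* Fixed: a failed attempt clears pwd, so no logout record is cut. */
    attempt_login("alice", "wrong", 1);
    printf("fixed, failed alice login: record cut = %d\n", logout_fixed(rec, sizeof rec));

    /* Fixed: a real login still produces the record. */
    attempt_login("alice", "s3cret", 1);
    logout_fixed(rec, sizeof rec);
    printf("fixed, real alice login: %s\n", rec);
    return 0;
}
```

The first scenario is the reason the commit does more than guard the dereference: with pwd left pointing at the rejected user, a NULL check alone would stop the crash but still attribute a logout to someone who never authenticated, which is an audit-integrity failure rather than a robustness one.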
State-Changed-From-To: open->analyzed 
State-Changed-By: delphij 
State-Changed-When: Fri Oct 6 15:00:06 UTC 2006 
State-Changed-Why:  
To follow up with the current situation: a MFC is done as 
a "stop gap" in order to make sure that login(1) does not 
crash on unsuccessful logins, but proper audit mechanism 
has to be added in order to provide correct audit information. 

I think this PR can be closed as the problem described in 
the report has been "fix"ed.  However, bump the state to 
analyzed for now, so we get a reminder to really fix the 
underlying issue. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=103873 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/103873: commit references a PR
Date: Fri,  6 Oct 2006 14:58:30 +0000 (UTC)

 delphij     2006-10-06 14:58:17 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_6)
     usr.bin/login        login.c 
   Log:
   MFC revision 1.101 (cognet@):
   
   A temporary fix that, in case of pwd == NULL, does not call audit_logout(),
   which attempts to dereference it.  This is not quite correct, as we should
   audit the event even if it is not attributable to a specific user.  For now,
   just put the temporary fix in, so login(1) would not get signal 11 upon
   the case that, for instance, ^D at the Login: prompt without providing a
   valid login before.
   
   Approved by:    re (rwatson)
   PR:             bin/103873
   Discussed with: rwatson, csjp
   
   Revision  Changes    Path
   1.99.2.2  +4 -1      src/usr.bin/login/login.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
>Unformatted:
