Message-Id: <200705152258.l4FMwlvY013857@www.freebsd.org>
Date: Tue, 15 May 2007 22:58:47 GMT
From: Chris Cowart <ccowart@rescomp.berkeley.edu>
To: freebsd-gnats-submit@FreeBSD.org
Subject: segfault in pam_lastlog on sshd exit when no pty allocated
X-Send-Pr-Version: www-3.0

>Number:         112694
>Category:       bin
>Synopsis:       [patch] segfault in pam_lastlog(8) on sshd exit when no pty allocated
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    jon
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue May 15 23:10:06 GMT 2007
>Closed-Date:    Fri Mar 15 23:41:53 UTC 2013
>Last-Modified:  Fri Mar 15 23:41:53 UTC 2013
>Originator:     Chris Cowart
>Release:        6_1_RELEASE
>Organization:
RSSP-IT, UC Berkeley
>Environment:
FreeBSD mug.rescomp.berkeley.edu 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Sun May 21 23:35:28 PDT 2006     root@mug.rescomp.berkeley.edu:/usr/obj/usr/src/sys/NEWMUG0  i386
>Description:
When I ssh into FreeBSD hosts without allocating a tty, sshd segfaults
after the process terminates. This problem occurs on both 6_1_REL and
6_2_REL installations at all sorts of patch levels.

Examples:

Client: `ssh -t server ls`
Server Logs: 
| May  9 15:33:44 server sshd[1503]: Accepted publickey for ccowart from 
|     client port 43604 ssh2
| May  9 15:33:45 server sshd[1505]: pam_sm_close_session(): no utmp 
|     record for ttyp5

Client: `ssh server ls`
Server Logs:
| May  9 15:33:50 server sshd[1509]: Accepted publickey for ccowart from
|   client port 42119 ssh2
| May  9 15:33:51 server pid 1511 (sshd), uid 1225: exited on signal 11

In either example, the client thinks the command has completed
successfully, shows proper output, and propagates the return value from
the remote command. The main problem is I don't like seeing a bunch of
segfaults being logged in the daily run output.


>How-To-Repeat:
Uncommenting one rule at a time in my pam stack, I discovered the
culprit: pam_lastlog

The session section of my system pam configuration looks like this:

| # session
| session     required    pam_lastlog.so      no_fail
| session     optional    /usr/local/lib/pam_ldap.so no_warn

When I comment out the pam_lastlog, the segfaults vanish.

When I change the entire pam stack to pam_permit, with the exception of
pam_lastlog, the segfaults still occur.
>Fix:
No known solution.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-i386->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu May 24 00:42:42 UTC 2007 
Responsible-Changed-Why:  
This does not sound i386-specific. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=112694 
Responsible-Changed-From-To: freebsd-bugs->rafan 
Responsible-Changed-By: rafan 
Responsible-Changed-When: Sun Apr 13 09:22:25 UTC 2008 
Responsible-Changed-Why:  
I'll take it. 

Responsible-Changed-From-To: rafan->freebsd-bugs 
Responsible-Changed-By: rafan 
Responsible-Changed-When: Sun Apr 13 12:55:22 UTC 2008 
Responsible-Changed-Why:  
I took the wrong one. Back to pool.

From: Jaakko Heinonen <jh@saunalahti.fi>
To: ccowart@rescomp.berkeley.edu
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/112694: segfault in pam_lastlog(8) on sshd exit when no
	pty allocated
Date: Sun, 13 Apr 2008 18:19:55 +0300

 Hi,
 
 I can't reproduce this on 7.0-RELEASE. I think that this might have been
 fixed in src/lib/libpam/modules/pam_lastlog/pam_lastlog.c revision 1.23
 (MFCd to RELENG_6 also). Can you confirm?
 
 -- 
 Jaakko
State-Changed-From-To: open->feedback 
State-Changed-By: linimon 
State-Changed-When: Tue Apr 15 09:09:49 UTC 2008 
State-Changed-Why:  
Note that submitter has been asked for feedback. 

From: Christopher Cowart <ccowart@rescomp.berkeley.edu>
To: Jaakko Heinonen <jh@saunalahti.fi>
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/112694: segfault in pam_lastlog(8) on sshd exit when no
	pty allocated
Date: Tue, 15 Apr 2008 10:25:38 -0700

 --17pEHd4RhPHOinZp
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 Content-Transfer-Encoding: quoted-printable
 
 Jaakko Heinonen wrote:
 > I can't reproduce this on 7.0-RELEASE. I think that this might have been
 > fixed in src/lib/libpam/modules/pam_lastlog/pam_lastlog.c revision 1.23
 > (MFCd to RELENG_6 also). Can you confirm?
 
 We removed lastlog from sshd and added it to login. After doing so, it
 behaved as we expected. I think when we run it both via the sshd and
 login stacks, it gets executed twice for logouts. If your testing shows
 no segfaults in that situation, I'm content that the problem is solved.
 
 Thanks,
 
 -- 
 Chris Cowart
 Network Technical Lead
 Network & Infrastructure Services, RSSP-IT
 UC Berkeley
 
 --17pEHd4RhPHOinZp--

From: Jaakko Heinonen <jh@saunalahti.fi>
To: Christopher Cowart <ccowart@rescomp.berkeley.edu>,
        bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/112694: segfault in pam_lastlog(8) on sshd exit when no
	pty allocated
Date: Wed, 16 Apr 2008 13:25:48 +0300

 --qMm9M+Fa2AknHoGS
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 
 Hi,
 
 On 2008-04-15, Christopher Cowart wrote:
 > I think when we run it both via the sshd and login stacks, it gets
 > executed twice for logouts. If your testing shows no segfaults in that
 > situation, I'm content that the problem is solved.
 
 Thanks for the information. The bug is still there. I can reproduce it
 now if I configure pam this way.
 
 revision 1.23 (src/lib/libpam/modules/pam_lastlog/pam_lastlog.c)
 commit message:
 
 Apply the same error checks to PAM_TTY in pam_sm_close_session() as in
 pam_sm_open_session(), avoiding false negatives when no tty is present.
 
 
 However the commit failed to add a check for NULL tty name (the check is
 present in pam_sm_open_session()). Attached patch should fix the
 problem.
 
 -- 
 Jaakko
 
 --qMm9M+Fa2AknHoGS
 Content-Type: text/x-diff; charset=us-ascii
 Content-Disposition: attachment; filename="pam_lastlog-segfault.diff"
 
 Index: pam_lastlog.c
 ===================================================================
 RCS file: /home/ncvs/src/lib/libpam/modules/pam_lastlog/pam_lastlog.c,v
 retrieving revision 1.23
 diff -p -u -r1.23 pam_lastlog.c
 --- pam_lastlog.c	22 Jul 2007 15:17:29 -0000	1.23
 +++ pam_lastlog.c	16 Apr 2008 09:08:49 -0000
 @@ -183,6 +183,10 @@ pam_sm_close_session(pam_handle_t *pamh 
  	pam_err = pam_get_item(pamh, PAM_TTY, (const void **)&tty);
  	if (pam_err != PAM_SUCCESS)
  		goto err;
 +	if (tty == NULL) {
 +		pam_err = PAM_SERVICE_ERR;
 +		goto err;
 +	}
  	if (strncmp(tty, _PATH_DEV, strlen(_PATH_DEV)) == 0)
  		tty = (const char *)tty + strlen(_PATH_DEV);
  	if (*(const char *)tty == '\0')
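
Review bot: The added tty == NULL branch maps a missing tty to PAM_SERVICE_ERR, yet a NULL PAM_TTY is the expected state for a session with no pty (the "ssh server ls" case in this PR), so pam_sm_close_session() will now take the err path on every such logout instead of crashing. Confirm that this is the same status pam_sm_open_session() returns for a NULL tty, and that the err path is quiet enough for a routine condition. A one-line comment above the check would also help, noting that pam_get_item() can return PAM_SUCCESS and still leave tty NULL, since that is what the unguarded strncmp(tty, _PATH_DEV, ...) just below was dereferencing.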
 
 --qMm9M+Fa2AknHoGS--
State-Changed-From-To: feedback->analyzed 
State-Changed-By: linimon 
State-Changed-When: Wed Apr 16 14:36:32 UTC 2008 
State-Changed-Why:  
Jaakko Heinonen has provided a patch in a followup. 

State-Changed-From-To: analyzed->patched 
State-Changed-By: jon 
State-Changed-When: Sun Aug 30 18:36:19 UTC 2009 
State-Changed-Why:  
Patched, will MFC after 8.0. 



Responsible-Changed-From-To: freebsd-bugs->jon 
Responsible-Changed-By: jon 
Responsible-Changed-When: Sun Aug 30 18:36:19 UTC 2009 
Responsible-Changed-Why:  
Patched, will MFC after 8.0. 

State-Changed-From-To: patched->closed 
State-Changed-By: eadler 
State-Changed-When: Fri Mar 15 23:41:52 UTC 2013 
State-Changed-Why:  
MFCed/fixed by now or it will never be MFCed 

>Unformatted:
