From stolz@i2.informatik.rwth-aachen.de  Sun May  6 06:07:21 2001
Return-Path: <stolz@i2.informatik.rwth-aachen.de>
Received: from mailout00.sul.t-online.com (mailout00.sul.t-online.com [194.25.134.16])
	by hub.freebsd.org (Postfix) with ESMTP id 809D537B423
	for <FreeBSD-gnats-submit@freebsd.org>; Sun,  6 May 2001 06:07:20 -0700 (PDT)
	(envelope-from stolz@i2.informatik.rwth-aachen.de)
Received: from fwd02.sul.t-online.com 
	by mailout00.sul.t-online.com with smtp 
	id 14wOFq-00016O-09; Sun, 06 May 2001 15:07:18 +0200
Received: from theater.dyndns.org (320068889749-0001@[62.226.0.12]) by fmrl02.sul.t-online.com
	with esmtp id 14wOG4-0r1xmiC; Sun, 6 May 2001 15:07:32 +0200
Received: from monster.ikea.net (monster.ikea.net [192.168.2.3])
	by theater.dyndns.org (8.11.3/8.11.3) with ESMTP id f46D7H449192
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 6 May 2001 15:07:18 +0200 (CEST)
	(envelope-from stolz@i2.informatik.rwth-aachen.de)
Received: (from vs@localhost)
	by monster.ikea.net (8.11.3/8.11.1) id f46D8WL22692;
	Sun, 6 May 2001 15:08:32 +0200 (CEST)
	(envelope-from vs)
Message-Id: <200105061308.f46D8WL22692@monster.ikea.net>
Date: Sun, 6 May 2001 15:08:32 +0200 (CEST)
From: stolz@i2.informatik.rwth-aachen.de (Volker Stolz)
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: login(1) accesses pam_getenvlist() *after* pam_end()
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         27154
>Category:       bin
>Synopsis:       login(1) accesses pam_getenvlist() *after* pam_end()
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 06 06:10:01 PDT 2001
>Closed-Date:    Tue Aug 7 02:04:14 PDT 2001
>Last-Modified:  Tue Aug 07 02:06:01 PDT 2001
>Originator:     Volker Stolz
>Release:        FreeBSD 4.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD monster.ikea.net 4.3-STABLE FreeBSD 4.3-STABLE #0: Sun May 6 11:38:07 CEST 2001 root@monster.ikea.net:/opt/src/sys/compile/MONOMO i386


>Description:
login(1) will call pam_end() before accessing the data obtained by
pam_getenvlist(), thus accessing stale data and free() will start complaining.
Of course the area used for storing the data has been invalidated before, as
pam_close() cleans up after itself :/

However, this seems to have gone unnoted as nobody was passing on any
changes in the environment.

>How-To-Repeat:
Install /usr/ports/security/pam_ssh,
make the corresponding adjustments to /etc/pam.conf, login:
login will succeed, but you will get a warning:
login in free(): warning: junk pointer, too high to make sense.
SSH-variables will remain unset.

>Fix:
*shrug* I'm currently wibbling around in login.c, patch might follow.
Obviously you have to copy the environment before pam_end()...
pam_misc_copy_env() and pam_misc_drop_env() should help, too.
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_modules-2.html#ss2.2
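The ordering problem the PR describes, shown as an added example (not code from the PR, from login.c, or from libpam): a tiny stand-in handle whose environment list is released by the end-of-session call, as the report says happens in login(1), a deep copy taken before that call, and the copy exported afterwards. The names sim_pam_start, sim_pam_getenvlist, sim_pam_end, copy_envlist, free_envlist, export_envlist and login_export_pam_env are hypothetical, and the SSH_AUTH_SOCK/SSH_AGENT_PID values are constructed sample data.

```c
#define _POSIX_C_SOURCE 200809L   /* strdup(), setenv() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simulated PAM handle that owns its environment list.  It models the
 * behaviour described in the PR (the list's storage goes away when the
 * session is ended); it is not libpam. */
struct sim_pam_handle {
    char **env;   /* NULL-terminated "NAME=value" strings owned by the handle */
};

/* Constructed sample of what a module such as pam_ssh might export. */
static const char *const sample_env[] = {
    "SSH_AUTH_SOCK=/tmp/ssh-example/agent.sock",
    "SSH_AGENT_PID=4242",
    NULL
};

static struct sim_pam_handle *sim_pam_start(void)
{
    struct sim_pam_handle *h = malloc(sizeof *h);
    size_t n = 0;
    if (h == NULL) return NULL;
    while (sample_env[n] != NULL) n++;
    h->env = calloc(n + 1, sizeof *h->env);
    if (h->env == NULL) { free(h); return NULL; }
    for (size_t i = 0; i < n; i++)
        h->env[i] = strdup(sample_env[i]);
    return h;
}

/* Returns a pointer into the handle's own storage: valid only until sim_pam_end(). */
static char **sim_pam_getenvlist(struct sim_pam_handle *h) { return h->env; }

static void sim_pam_end(struct sim_pam_handle *h)
{
    for (size_t i = 0; h->env[i] != NULL; i++) free(h->env[i]);
    free(h->env);
    free(h);
}

void free_envlist(char **list)
{
    if (list == NULL) return;
    for (size_t i = 0; list[i] != NULL; i++) free(list[i]);
    free(list);
}

/* Deep-copy a NULL-terminated list so it outlives the handle it came from. */
char **copy_envlist(char *const *list)
{
    size_t n = 0;
    while (list[n] != NULL) n++;
    char **copy = calloc(n + 1, sizeof *copy);
    if (copy == NULL) return NULL;
    for (size_t i = 0; i < n; i++) {
        copy[i] = strdup(list[i]);
        if (copy[i] == NULL) { free_envlist(copy); return NULL; }
    }
    return copy;
}

/* Export "NAME=value" entries into the process environment.  Returns the
 * number exported; entries without a '=' (or with an empty name) are skipped. */
int export_envlist(char *const *list)
{
    int exported = 0;
    for (size_t i = 0; list[i] != NULL; i++) {
        char *entry = strdup(list[i]);
        if (entry == NULL) continue;
        char *eq = strchr(entry, '=');
        if (eq != NULL && eq != entry) {
            *eq = '\0';
            if (setenv(entry, eq + 1, 1) == 0) exported++;
        }
        free(entry);
    }
    return exported;
}

/* The order login(1) needs: copy the list, end the PAM session, then use the
 * copy.  Using the list returned by the handle after ending the session is
 * the use-after-free the PR reports.  Returns the count exported, -1 on OOM. */
int login_export_pam_env(void)
{
    struct sim_pam_handle *h = sim_pam_start();
    if (h == NULL) return -1;
    char **env = copy_envlist(sim_pam_getenvlist(h));
    sim_pam_end(h);               /* the handle's storage is gone from here on */
    if (env == NULL) return -1;
    int n = export_envlist(env);  /* safe: reads only our own copy */
    free_envlist(env);
    return n;
}

int main(void)
{
    printf("exported %d variables; SSH_AUTH_SOCK=%s\n",
           login_export_pam_env(), getenv("SSH_AUTH_SOCK"));
    return 0;
}
```

The copy is the whole point: once the session-ending call has run, nothing that came from the handle may be dereferenced, so the list is duplicated first and the duplicate is what gets exported and later freed by the caller.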

>Release-Note:
>Audit-Trail:

From: Volker Stolz <stolz@I2.Informatik.RWTH-Aachen.DE>
To: freebsd-gnats-submit@FreeBSD.org
Cc: freebsd-bugs@FreeBSD.org
Subject: Re: bin/27154: login(1) accesses pam_getenvlist() *after* pam_end()
Date: Wed, 9 May 2001 18:38:06 +0200

 This is fixed in the patch for PR bin/27153.
 -- 
 Abstract syntax dreams.
 Volker Stolz * stolz@i2.informatik.rwth-aachen.de * PGP + S/MIME

From: Volker Stolz <stolz@hyperion.informatik.rwth-aachen.de>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/27154
Date: Tue, 24 Jul 2001 10:34:08 +0200

 This PR can be closed
 
 Resolved by bin/27153.
 -- 
 Abstract syntax dreams.
 Volker Stolz * stolz@i2.informatik.rwth-aachen.de * PGP + S/MIME
 
State-Changed-From-To: open->closed 
State-Changed-By: ru 
State-Changed-When: Tue Aug 7 02:04:14 PDT 2001 
State-Changed-Why:  
Resolved by PR bin/27153. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=27154 
>Unformatted:
