Date: Tue, 17 Jan 2012 13:03:21 GMT
From: Alexander Wittig <alexander@wittig.name>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [patch] NULL pointer dereference in setusercontext (libutil)

>Number:         164238
>Category:       kern
>Synopsis:       [patch] NULL pointer dereference in setusercontext (libutil)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    eadler
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 17 13:10:08 UTC 2012
>Closed-Date:    Mon Mar 19 02:33:11 UTC 2012
>Last-Modified:  Mon Mar 19 02:33:11 UTC 2012
>Originator:     Alexander Wittig
>Release:        9.0-STABLE
>Organization:
>Environment:
FreeBSD hotzenplotz.wittig.name 9.0-STABLE FreeBSD 9.0-STABLE #5: Wed Jan 11 22:15:18 CET 2012     root@hotzenplotz.wittig.name:/usr/obj/usr/src/sys/ALEX  amd64

>Description:
With certain combinations of parameters, it's possible to cause a NULL pointer dereference in setusercontext in libutil.
It's probably not a huge problem, as the parameters have to be somewhat esoteric, but I suppose even when fed bogus parameters, library functions should not segfault. The same problem exists in HEAD.

This was found while poking around in the clang analyzer output at http://scan.freebsd.your.org/freebsd-head/lib.libutil/2012-01-12-amd64/report-NgeNvT.html#EndPath
(but is not the solution to that particular problem which is a false positive).
>How-To-Repeat:
Run this program as non-root with an entry such as
test:\
        :priority=-10:
in login.conf.
The syslog call on line 465 (and similar) of libutil/login_class.c tries to include information on the user name by accessing pwd, even if it's NULL. Since the new login class ("test") priority is less than the default priority, root privileges are required to change it and the setpriority call fails, prompting the syslog call.


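#include <stdio.h>
#include <sys/types.h>
#include <login_cap.h>
#include <pwd.h>

/* setusercontext() lives in libutil: link with -lutil. Run as non-root. */
int main(void)
{
	login_cap_t *lc;
	struct passwd *pwd;

	lc = login_getclass("test");	/* its priority is -10 */
	pwd = getpwuid(0);

	/* OK: setpriority fails, but pwd is valid for the syslog call */
	setusercontext(lc, pwd, 0, LOGIN_SETPRIORITY);
	printf("First call was OK\n");

	/* segfaults: setpriority fails and the syslog call dereferences NULL */
	setusercontext(lc, NULL, 0, LOGIN_SETPRIORITY);
	printf("Second call not so much\n");

	login_close(lc);
	return 0;
}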

>Fix:
The attached patch should fix the problem by printing "-" in the warning message if no pwd entry was passed and setting the priority fails.

Patch attached with submission follows:

--- /usr/src/lib/libutil/login_class.c  2011-09-23 02:51:37.000000000 +0200
+++ login_class.c       2012-01-17 13:50:05.000000000 +0100
@@ -452,18 +452,18 @@
            p = (rtp.prio > RTP_PRIO_MAX) ? 31 : p;
            if (rtprio(RTP_SET, 0, &rtp))
                syslog(LOG_WARNING, "rtprio '%s' (%s): %m",
-                   pwd->pw_name, lc ? lc->lc_class : LOGIN_DEFCLASS);
+                   pwd ? pwd->pw_name : "-", lc ? lc->lc_class : 
LOGIN_DEFCLASS);
        } else if (p < PRIO_MIN) {
            rtp.type = RTP_PRIO_REALTIME;
            rtp.prio = abs(p - PRIO_MIN + RTP_PRIO_MAX);
            p = (rtp.prio > RTP_PRIO_MAX) ? 1 : p;
            if (rtprio(RTP_SET, 0, &rtp))
                syslog(LOG_WARNING, "rtprio '%s' (%s): %m",
-                   pwd->pw_name, lc ? lc->lc_class : LOGIN_DEFCLASS);
+                   pwd ? pwd->pw_name : "-", lc ? lc->lc_class : 
LOGIN_DEFCLASS);
        } else {
            if (setpriority(PRIO_PROCESS, 0, (int)p) != 0)
                syslog(LOG_WARNING, "setpriority '%s' (%s): %m",
-                   pwd->pw_name, lc ? lc->lc_class : LOGIN_DEFCLASS);
+                   pwd ? pwd->pw_name : "-", lc ? lc->lc_class : 
LOGIN_DEFCLASS);
        }
     }
 
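Review bot: Each of the three added lines is wrapped after `lc ? lc->lc_class :`, leaving `LOGIN_DEFCLASS);` on a following line with no `+` prefix, so the hunk is malformed as posted and does not match the 18 lines its header announces. Put `pwd ? pwd->pw_name : "-",` on its own line and the `lc ? lc->lc_class : LOGIN_DEFCLASS);` argument on the next, which keeps the lines short enough not to be re-wrapped, and resend the patch as a file attachment.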



>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->eadler 
Responsible-Changed-By: eadler 
Responsible-Changed-When: Tue Jan 17 13:13:33 UTC 2012 
Responsible-Changed-Why:  
I'll take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=164238 
State-Changed-From-To: open->patched 
State-Changed-By: eadler 
State-Changed-When: Thu Feb 9 21:07:15 UTC 2012 
State-Changed-Why:  


http://www.freebsd.org/cgi/query-pr.cgi?pr=164238 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/164238: commit references a PR
Date: Thu,  9 Feb 2012 21:07:02 +0000 (UTC)

 Author: eadler
 Date: Thu Feb  9 21:06:47 2012
 New Revision: 231306
 URL: http://svn.freebsd.org/changeset/base/231306
 
 Log:
   Fix NULL ptr dereference in setusercontext if pwd is null,
   LOGIN_SETPRIORITY is set, and setting the priority (rtprio or
   setpriority) fails.
   
   PR:		kern/164238
   Submitted by:	Alexander Wittig <alexander@wittig.name>
   Reviewed by:	des
   Approved by:	cperciva
   MFC after:	1 month
 
 Modified:
   head/lib/libutil/login_class.c
 
 Modified: head/lib/libutil/login_class.c
 ==============================================================================
 --- head/lib/libutil/login_class.c	Thu Feb  9 20:57:36 2012	(r231305)
 +++ head/lib/libutil/login_class.c	Thu Feb  9 21:06:47 2012	(r231306)
 @@ -452,18 +452,21 @@ setusercontext(login_cap_t *lc, const st
  	    p = (rtp.prio > RTP_PRIO_MAX) ? 31 : p;
  	    if (rtprio(RTP_SET, 0, &rtp))
  		syslog(LOG_WARNING, "rtprio '%s' (%s): %m",
 -		    pwd->pw_name, lc ? lc->lc_class : LOGIN_DEFCLASS);
 +		    pwd ? pwd->pw_name : "-",
 +		    lc ? lc->lc_class : LOGIN_DEFCLASS);
  	} else if (p < PRIO_MIN) {
  	    rtp.type = RTP_PRIO_REALTIME;
  	    rtp.prio = abs(p - PRIO_MIN + RTP_PRIO_MAX);
  	    p = (rtp.prio > RTP_PRIO_MAX) ? 1 : p;
  	    if (rtprio(RTP_SET, 0, &rtp))
  		syslog(LOG_WARNING, "rtprio '%s' (%s): %m",
 -		    pwd->pw_name, lc ? lc->lc_class : LOGIN_DEFCLASS);
 +		    pwd ? pwd->pw_name : "-",
 +		    lc ? lc->lc_class : LOGIN_DEFCLASS);
  	} else {
  	    if (setpriority(PRIO_PROCESS, 0, (int)p) != 0)
  		syslog(LOG_WARNING, "setpriority '%s' (%s): %m",
 -		    pwd->pw_name, lc ? lc->lc_class : LOGIN_DEFCLASS);
 +		    pwd ? pwd->pw_name : "-",
 +		    lc ? lc->lc_class : LOGIN_DEFCLASS);
  	}
      }
  
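Review bot: The expression `pwd ? pwd->pw_name : "-"` is now repeated in all three syslog() calls of this hunk (both rtprio branches and the setpriority branch). Evaluating it once into a local `const char *` ahead of the if/else chain and passing that to each call would keep the three messages in step and leave a single place to edit if the placeholder ever changes.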
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/164238: commit references a PR
Date: Mon, 19 Mar 2012 01:51:23 +0000 (UTC)

 Author: eadler
 Date: Mon Mar 19 01:51:08 2012
 New Revision: 233152
 URL: http://svn.freebsd.org/changeset/base/233152
 
 Log:
   MFC r231306:
   	Fix NULL ptr dereference in setusercontext if pwd is null,
   	LOGIN_SETPRIORITY is set, and setting the priority (rtprio or
   	setpriority) fails.
   
   PR:		kern/164238
   Approved by:	cperciva
 
 Modified:
   stable/9/lib/libutil/login_class.c
 Directory Properties:
   stable/9/lib/libutil/   (props changed)
 
 Modified: stable/9/lib/libutil/login_class.c
 ==============================================================================
 --- stable/9/lib/libutil/login_class.c	Mon Mar 19 01:33:24 2012	(r233151)
 +++ stable/9/lib/libutil/login_class.c	Mon Mar 19 01:51:08 2012	(r233152)
 @@ -452,18 +452,21 @@ setusercontext(login_cap_t *lc, const st
  	    p = (rtp.prio > RTP_PRIO_MAX) ? 31 : p;
  	    if (rtprio(RTP_SET, 0, &rtp))
  		syslog(LOG_WARNING, "rtprio '%s' (%s): %m",
 -		    pwd->pw_name, lc ? lc->lc_class : LOGIN_DEFCLASS);
 +		    pwd ? pwd->pw_name : "-",
 +		    lc ? lc->lc_class : LOGIN_DEFCLASS);
  	} else if (p < PRIO_MIN) {
  	    rtp.type = RTP_PRIO_REALTIME;
  	    rtp.prio = abs(p - PRIO_MIN + RTP_PRIO_MAX);
  	    p = (rtp.prio > RTP_PRIO_MAX) ? 1 : p;
  	    if (rtprio(RTP_SET, 0, &rtp))
  		syslog(LOG_WARNING, "rtprio '%s' (%s): %m",
 -		    pwd->pw_name, lc ? lc->lc_class : LOGIN_DEFCLASS);
 +		    pwd ? pwd->pw_name : "-",
 +		    lc ? lc->lc_class : LOGIN_DEFCLASS);
  	} else {
  	    if (setpriority(PRIO_PROCESS, 0, (int)p) != 0)
  		syslog(LOG_WARNING, "setpriority '%s' (%s): %m",
 -		    pwd->pw_name, lc ? lc->lc_class : LOGIN_DEFCLASS);
 +		    pwd ? pwd->pw_name : "-",
 +		    lc ? lc->lc_class : LOGIN_DEFCLASS);
  	}
      }
  
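Review bot: With pwd NULL, the three warnings in this hunk log "-" in the '%s' user slot, so a failed rtprio or setpriority cannot be tied to an account from the syslog line alone. Consider extending the format strings to carry the numeric uid that was passed to setusercontext() alongside the name, so the warning stays attributable when no passwd entry is supplied.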
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/164238: commit references a PR
Date: Mon, 19 Mar 2012 01:52:02 +0000 (UTC)

 Author: eadler
 Date: Mon Mar 19 01:51:53 2012
 New Revision: 233153
 URL: http://svn.freebsd.org/changeset/base/233153
 
 Log:
   MFC r231306:
   	Fix NULL ptr dereference in setusercontext if pwd is null,
   	LOGIN_SETPRIORITY is set, and setting the priority (rtprio or
   	setpriority) fails.
   
   PR:		kern/164238
   Approved by:	cperciva
 
 Modified:
   stable/8/lib/libutil/login_class.c
 Directory Properties:
   stable/8/lib/libutil/   (props changed)
 
 Modified: stable/8/lib/libutil/login_class.c
 ==============================================================================
 --- stable/8/lib/libutil/login_class.c	Mon Mar 19 01:51:08 2012	(r233152)
 +++ stable/8/lib/libutil/login_class.c	Mon Mar 19 01:51:53 2012	(r233153)
 @@ -450,18 +450,21 @@ setusercontext(login_cap_t *lc, const st
  	    p = (rtp.prio > RTP_PRIO_MAX) ? 31 : p;
  	    if (rtprio(RTP_SET, 0, &rtp))
  		syslog(LOG_WARNING, "rtprio '%s' (%s): %m",
 -		    pwd->pw_name, lc ? lc->lc_class : LOGIN_DEFCLASS);
 +		    pwd ? pwd->pw_name : "-",
 +		    lc ? lc->lc_class : LOGIN_DEFCLASS);
  	} else if (p < PRIO_MIN) {
  	    rtp.type = RTP_PRIO_REALTIME;
  	    rtp.prio = abs(p - PRIO_MIN + RTP_PRIO_MAX);
  	    p = (rtp.prio > RTP_PRIO_MAX) ? 1 : p;
  	    if (rtprio(RTP_SET, 0, &rtp))
  		syslog(LOG_WARNING, "rtprio '%s' (%s): %m",
 -		    pwd->pw_name, lc ? lc->lc_class : LOGIN_DEFCLASS);
 +		    pwd ? pwd->pw_name : "-",
 +		    lc ? lc->lc_class : LOGIN_DEFCLASS);
  	} else {
  	    if (setpriority(PRIO_PROCESS, 0, (int)p) != 0)
  		syslog(LOG_WARNING, "setpriority '%s' (%s): %m",
 -		    pwd->pw_name, lc ? lc->lc_class : LOGIN_DEFCLASS);
 +		    pwd ? pwd->pw_name : "-",
 +		    lc ? lc->lc_class : LOGIN_DEFCLASS);
  	}
      }
  
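Review bot: The three guarded syslog() calls land without a regression test; login_class.c is the only file this commit modifies. The program in the PR's How-To-Repeat (setusercontext with a NULL pwd and LOGIN_SETPRIORITY, run unprivileged against a class with priority=-10) exercises the setpriority branch and could be kept as a test case, and the `p < PRIO_MIN` branch and the rtprio branch before it need their own out-of-range priority values to be covered.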
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/164238: commit references a PR
Date: Mon, 19 Mar 2012 01:52:33 +0000 (UTC)

 Author: eadler
 Date: Mon Mar 19 01:52:09 2012
 New Revision: 233154
 URL: http://svn.freebsd.org/changeset/base/233154
 
 Log:
   MFC r231306:
   	Fix NULL ptr dereference in setusercontext if pwd is null,
   	LOGIN_SETPRIORITY is set, and setting the priority (rtprio or
   	setpriority) fails.
   
   PR:		kern/164238
   Approved by:	cperciva
 
 Modified:
   stable/7/lib/libutil/login_class.c
 Directory Properties:
   stable/7/lib/libutil/   (props changed)
 
 Modified: stable/7/lib/libutil/login_class.c
 ==============================================================================
 --- stable/7/lib/libutil/login_class.c	Mon Mar 19 01:51:53 2012	(r233153)
 +++ stable/7/lib/libutil/login_class.c	Mon Mar 19 01:52:09 2012	(r233154)
 @@ -448,18 +448,21 @@ setusercontext(login_cap_t *lc, const st
  	    p = (rtp.prio > RTP_PRIO_MAX) ? 31 : p;
  	    if (rtprio(RTP_SET, 0, &rtp))
  		syslog(LOG_WARNING, "rtprio '%s' (%s): %m",
 -		    pwd->pw_name, lc ? lc->lc_class : LOGIN_DEFCLASS);
 +		    pwd ? pwd->pw_name : "-",
 +		    lc ? lc->lc_class : LOGIN_DEFCLASS);
  	} else if (p < PRIO_MIN) {
  	    rtp.type = RTP_PRIO_REALTIME;
  	    rtp.prio = abs(p - PRIO_MIN + RTP_PRIO_MAX);
  	    p = (rtp.prio > RTP_PRIO_MAX) ? 1 : p;
  	    if (rtprio(RTP_SET, 0, &rtp))
  		syslog(LOG_WARNING, "rtprio '%s' (%s): %m",
 -		    pwd->pw_name, lc ? lc->lc_class : LOGIN_DEFCLASS);
 +		    pwd ? pwd->pw_name : "-",
 +		    lc ? lc->lc_class : LOGIN_DEFCLASS);
  	} else {
  	    if (setpriority(PRIO_PROCESS, 0, (int)p) != 0)
  		syslog(LOG_WARNING, "setpriority '%s' (%s): %m",
 -		    pwd->pw_name, lc ? lc->lc_class : LOGIN_DEFCLASS);
 +		    pwd ? pwd->pw_name : "-",
 +		    lc ? lc->lc_class : LOGIN_DEFCLASS);
  	}
      }
  
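Review bot: In the context lines of both rtprio branches the range check assigns to `p` (`p = (rtp.prio > RTP_PRIO_MAX) ? 31 : p;` and the `? 1 : p` form below it) while rtprio() is called with `&rtp`, so an rtp.prio above RTP_PRIO_MAX is passed through unchanged. That is outside what this merge touches, but it feeds the failure path being fixed here, so it deserves a follow-up that clamps rtp.prio itself or rejects the value before the call.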
 
State-Changed-From-To: patched->closed 
State-Changed-By: eadler 
State-Changed-When: Mon Mar 19 02:33:08 UTC 2012 
State-Changed-Why:  
Committed. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=164238 
>Unformatted:
