[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#3388) Seg11 when used with pam_ldap under dtlogin



Full_Name: Joel Boutros
Version: 2.2.18
OS: Solaris8
URL: 
Submission from: (NULL) (206.54.51.125)


I have reproduced this problem with 2.2.18, 2.2.17, and 2.0.107(?).

I'm using pam_ldap 1.76, linked against the static version of OpenLDAP 2.2.18,
on Solaris8 (also happens with dynamicly linked version, but my version of gdb
can't get symbols out of liblber, so i switched to static).  I am getting
crashes under dtlogin.  The call-stack (as far as OpenLDAP sees) is as follows
(some strings have been replaced by XXX for security reasons.  the addresses
remain the same):

Program received signal SIGSEGV, Segmentation fault.
0xfeda0620 in memcpy () from /usr/platform/SUNW,Ultra-60/lib/libc_psr.so.1
(gdb) bt
#0  0xfeda0620 in memcpy () from /usr/platform/SUNW,Ultra-60/lib/libc_psr.so.1
#1  0xfdf2b4b8 in ber_write (ber=0xfe122d98, buf=0xffbee4b3 "\002", len=1, 
    nosos=0) at io.c:97
#2  0xfdf29f8c in ber_put_tag (ber=0xfe122d98, tag=0, nosos=0) at encode.c:97
#3  0xfdf2a1dc in ber_put_int_or_enum (ber=0xfe122d98, num=1, tag=2)
    at encode.c:225
#4  0xfdf2b050 in ber_printf (ber=0xfe122d98, fmt=0xfdfcbb81 "it{seeiib")
    at encode.c:723
#5  0xfdf31c98 in ldap_build_search_req (ld=0x619a8, 
    base=0x5f8c8 "CN=XXX,DC=XXX,DC=com", scope=2, 
    filter=0xffbeebb0
"(&(objectclass=User)(objectclass=User)(sAMAccountName=XXX))", attrs=0x0,
attrsonly=0, sctrls=0x0, cctrls=0x0, timelimit=-1, 
    sizelimit=-1, idp=0x2) at search.c:278
#6  0xfdf31ba8 in ldap_search (ld=0x619a8, 
    base=0x5f8c8 "CN=XXX,DC=XXX,DC=com", scope=2, 
    filter=0xffbeebb0
"(&(objectclass=User)(objectclass=User)(sAMAccountName=XXX))", attrs=0x0,
attrsonly=0) at search.c:192
#7  0xfdf31e38 in ldap_search_s (ld=0x619a8, 
    base=0x5f8c8 "CN=XXX,DC=XXX,DC=com", scope=2, 
    filter=0xffbeebb0
"(&(objectclass=User)(objectclass=User)(sAMAccountName=XXX))", attrs=0x0,
attrsonly=0, res=0xffbee798) at search.c:360
#8  0xfdf253dc in _get_user_info (session=0xfe212950, user=0xfe302ba0 "XXX")
    at pam_ldap.c:2476
#9  0xfdf25ac4 in _do_authentication (pamh=0x52a58, session=0xfe212950, 
    user=0xfe302ba0 "XXX", password=0xfe302bd8 "XXX") at pam_ldap.c:2768
#10 0xfdf26488 in pam_sm_authenticate (pamh=0x52a58, flags=0, argc=0, argv=0x0)
    at pam_ldap.c:3203
...
(gdb) fr 1
#1  0xfdf2b4b8 in ber_write (ber=0xfe122d98, buf=0xffbee4b3 "\002", len=1, 
    nosos=0) at io.c:97
97                      AC_MEMCPY( ber->ber_sos->sos_ptr, buf, (size_t)len );
(gdb) p *ber
$1 = {ber_opts = {lbo_valid = 2, lbo_options = 1, lbo_debug = 0, 
    lbo_meminuse = 0}, ber_tag = 4294967295, ber_len = 0, ber_usertag = 0, 
  ber_buf = 0xfe122d98 "", ber_ptr = 0x0, 
  ber_end = 0x30 <Address 0x30 out of bounds>, ber_sos = 0xfe122db0, 
  ber_rwptr = 0x6 <Address 0x6 out of bounds>, ber_memctx = 0x0}
(gdb) p *ber->ber_sos
$2 = {sos_ber = 0xfe122d98, sos_clen = 0, sos_tag = 48, 
  sos_first = 0xfe122db0 "?\022-\230", 
  sos_ptr = 0x6 <Address 0x6 out of bounds>, sos_next = 0x0}

>From what I can tell, it looks like when ber is allocated in
ldap_build_search_req, it is zeroed out (calloc()), but then ber->ber_ptr is
reset, and at openldap-2.2.18/libraries/liblber/encode.c:465, it uses
new->sos_first (which is derived from ber->ber_ptr) in some pointer arithmetic,
producing 0x06 as a result (new->sos_ptr = NULL + ber_calc_taglen(tag) + 5). 
Then new->sos_ptr is later used in a memcpy(), causing the crash.

Interestingly enough, I'm not seeing problems like this under other pam-enabled
applications.  But, it looks like the behavior is the same in both cases -- it
is always dereferencing this pointer.  So it seems like dtlogin's environment is
helping to expose a latent problem?

Any ideas how to fix this?  I can't figure out how ber->ber_ptr should be at
initialized.  I tried setting it to ber->ber_val, but it crashes in other ways
later, so that wasn't right...

If you need any further data, please let me know.

Thanks!

- joel