Package: xlockmore
Version: 5.13-2.1
Followup-For: Bug #318123
Tags: patch

The general design issue here is that xlock (unlike e.g. xscreensaver
which kills the X server along with) gives access to the screen when
it is killed by a signal, i.e. any way to crash it becomes an
authentication bypass right away instead of eventually just a DoS.

In this specific case, the error causing the crash (or abort, with
glibc's malloc checking in unstable) lies in freeing non-allocated
memory.
In xlock/passwd.c/PAM_conv(), reply, an array of pam_response
structures, gets malloc()'ed and is uninitialized. In the following loop,
xlock/xlock.c/PAM_putText() gets called with a pointer to each element
of reply.
In case of PAM_PROMPT_ECHO_ON and PAM_PROMPT_ECHO_OFF message styles
(as used by the "normal" user/password type pam modules),
PAM_putText() sets the resp member of the reply element to the string
the user entered.
In all other cases, like in the case of the "No smart card present"
message of pam_opensc which is of PAM_TEXT_INFO message style,
PAM_putText() does not touch resp, which thus still has its uninitialized
random value.
The reply array is returned to the pam layer by PAM_conv(), where all
non-NULL resp members of its entries get free()'d[1].

I've attached a simple patch fixing this specific issue: using
calloc(), the reply array entries are always initialized to zero, thus
all resp members are NULL unless actually set to some address later.

elmar

[1] and at least in case of pam_opensc overwritten before that.
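As an added illustration (not code from this report or from xlockmore), the conversation flow described above reduced to a self-contained C program: constructed stand-ins for the PAM types and constants, a put_text() that mimics PAM_putText()'s behaviour of filling resp only for prompt styles, the conversation function with the calloc() fix applied, and the PAM-side loop that free()s every non-NULL resp. The `answer` parameter and the function names are assumptions standing in for the interactive input and for xlock's real routines.

```c
#define _POSIX_C_SOURCE 200809L  /* for strdup() */
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the Linux-PAM types/constants (values match
 * Linux-PAM) so this compiles without <security/pam_appl.h>. */
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON  2
#define PAM_TEXT_INFO       4
#define PAM_SUCCESS         0
#define PAM_CONV_ERR        19
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Stand-in for xlock's PAM_putText(): only prompt styles get a reply; any
 * other style (e.g. PAM_TEXT_INFO) leaves resp untouched, as in the report.
 * `answer` is a constructed substitute for the interactive input. */
static void put_text(const struct pam_message *msg, struct pam_response *reply,
                     const char *answer)
{
    if (msg->msg_style == PAM_PROMPT_ECHO_ON ||
        msg->msg_style == PAM_PROMPT_ECHO_OFF)
        reply->resp = strdup(answer);
}

/* Conversation function with the fix applied: calloc() makes every resp
 * start as NULL, so entries put_text() never fills are safe to free(). */
int fixed_conv(int num_msg, const struct pam_message **msgs,
               struct pam_response **out, const char *answer)
{
    struct pam_response *reply;
    int i;
    if (num_msg <= 0)
        return PAM_CONV_ERR;
    reply = calloc((size_t)num_msg, sizeof *reply);  /* not malloc(): see above */
    if (!reply)
        return PAM_CONV_ERR;
    for (i = 0; i < num_msg; i++)
        put_text(msgs[i], &reply[i], answer);
    *out = reply;
    return PAM_SUCCESS;
}

/* What the PAM library does afterwards: free each non-NULL resp, then the
 * array. Returns the number of replies that were really allocated. */
int free_responses(struct pam_response *reply, int num_msg)
{
    int i, freed = 0;
    for (i = 0; i < num_msg; i++)
        if (reply[i].resp) { free(reply[i].resp); freed++; }
    free(reply);
    return freed;
}
```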

-- 

 .'"`.                                                            /"\
| :' :   Elmar Hoffmann <[EMAIL PROTECTED]>    ASCII Ribbon Campaign  \ /
`. `'    GPG key available via pgp.net        against HTML email   X
  `-                                                    & vCards  / \
diff -rNu xlockmore-5.13.orig/xlock/passwd.c xlockmore-5.13/xlock/passwd.c
--- xlockmore-5.13.orig/xlock/passwd.c  2004-06-02 17:34:38.000000000 +0200
+++ xlockmore-5.13/xlock/passwd.c       2005-12-22 02:21:40.000000000 +0100
@@ -296,8 +296,8 @@
 
 #define COPY_STRING(s) (s) ? strdup(s) : NULL
 
-       reply = (struct pam_response *) malloc(sizeof (struct pam_response) *
-                                              num_msg);
+       reply = (struct pam_response *) calloc(num_msg,
+                                              sizeof (struct pam_response));
 
        if (!reply)
                return PAM_CONV_ERR;
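Review bot: switching to calloc() is the right fix for the uninitialized resp pointers, and calloc(num_msg, sizeof (struct pam_response)) additionally checks the num_msg * size multiplication for overflow, which the previous malloc(sizeof (struct pam_response) * num_msg) did not. The loop that follows now silently depends on every resp starting out NULL, so a short comment above the call, e.g. `/* calloc: resp must stay NULL for non-prompt message styles, PAM free()s every non-NULL resp */`, would keep a later "optimisation" back to malloc() from reintroducing the crash.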
