Package: libpam-mount
Version: 0.44-1+lenny3
Severity: important
Tags: patch


Per cron bug 484122 some (all?) users who are mounting their encrypted home 
directory with libpam-mount have been seeing a constant stream of segfaults 
in cron. Cron has been rendered useless in this environment.

strace and ltrace did not yield any interesting results so I have used gdb 
to localize the problem and propose a solution.

This patch seems to fix the problem for me:

----------------

diff --git a/src/pam_mount.c b/src/pam_mount.c
index 211a996..b86cd05 100644
--- a/src/pam_mount.c
+++ b/src/pam_mount.c
@@ -156,7 +156,7 @@ static int converse(pam_handle_t *pamh, int nargs,
        retval = pam_get_item(pamh, PAM_CONV, static_cast(const void **,
                 static_cast(void *, &conv)));
 
-       if (retval == PAM_SUCCESS) {
+       if (retval == PAM_SUCCESS && *resp != NULL) {
                retval = conv->conv(nargs, message, resp, 
conv->appdata_ptr);
                if (retval != PAM_SUCCESS)
                        l0g("conv->conv(...): %s\n", pam_strerror(pamh, 
retval));
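
Review bot: the *resp != NULL test added to the if line cannot be the right guard. The gdb listing later in this report shows *resp = NULL; at line 155, directly above this block, so the new condition is always false and conv->conv() is never reached; the segfault goes away only because the conversation is skipped entirely. The faulting frame sits at 0x00000000 with line 160 as its caller, which points at conv->conv itself being a null function pointer. Suggest guarding the pointer that is actually called: if (retval == PAM_SUCCESS && conv != NULL && conv->conv != NULL) {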

----------------

There is another call to pam_get_item on line 270 of the same file which was 
suggestive of the necessary fix. Not understanding the software fully, I 
made the above minimal change, and it seems to be sufficient, though I 
continue to run with it and test.

This is my first patch submission to Debian, and I am treading in software 
that I do not really understand, so following is a verbose transcript of my 
gdb session:

(gdb) attach 3489
Attaching to process 3489
Reading symbols from /usr/sbin/cron...done.
Reading symbols from /lib/libpam.so.0...done.
Loaded symbols for /lib/libpam.so.0
Reading symbols from /lib/libselinux.so.1...done.
Loaded symbols for /lib/libselinux.so.1
Reading symbols from /lib/i686/cmov/libc.so.6...done.
Loaded symbols for /lib/i686/cmov/libc.so.6
Reading symbols from /lib/i686/cmov/libdl.so.2...done.
Loaded symbols for /lib/i686/cmov/libdl.so.2
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/i686/cmov/libnss_compat.so.2...done.
Loaded symbols for /lib/i686/cmov/libnss_compat.so.2
Reading symbols from /lib/i686/cmov/libnsl.so.1...done.
Loaded symbols for /lib/i686/cmov/libnsl.so.1
Reading symbols from /lib/i686/cmov/libnss_nis.so.2...done.
Loaded symbols for /lib/i686/cmov/libnss_nis.so.2
Reading symbols from /lib/i686/cmov/libnss_files.so.2...done.
Loaded symbols for /lib/i686/cmov/libnss_files.so.2
0xb7f5e424 in __kernel_vsyscall ()
(gdb) set follow-fork-mode child
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
[Switching to process 19892]
0x00000000 in ?? ()
(gdb) 

(gdb) info frame 0
Stack frame at 0xbfba1aa0:
 eip = 0x0; saved eip 0xb7b4cda1
 called by frame at 0xbfba1af0
 Arglist at 0xbfba1a98, args: 
 Locals at 0xbfba1a98, Previous frame's sp is 0xbfba1aa0
 Saved registers:
  eip at 0xbfba1a9c

(gdb) up
#1  0xb7b4cda1 in read_password (pamh=0x8841b00, 
    prompt=0x8846278 "reenter password for pam_mount:", pass=0xbfba1b38)
    at pam_mount.c:160
160                     retval = conv->conv(nargs, message, resp, 
conv->appdata_ptr);

(gdb) up
#2  0xb7b4ddf3 in pam_sm_open_session (pamh=0x8841b00, flags=32768, argc=1, 
    argv=0x8843ce0) at pam_mount.c:511
511                     ret = read_password(pamh, Config.msg_sessionpw, 
&system_authtok);

(gdb) up
#3  0xb7f693c1 in _pam_dispatch (pamh=0x8841b00, flags=32768, choice=4)
    at pam_dispatch.c:108
108                 retval = h->func(pamh, flags, h->argc, h->argv);

(gdb) up
#4  0xb7f6cfeb in pam_open_session (pamh=0x8841be8, flags=32768)
    at pam_session.c:23
23          retval = _pam_dispatch(pamh, flags, PAM_OPEN_SESSION);

(gdb) up
#5  0x0804e848 in child_process (e=0x88418f8, u=0x88418d8) at 
.../do_command.c:228
228             retcode = pam_open_session(pamh, PAM_SILENT);

(gdb) up
#6  0x0804e36d in do_command (e=0x88418f8, u=0x88418d8) at 
.../do_command.c:102
102                     child_process(e, u);

(gdb) up
#7  0x0804e1e3 in job_runqueue () at ../job.c:68
68                      do_command(j->e, j->u);

(gdb) up
#8  0x0804a777 in main (argc=142875624, argv=0x0) at ../cron.c:270
270                     job_runqueue();

(gdb) up
Initial frame selected; you cannot go up.

(gdb) frame 0
#0  0x00000000 in ?? ()

(gdb) up
#1  0xb7b4cda1 in read_password (pamh=0x8841b00, 
    prompt=0x8846278 "reenter password for pam_mount:", pass=0xbfba1b38)
    at pam_mount.c:160
160                     retval = conv->conv(nargs, message, resp, 
conv->appdata_ptr);

(gdb) list
155             *resp = NULL;
156             retval = pam_get_item(pamh, PAM_CONV, static_cast(const void 
**,
157                      static_cast(void *, &conv)));
158
159             if (retval == PAM_SUCCESS) {
160                     retval = conv->conv(nargs, message, resp, 
conv->appdata_ptr);
161                     if (retval != PAM_SUCCESS)
162                             l0g("conv->conv(...): %s\n", 
pam_strerror(pamh, retval));
163             } else {
164                     l0g("pam_get_item: %s\n", pam_strerror(pamh, 
retval));
(gdb) 

(gdb) print *resp
Cannot access memory at address 0x0

(gdb) print resp
$3 = (struct pam_response *) 0x0
(gdb) 

-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libpam-mount depends on:
ii  debconf                    1.5.24        Debian configuration management sy
ii  libc6                      2.7-16        GNU C Library: Shared libraries
ii  libhx13                    1.18-1        A library providing queue, tree, I
ii  libpam0g                   1.0.1-4       Pluggable Authentication Modules l
ii  libssl0.9.8                0.9.8g-14     SSL shared libraries
ii  libxml-writer-perl         0.604-1       Perl module for writing XML docume
ii  libxml2                    2.6.32.dfsg-5 GNOME XML library
ii  mount                      2.13.1.1-1    Tools for mounting and manipulatin

libpam-mount recommends no packages.

Versions of packages libpam-mount suggests:
ii  cryptsetup                 2:1.0.6-7     configures encrypted block devices
pn  davfs2                     <none>        (no description available)
ii  fuse-utils                 2.7.4-1.1     Filesystem in USErspace (utilities
ii  lsof                       4.78.dfsg.1-4 List open files
pn  ncpfs                      <none>        (no description available)
ii  openssl                    0.9.8g-14     Secure Socket Layer (SSL) binary a
ii  psmisc                     22.6-1        Utilities that use the proc filesy
pn  smbfs                      <none>        (no description available)
pn  truecrypt-utils            <none>        (no description available)

-- debconf information:
* libpam-mount/convert-xml-config: true
diff --git a/src/pam_mount.c b/src/pam_mount.c
index 211a996..b86cd05 100644
--- a/src/pam_mount.c
+++ b/src/pam_mount.c
@@ -156,7 +156,7 @@ static int converse(pam_handle_t *pamh, int nargs,
 	retval = pam_get_item(pamh, PAM_CONV, static_cast(const void **,
 	         static_cast(void *, &conv)));
 
-	if (retval == PAM_SUCCESS) {
+	if (retval == PAM_SUCCESS && *resp != NULL) {
 		retval = conv->conv(nargs, message, resp, conv->appdata_ptr);
 		if (retval != PAM_SUCCESS)
 			l0g("conv->conv(...): %s\n", pam_strerror(pamh, retval));
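
Review bot: on the changed if line, a failed guard while retval is still PAM_SUCCESS drops into the else branch shown in the gdb listing (lines 163-164), which logs "pam_get_item:" followed by pam_strerror() of a success code. Give the no-conversation case its own branch that sets retval to an error such as PAM_CONV_ERR and logs that the application supplied no conversation function, so a skipped prompt is reported as a failure rather than logged as a pam_get_item success.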
