Package: sudo
Version: 1.8.19p1-2.1
Severity: important
Tags: patch

Dear Maintainer,
When sssd is in use, and a configured I/O plugin fails to initialize, sudo segfaults/dumps core with a use-after-free and/or double-free violation. This is caused by sudo_sss_close() being called multiple times (via various code paths, e.g. sudoers_policy_check -> sudoers_policy_main -> sudo_sss_close; or policy_check -> sudo_fatalx_nodebug_v1 -> do_cleanup -> sudoers_cleanup), which frees nss->handle but does not set the pointer to NULL.

Output is as follows:

$ sudo -i
sudo: error initializing I/O plugin ngcp_plugin
*** Error in `sudo': double free or corruption (!prev): 0x0000560e35fda750 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7f1d2fc15bfb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76fc6)[0x7f1d2fc1bfc6]
/lib/x86_64-linux-gnu/libc.so.6(+0x7780e)[0x7f1d2fc1c80e]
/usr/lib/sudo/sudoers.so(+0x20bcd)[0x7f1d2e090bcd]
/usr/lib/sudo/sudoers.so(+0x1a7f6)[0x7f1d2e08a7f6]
/usr/lib/sudo/libsudo_util.so.0(+0x4e6d)[0x7f1d3014ce6d]
/usr/lib/sudo/libsudo_util.so.0(sudo_fatalx_nodebug_v1+0xa3)[0x7f1d3014d2b3]
sudo(+0x5521)[0x560e345f6521]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f1d2fbc52e1]
sudo(+0x671a)[0x560e345f771a]

Valgrind reports:

# valgrind ./sudo -i
==45182== Memcheck, a memory error detector
==45182== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==45182== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==45182== Command: ./sudo -i
==45182==
sudo: error initializing I/O plugin ngcp_plugin
==45182== Invalid read of size 8
==45182==    at 0x6F36BBB: sudo_sss_close (sssd.c:482)
==45182==    by 0x6F307F5: sudoers_cleanup (sudoers.c:1193)
==45182==    by 0x548FE6C: do_cleanup (fatal.c:61)
==45182==    by 0x54902B2: sudo_fatalx_nodebug_v1 (fatal.c:86)
==45182==    by 0x10D520: policy_check (sudo.c:1333)
==45182==    by 0x10D520: main (sudo.c:261)
==45182==  Address 0x6328aa0 is 32 bytes inside a block of size 80 free'd
==45182==    at 0x4C2CDDB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==45182==    by 0x6F36BCC: sudo_sss_close (sssd.c:483)
==45182==    by 0x6F3282A: sudoers_policy_main (sudoers.c:528)
==45182==    by 0x6F2B9EE: sudoers_policy_check (policy.c:754)
==45182==    by 0x10CED1: policy_check (sudo.c:1337)
==45182==    by 0x10CED1: main (sudo.c:261)
==45182==  Block was alloc'd at
==45182==    at 0x4C2BBAF: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==45182==    by 0x6F36C50: sudo_sss_open (sssd.c:388)
==45182==    by 0x6F3108B: sudoers_policy_init (sudoers.c:192)
==45182==    by 0x6F2BEC6: sudoers_policy_open (policy.c:679)
==45182==    by 0x10D073: policy_open (sudo.c:1283)
==45182==    by 0x10D073: main (sudo.c:225)
==45182==
==45182== Invalid read of size 1
==45182==    at 0x4015571: _dl_close (dl-close.c:817)
==45182==    by 0x400F643: _dl_catch_error (dl-error.c:187)
==45182==    by 0x56A0530: _dlerror_run (dlerror.c:163)
==45182==    by 0x569FFDE: dlclose (dlclose.c:46)
==45182==    by 0x6F36BC3: sudo_sss_close (sssd.c:482)
==45182==    by 0x6F307F5: sudoers_cleanup (sudoers.c:1193)
==45182==    by 0x548FE6C: do_cleanup (fatal.c:61)
==45182==    by 0x54902B2: sudo_fatalx_nodebug_v1 (fatal.c:86)
==45182==    by 0x10D520: policy_check (sudo.c:1333)
==45182==    by 0x10D520: main (sudo.c:261)
==45182==  Address 0x6328f54 is 980 bytes inside a block of size 1,209 free'd
==45182==    at 0x4C2CDDB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==45182==    by 0x4014D95: _dl_close_worker (dl-close.c:747)
==45182==    by 0x401558D: _dl_close (dl-close.c:840)
==45182==    by 0x400F643: _dl_catch_error (dl-error.c:187)
==45182==    by 0x56A0530: _dlerror_run (dlerror.c:163)
==45182==    by 0x569FFDE: dlclose (dlclose.c:46)
==45182==    by 0x6F36BC3: sudo_sss_close (sssd.c:482)
==45182==    by 0x6F3282A: sudoers_policy_main (sudoers.c:528)
==45182==    by 0x6F2B9EE: sudoers_policy_check (policy.c:754)
==45182==    by 0x10CED1: policy_check (sudo.c:1337)
==45182==    by 0x10CED1: main (sudo.c:261)
==45182==  Block was alloc'd at
==45182==    at 0x4C2DBC5: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==45182==    by 0x400B215: _dl_new_object (dl-object.c:75)
==45182==    by 0x400587C: _dl_map_object_from_fd (dl-load.c:1000)
==45182==    by 0x400874B: _dl_map_object (dl-load.c:2470)
==45182==    by 0x4013B13: dl_open_worker (dl-open.c:237)
==45182==    by 0x400F643: _dl_catch_error (dl-error.c:187)
==45182==    by 0x4013608: _dl_open (dl-open.c:660)
==45182==    by 0x569FEE8: dlopen_doit (dlopen.c:66)
==45182==    by 0x400F643: _dl_catch_error (dl-error.c:187)
==45182==    by 0x56A0530: _dlerror_run (dlerror.c:163)
==45182==    by 0x569FF81: dlopen@@GLIBC_2.2.5 (dlopen.c:87)
==45182==    by 0x6F36C6D: sudo_sss_open (sssd.c:395)
==45182==
...

Patch is as follows:

--- sudo-1.8.19p1.orig/plugins/sudoers/sssd.c
+++ sudo-1.8.19p1/plugins/sudoers/sssd.c
@@ -481,6 +481,7 @@ sudo_sss_close(struct sudo_nss *nss)
 		handle = nss->handle;
 		sudo_dso_unload(handle->ssslib);
 		free(nss->handle);
+		nss->handle = NULL;
 	}
 	debug_return_int(0);
 }

Thanks

-- System Information:
Debian Release: 9.8
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sudo depends on:
ii  libaudit1       1:2.6.7-2
ii  libc6           2.24-11+deb9u4
ii  libpam-modules  1.1.8-3.6
ii  libpam0g        1.1.8-3.6
ii  libselinux1     2.6-3+b3
ii  lsb-base        9.20161125

sudo recommends no packages.

sudo suggests no packages.

-- no debconf information
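Review bot: The added `nss->handle = NULL;` only makes sudo_sss_close() safe to call a second time if the block it sits in (closed by the `}` before `debug_return_int(0);`, whose opening condition is outside the hunk context) is skipped when nss->handle is NULL; please confirm that the guard tests nss->handle, because otherwise the second call from sudoers_cleanup() turns the double free into a NULL dereference at `sudo_dso_unload(handle->ssslib);`. Minor: since `handle = nss->handle;` is already taken, `free(handle);` reads more consistently than `free(nss->handle);`, and the sudoers.c:528 and sudoers.c:1193 call sites in the Valgrind trace above are the two callers worth checking for this.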
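To make the failure mode concrete, here is an added C example (constructed for this note, not sudo's code) that replays the report's two close calls, first against a close routine shaped like the unpatched sudo_sss_close() and then against one with the patch applied. The struct layouts, the `if (nss->handle != NULL)` guard and the counted stand-in for free() are assumptions; the count is what a memory checker would report as the number of frees.

```c
#include <stddef.h>

/* Constructed stand-ins for sudo's sudo_nss and sssd handle structures. */
struct sss_handle { void *ssslib; };
struct sudo_nss  { struct sss_handle *handle; };

static struct sss_handle handle_storage;   /* backing store, never malloc'd */
static int handle_frees;                   /* how often the handle was "freed" */

/* free() is replaced by a counter so the buggy variant can be replayed
 * without actually corrupting the heap; a count of 2 is the double free
 * that glibc and Valgrind reported. Library unloading is a no-op here. */
static void fake_free(struct sss_handle *h) { (void)h; handle_frees++; }
static void fake_dso_unload(void *lib)     { (void)lib; }

/* Assumed shape of the guarded block in sudo_sss_close() before the patch:
 * the handle is freed but left dangling, so a second call passes the
 * guard and frees (and unloads) it again. */
static int sss_close_before(struct sudo_nss *nss)
{
    if (nss->handle != NULL) {
        struct sss_handle *handle = nss->handle;
        fake_dso_unload(handle->ssslib);
        fake_free(nss->handle);
    }
    return 0;
}

/* Same block with the report's one-line fix: clearing the pointer makes
 * the close idempotent, which is what the second caller needs. */
static int sss_close_after(struct sudo_nss *nss)
{
    if (nss->handle != NULL) {
        struct sss_handle *handle = nss->handle;
        fake_dso_unload(handle->ssslib);
        fake_free(nss->handle);
        nss->handle = NULL;
    }
    return 0;
}

/* Replays the report's two code paths: close from sudoers_policy_main(),
 * then again from the fatal-error path via sudoers_cleanup().
 * Returns the number of frees, the value a memory checker would flag. */
static int replay_close_calls(int (*close_fn)(struct sudo_nss *))
{
    struct sudo_nss nss = { &handle_storage };
    handle_frees = 0;
    close_fn(&nss);   /* sudoers_policy_check -> sudoers_policy_main */
    close_fn(&nss);   /* sudo_fatalx -> do_cleanup -> sudoers_cleanup */
    return handle_frees;
}
```

The unpatched variant frees twice on the second call; the patched one frees once and the second call is a no-op.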