Package: sudo
Version: 1.8.19p1-2.1
Severity: important
Tags: patch

Dear Maintainer,

When sssd is in use, and a configured I/O plugin fails to initialize,
sudo segfaults/dumps core with a use-after-free and/or double-free
violation.

This is caused by sudo_sss_close() being called multiple times (via
various code paths, e.g. sudoers_policy_check -> sudoers_policy_main ->
sudo_sss_close; or policy_check -> sudo_fatalx_nodebug_v1 -> do_cleanup
-> sudoers_cleanup), which frees nss->handle but does not set the
pointer to NULL.
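The pattern the report describes, reduced to a stand-alone C model (an added example, not sudo's code or the reporter's): `struct nss`, `struct sss_handle`, `nss_open` and the two `nss_close_*` variants are hypothetical stand-ins for `struct sudo_nss`, `struct sudo_sss_handle`, `sudo_sss_open()` and `sudo_sss_close()` before and after the patch; `malloc`/`free` of `ssslib` stand in for loading and unloading the shared library.

```c
#include <stdlib.h>
struct sss_handle { void *ssslib; };        /* stand-in for sudo_sss_handle */
struct nss { struct sss_handle *handle; };  /* stand-in for struct sudo_nss */
/* Models sudo_sss_open(): allocate the handle and "load" the library. */
static int nss_open(struct nss *nss)
{
    if ((nss->handle = calloc(1, sizeof(*nss->handle))) == NULL) return -1;
    nss->handle->ssslib = malloc(16);          /* stands in for sudo_dso_load() */
    return nss->handle->ssslib != NULL ? 0 : -1;
}

/* Before the patch: handle freed, pointer left dangling; a 2nd call re-enters. */
static int nss_close_before(struct nss *nss)
{
    if (nss->handle != NULL) {
        free(nss->handle->ssslib);             /* sudo_dso_unload() */
        free(nss->handle);                     /* 2nd call: invalid read + double free */
    }
    return 0;
}

/* After the patch: clearing the pointer makes close idempotent. */
static int nss_close_after(struct nss *nss)
{
    if (nss->handle != NULL) {
        free(nss->handle->ssslib);
        free(nss->handle);
        nss->handle = NULL;
    }
    return 0;
}

/* Open, close once via close_fn, return 1 if nss->handle was cleared (compared only). */
static int handle_cleared_after_close(int (*close_fn)(struct nss *))
{
    struct nss nss = { NULL };
    if (nss_open(&nss) != 0) return -1;
    close_fn(&nss);
    return nss.handle == NULL;
}

/* Report's two paths, patched: policy_main closes, then fatal cleanup closes again. */
static int patched_double_close_is_noop(void)
{
    struct nss nss = { NULL };
    if (nss_open(&nss) != 0) return -1;
    nss_close_after(&nss);
    nss_close_after(&nss);                     /* no-op: handle already NULL */
    return nss.handle == NULL;
}
```

Running the unpatched close twice is deliberately not modelled, since that is the double free Valgrind reports above; the old variant is called once only, to show the pointer it leaves behind.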

Output is as follows:

$ sudo -i
sudo: error initializing I/O plugin ngcp_plugin
*** Error in `sudo': double free or corruption (!prev):
0x0000560e35fda750 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7f1d2fc15bfb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76fc6)[0x7f1d2fc1bfc6]
/lib/x86_64-linux-gnu/libc.so.6(+0x7780e)[0x7f1d2fc1c80e]
/usr/lib/sudo/sudoers.so(+0x20bcd)[0x7f1d2e090bcd]
/usr/lib/sudo/sudoers.so(+0x1a7f6)[0x7f1d2e08a7f6]
/usr/lib/sudo/libsudo_util.so.0(+0x4e6d)[0x7f1d3014ce6d]
/usr/lib/sudo/libsudo_util.so.0(sudo_fatalx_nodebug_v1+0xa3)[0x7f1d3014d2b3]
sudo(+0x5521)[0x560e345f6521]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f1d2fbc52e1]
sudo(+0x671a)[0x560e345f771a]

Valgrind reports:

# valgrind ./sudo -i
==45182== Memcheck, a memory error detector
==45182== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et
al.
==45182== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for
copyright info
==45182== Command: ./sudo -i
==45182== 
sudo: error initializing I/O plugin ngcp_plugin
==45182== Invalid read of size 8
==45182==    at 0x6F36BBB: sudo_sss_close (sssd.c:482)
==45182==    by 0x6F307F5: sudoers_cleanup (sudoers.c:1193)
==45182==    by 0x548FE6C: do_cleanup (fatal.c:61)
==45182==    by 0x54902B2: sudo_fatalx_nodebug_v1 (fatal.c:86)
==45182==    by 0x10D520: policy_check (sudo.c:1333)
==45182==    by 0x10D520: main (sudo.c:261)
==45182==  Address 0x6328aa0 is 32 bytes inside a block of size 80
free'd
==45182==    at 0x4C2CDDB: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==45182==    by 0x6F36BCC: sudo_sss_close (sssd.c:483)
==45182==    by 0x6F3282A: sudoers_policy_main (sudoers.c:528)
==45182==    by 0x6F2B9EE: sudoers_policy_check (policy.c:754)
==45182==    by 0x10CED1: policy_check (sudo.c:1337)
==45182==    by 0x10CED1: main (sudo.c:261)
==45182==  Block was alloc'd at
==45182==    at 0x4C2BBAF: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==45182==    by 0x6F36C50: sudo_sss_open (sssd.c:388)
==45182==    by 0x6F3108B: sudoers_policy_init (sudoers.c:192)
==45182==    by 0x6F2BEC6: sudoers_policy_open (policy.c:679)
==45182==    by 0x10D073: policy_open (sudo.c:1283)
==45182==    by 0x10D073: main (sudo.c:225)
==45182== 
==45182== Invalid read of size 1
==45182==    at 0x4015571: _dl_close (dl-close.c:817)
==45182==    by 0x400F643: _dl_catch_error (dl-error.c:187)
==45182==    by 0x56A0530: _dlerror_run (dlerror.c:163)
==45182==    by 0x569FFDE: dlclose (dlclose.c:46)
==45182==    by 0x6F36BC3: sudo_sss_close (sssd.c:482)
==45182==    by 0x6F307F5: sudoers_cleanup (sudoers.c:1193)
==45182==    by 0x548FE6C: do_cleanup (fatal.c:61)
==45182==    by 0x54902B2: sudo_fatalx_nodebug_v1 (fatal.c:86)
==45182==    by 0x10D520: policy_check (sudo.c:1333)
==45182==    by 0x10D520: main (sudo.c:261)
==45182==  Address 0x6328f54 is 980 bytes inside a block of size 1,209
free'd
==45182==    at 0x4C2CDDB: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==45182==    by 0x4014D95: _dl_close_worker (dl-close.c:747)
==45182==    by 0x401558D: _dl_close (dl-close.c:840)
==45182==    by 0x400F643: _dl_catch_error (dl-error.c:187)
==45182==    by 0x56A0530: _dlerror_run (dlerror.c:163)
==45182==    by 0x569FFDE: dlclose (dlclose.c:46)
==45182==    by 0x6F36BC3: sudo_sss_close (sssd.c:482)
==45182==    by 0x6F3282A: sudoers_policy_main (sudoers.c:528)
==45182==    by 0x6F2B9EE: sudoers_policy_check (policy.c:754)
==45182==    by 0x10CED1: policy_check (sudo.c:1337)
==45182==    by 0x10CED1: main (sudo.c:261)
==45182==  Block was alloc'd at
==45182==    at 0x4C2DBC5: calloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==45182==    by 0x400B215: _dl_new_object (dl-object.c:75)
==45182==    by 0x400587C: _dl_map_object_from_fd (dl-load.c:1000)
==45182==    by 0x400874B: _dl_map_object (dl-load.c:2470)
==45182==    by 0x4013B13: dl_open_worker (dl-open.c:237)
==45182==    by 0x400F643: _dl_catch_error (dl-error.c:187)
==45182==    by 0x4013608: _dl_open (dl-open.c:660)
==45182==    by 0x569FEE8: dlopen_doit (dlopen.c:66)
==45182==    by 0x400F643: _dl_catch_error (dl-error.c:187)
==45182==    by 0x56A0530: _dlerror_run (dlerror.c:163)
==45182==    by 0x569FF81: dlopen@@GLIBC_2.2.5 (dlopen.c:87)
==45182==    by 0x6F36C6D: sudo_sss_open (sssd.c:395)
==45182== 
...


Patch is as follows:

--- sudo-1.8.19p1.orig/plugins/sudoers/sssd.c
+++ sudo-1.8.19p1/plugins/sudoers/sssd.c
@@ -481,6 +481,7 @@ sudo_sss_close(struct sudo_nss *nss)
        handle = nss->handle;
        sudo_dso_unload(handle->ssslib);
        free(nss->handle);
+       nss->handle = NULL;
     }
     debug_return_int(0);
 }
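Review bot: the added `nss->handle = NULL;` only makes sudo_sss_close() safe to call twice if the enclosing block (its opening `if` is above the hunk) tests nss->handle for NULL before entering; with that guard the second call from sudoers_cleanup becomes a no-op, so confirm the guard checks the pointer and not just `nss`. Two smaller points: the local `handle` still holds the freed pointer after `free(nss->handle);`, harmless here because nothing uses it afterwards, and the reset papers over the real issue, which is that sudoers_cleanup re-runs close after sudoers_policy_main already closed; a short comment on the new line explaining why the pointer is cleared would help the next reader.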

Thanks


-- System Information:
Debian Release: 9.8
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sudo depends on:
ii  libaudit1       1:2.6.7-2
ii  libc6           2.24-11+deb9u4
ii  libpam-modules  1.1.8-3.6
ii  libpam0g        1.1.8-3.6
ii  libselinux1     2.6-3+b3
ii  lsb-base        9.20161125

sudo recommends no packages.

sudo suggests no packages.

-- no debconf information
