[hackers] [ubase][PATCH] passwd: fix crashes when authentication is unnecessary.
From: Mario Rugiero When running with root or a password for the user is missing, authentication is bypassed. However, it is later attempted to compare the new password against the missing one, causing crypt to crash due to a null salt. In the case of a missing password, there's no prior password to compare to, so the only choice is to avoid the comparison. In the case of root, reading a password (if present) is possible, to avoid resetting to the same password. However, it seems benign to just let it be to avoid more confusion. Anyway, the fix consists of doing the check only if we got an old password to begin with. --- passwd.c | 12 +++- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/passwd.c b/passwd.c index 52b70a8..92c59fd 100644 --- a/passwd.c +++ b/passwd.c @@ -235,11 +235,13 @@ newpass: eprintf("getpass:"); if (inpass[0] == '\0') eprintf("no password supplied\n"); - p = crypt(inpass, prevhash); - if (!p) - eprintf("crypt:"); - if (cryptpass1 && strcmp(cryptpass1, p) == 0) - eprintf("password left unchanged\n"); + if (prevhash) { + p = crypt(inpass, prevhash); + if (!p) + eprintf("crypt:"); + if (strcmp(cryptpass1, p) == 0) + eprintf("password left unchanged\n"); + } gensalt(salt + strlen(salt)); p = crypt(inpass, salt); if (!p) -- 2.17.1
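Review bot: the new guard in the `@@ -235,11 +235,13 @@` hunk tests `prevhash`, but the call it protects is `strcmp(cryptpass1, p)`, and the old `cryptpass1 &&` check has been dropped; if either bypassed-authentication path described in the message (root, or a user with no password) can leave `prevhash` set while `cryptpass1` is NULL, `strcmp` now receives a NULL first argument. Guarding on the pointer that is actually dereferenced, `if (cryptpass1) {`, or on both pointers, would make the intended invariant explicit and keep the crash fix from depending on how `prevhash` happens to be initialised earlier in `main()`.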
[hackers] [ubase][PATCH] passwd: fix crashes for unencrypted passwords starting with 'x'.
From: Mario Rugiero When deciding where the previous hash should come from, it is assumed that 'x' started strings all mean to look in shadow. This is probably harmless in practice, since modern Linux still use only hashes instead of raw passwords. However, this is more robust, and more importantly, it is more consistent with the previous check, which explicitly tests for the string to be "x". --- passwd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/passwd.c b/passwd.c index 92c59fd..53e01e8 100644 --- a/passwd.c +++ b/passwd.c @@ -210,7 +210,8 @@ main(int argc, char *argv[]) if (pw->pw_passwd[0] == '\0') { goto newpass; } - if (pw->pw_passwd[0] == 'x') + if (pw->pw_passwd[0] == 'x' && + pw->pw_passwd[1] == '\0') prevhash = spw->sp_pwdp; else prevhash = pw->pw_passwd; -- 2.17.1
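Review bot: `pw->pw_passwd[0] == 'x' && pw->pw_passwd[1] == '\0'` is correct (short-circuit evaluation keeps the `[1]` read inside the string), but since the stated goal is consistency with an earlier check that compares the whole string against "x", writing this one the same way, `strcmp(pw->pw_passwd, "x") == 0`, would make the equivalence visible at a glance. One consequence of the tighter test worth a line in the message: a raw `pw_passwd` that starts with 'x' but is longer now takes the `prevhash = pw->pw_passwd` branch, so that cleartext string is what later reaches `crypt()` as its salt argument elsewhere in passwd.c; whether that path tolerates a non-hash salt (the `if (!p) eprintf("crypt:")` check suggests it is at least detected) should be confirmed rather than assumed.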
[hackers] [ubase][PATCH] passwd: fix crashes when authentication is unnecessary.
From: Mario Rugiero When running with root or a password for the user is missing, authentication is bypassed. However, it is later attempted to compare the new password against the missing one, causing crypt to crash due to a null salt. In the case of a missing password, there's no prior password to compare to, so the only choice is to avoid the comparison. In the case of root, reading a password (if present) is possible, to avoid resetting to the same password. However, it seems benign to just let it be to avoid more confusion. Anyway, the fix consists of doing the check only if we got an old password to begin with. --- passwd.c | 12 +++- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/passwd.c b/passwd.c index 52b70a8..0b54537 100644 --- a/passwd.c +++ b/passwd.c @@ -235,11 +235,13 @@ newpass: eprintf("getpass:"); if (inpass[0] == '\0') eprintf("no password supplied\n"); - p = crypt(inpass, prevhash); - if (!p) - eprintf("crypt:"); - if (cryptpass1 && strcmp(cryptpass1, p) == 0) - eprintf("password left unchanged\n"); + if (cryptpass1) { + p = crypt(inpass, prevhash); + if (!p) + eprintf("crypt:"); + if (strcmp(cryptpass1, p) == 0) + eprintf("password left unchanged\n"); + } gensalt(salt + strlen(salt)); p = crypt(inpass, salt); if (!p) -- 2.17.1
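Review bot: guarding on `cryptpass1` in this revision of the `@@ -235,11 +235,13 @@` hunk matches the pointer the body dereferences, so `strcmp` can no longer be handed NULL; the remaining implicit assumption is that `crypt(inpass, prevhash)` inside the block is only reached when `prevhash` is also non-NULL, which holds if `cryptpass1` is only ever produced from `prevhash` earlier in `main()`. A one-line comment stating that invariant above `if (cryptpass1) {` (or an explicit `&& prevhash`) would spare the next reader from re-deriving why the null-salt crash from the message cannot recur here.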
[hackers] [ubase][PATCH] passwd: fix crashes for unencrypted passwords starting with 'x'.
From: Mario Rugiero When deciding where the previous hash should come from, it is assumed that 'x' started strings all mean to look in shadow. This is probably harmless in practice, since modern Linux still use only hashes instead of raw passwords. However, this is more robust, and more importantly, it is more consistent with the previous check, which explicitly tests for the string to be "x". --- passwd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/passwd.c b/passwd.c index 0b54537..dca2e58 100644 --- a/passwd.c +++ b/passwd.c @@ -210,7 +210,8 @@ main(int argc, char *argv[]) if (pw->pw_passwd[0] == '\0') { goto newpass; } - if (pw->pw_passwd[0] == 'x') + if (pw->pw_passwd[0] == 'x' && + pw->pw_passwd[0] == '\0') prevhash = spw->sp_pwdp; else prevhash = pw->pw_passwd; -- 2.17.1
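Review bot: the new condition in this `@@ -210,7 +210,8 @@` hunk is `pw->pw_passwd[0] == 'x' && pw->pw_passwd[0] == '\0'`, which tests index 0 twice with mutually exclusive values and therefore can never be true, so `prevhash` always falls through to `pw->pw_passwd`; for every account whose passwd field is the shadow marker "x", the literal string "x" is then used as the previous hash instead of `spw->sp_pwdp`, and authentication against the real hash cannot succeed. The second test should read `pw->pw_passwd[1] == '\0'` (as in the earlier version of this patch on this page), or the whole condition `strcmp(pw->pw_passwd, "x") == 0`, which also reads as the equivalence to the previous check that the message is aiming for.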
[hackers] [dwm][PATCH] Fix use-after-free on cleanup.
From: Mario Rugiero When cleaning up the stack the stack member for the first monitor wasn't being updated to reflect this, with the following (possible) consequences: - An infinite loop. If things wouldn't crash, not updating the guard of the loop would lead to this. - Garbage being read and passed to functions. - A double free on m->stack. --- dwm.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/dwm.c b/dwm.c index 4465af1..06720c6 100644 --- a/dwm.c +++ b/dwm.c @@ -472,13 +472,17 @@ cleanup(void) Arg a = {.ui = ~0}; Layout foo = { "", NULL }; Monitor *m; + Client *c; size_t i; view(&a); selmon->lt[selmon->sellt] = &foo; for (m = mons; m; m = m->next) - while (m->stack) + while (m->stack) { + c = m->stack->snext; unmanage(m->stack, 0); + m->stack = c; + } XUngrabKey(dpy, AnyKey, AnyModifier, root); while (mons) cleanupmon(mons); -- 2.17.1
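Review bot: the hunk saves `c = m->stack->snext` before `unmanage(m->stack, 0)` and then assigns `m->stack = c`, which is only the right fix if `unmanage` neither advances `m->stack` itself nor reorders the stack list (for instance by moving a newly focused client to its head) before returning; if it already unlinks the client from the stack, the assignment is redundant, and if it moves a different client to the head, the assignment drops that client from the list and it is never unmanaged. The commit message lists the symptoms (loop, garbage reads, double free) but not the path in `unmanage` that leaves `m->stack` pointing at freed memory; naming it would let a reviewer confirm which case applies, and if the answer is that the stack link is simply never updated, repairing the detach inside `unmanage` would fix every caller rather than only `cleanup()`.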
[hackers] [dwm][PATCH] Fail zoom on no selection.
From: Mario Rugiero Continuing on '!selmon->sel' leads to a NULL pointer dereference. Reading the code, it seems it was intended to fail when either there's no selected client or it's running in floating mode. --- dwm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dwm.c b/dwm.c index 06720c6..787f149 100644 --- a/dwm.c +++ b/dwm.c @@ -2120,7 +2120,7 @@ zoom(const Arg *arg) Client *c = selmon->sel; if (!selmon->lt[selmon->sellt]->arrange - || (selmon->sel && selmon->sel->isfloating)) + || !selmon->sel || selmon->sel->isfloating) return; if (c == nexttiled(selmon->clients)) if (!c || !(c = nexttiled(c->next))) -- 2.17.1
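Review bot: with `!selmon->sel` now part of the early-return condition, `c` (initialised from `selmon->sel` on the first line of the hunk) is guaranteed non-NULL afterwards, so the `!c ||` in the following `if (!c || !(c = nexttiled(c->next)))` has become dead and can be dropped; alternatively, write the new test as `!c`, since `c` already aliases `selmon->sel`, to make that relationship obvious. The change itself is correct: under the old parenthesisation `(selmon->sel && selmon->sel->isfloating)` a NULL `selmon->sel` evaluated to false, skipped the `return`, and reached the code below, which is the dereference the message describes.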