#18: pam_unix.so segfaults when SHA_CRYPT_*_ROUNDS is set
---------------------+------------------------------
Reporter: mgorny | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: modules
Version: | Keywords:
Blocked By: | Blocking:
---------------------+------------------------------
Gentoo bug report:
https://bugs.gentoo.org/show_bug.cgi?id=484732
pam_unix_acct.c:200 calls:
{{{
ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);
}}}
while `_set_ctrl()` writes to `*rounds` unconditionally to whether it is
provided or NULL:
{{{
if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) {
val=search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
if (val) {
*rounds = strtol(val, NULL, 10);
free (val);
}
}
}}}
This is a regression since 1.1.6. Also, it makes it impossible to login to
the system or e.g. `su`.
I don't know what the preferred fix would be. You could either check for
non-NULL `rounds` or require that `_set_ctrl()` is called with non-NULL
`rounds`.
--
Ticket URL: <
https://fedorahosted.org/linux-pam/ticket/18>
linux-pam <
http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project