Review Request 111261: [KDE-Workspace]: Possible NULL ptr. deref. in KDM and KCheckPass
Oswald Buddenhagen
ossi at kde.org
Fri Jun 28 07:20:37 BST 2013
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
http://git.reviewboard.kde.org/r/111261/#review35196
-----------------------------------------------------------
kcheckpass/checkpass_osfc2passwd.c
<http://git.reviewboard.kde.org/r/111261/#comment25787>
you are inconsistent about the operator placement. above you used qt-style start-of-line, while here it is end-of-line. i don't care too much if it matches the surrounding code in each file respectively.
however, i think i wouldn't wrap any of these statements to start with - they are short enough for my taste (qt has a 100 column soft limit).
kdm/backend/client.c
<http://git.reviewboard.kde.org/r/111261/#comment25786>
i really meant line 543. ;)
just as the code using it, it must be in the else branch of PAM and AIX.
- Oswald Buddenhagen
On June 27, 2013, 6:05 p.m., mancha mancha wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> http://git.reviewboard.kde.org/r/111261/
> -----------------------------------------------------------
>
> (Updated June 27, 2013, 6:05 p.m.)
>
>
> Review request for kde-workspace.
>
>
> Description
> -------
>
> Background:
> Beginning with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL (w/ NULL return) if the salt violates specifications. Additionally, on FIPS-140 enabled Linux systems, DES or MD5 encrypted passwords passed to crypt() fail with EPERM (w/ NULL return).
>
> Description:
> If KDM uses raw crypt() authentication (or pw_encrypt() on a patched Shadow system; see: https://alioth.debian.org/tracker/index.php?func=detail&aid=314234 ), instead of higher-level authentication such as PAM, and that crypt() can return a NULL pointer (as glibc 2.17+ does when passed DES/MD5 encrypted passwords on Linux systems in FIPS-140 mode), then attempting to log in to such an account via KDM crashes the daemon.
>
> -----
> kdm[1879]: segfault at 0 ip b74a1909 sp bfd209d4 error 4 in libc-2.17.so[b7421000+186000]
> kdm[1841]: Unknown session exit code 0 (sig 11) from manager process
> -----
>
> Likewise, KCheckPass, when called in a similar scenario as KDM above, or when attempting to pass invalid input to crypt()/pw_encrypt() such as a "locked" account that has a "!" prepended in the password field, will crash.
>
> -----
> kcheckpass[1927]: segfault at 0 ip b762b910 sp bffb0494 error 4 in libc-2.17.so[b75ab000+186000]
> -----
>
> Note: an earlier (and buggy) patch was emailed directly to ML (not via RR). Please disregard that submission entirely.
>
>
> Diffs
> -----
>
> kcheckpass/checkpass_etcpasswd.c 1dbe06f
> kcheckpass/checkpass_osfc2passwd.c 9a074f9
> kcheckpass/checkpass_shadow.c ec3a4e0
> kdm/backend/client.c bdff6da
>
> Diff: http://git.reviewboard.kde.org/r/111261/diff/
>
>
> Testing
> -------
>
> Tests conducted on KDE-Workspace 4.10.4 confirm attached patch corrects the issues described above. Before applying the patch, KDM and KCheckPass segfault as shown in log snippets above. After applying the patch, both properly handle NULL returns from crypt() and pw_encrypt().
>
>
> Thanks,
>
> mancha mancha
>
>
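
The failure mode described in the quoted review request, as an added example that is not part of the original thread or of the KDE patch: a hash result passed straight to strcmp() beside a form that treats NULL as a failed login. The names `hash_fn`, `stub_crypt`, `check_unsafe` and `check_safe` are hypothetical, and `stub_crypt` is a constructed stand-in for crypt() so the example runs without libcrypt.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Signature shared by crypt() and pw_encrypt(). */
typedef char *(*hash_fn)(const char *key, const char *salt);

/* Constructed stand-in for crypt() on glibc 2.17+: a salt that violates the
 * specification (such as the "!" prefix of a locked account) yields NULL
 * with errno = EINVAL. Anything else returns a fake "hash" (not a real one). */
char *stub_crypt(const char *key, const char *salt)
{
    static char out[64];
    if (salt[0] == '!' || strlen(salt) < 2) {
        errno = EINVAL;
        return NULL;
    }
    snprintf(out, sizeof out, "%.2s:%.32s", salt, key);
    return out;
}

/* Pattern that crashes: the result goes straight into strcmp().
 * Shown for contrast only; it is never called here. */
int check_unsafe(hash_fn h, const char *typed, const char *stored)
{
    return strcmp(h(typed, stored), stored) == 0; /* NULL deref on failure */
}

/* Hardened form: a NULL result is an authentication failure, not a crash. */
int check_safe(hash_fn h, const char *typed, const char *stored)
{
    char *hashed;
    if (typed == NULL || stored == NULL)
        return 0;
    hashed = h(typed, stored);
    if (hashed == NULL)
        return 0; /* fail closed; errno holds EINVAL or EPERM */
    return strcmp(hashed, stored) == 0;
}

int main(void)
{
    printf("valid:  %d\n", check_safe(stub_crypt, "secret", "ab:secret"));
    printf("locked: %d\n", check_safe(stub_crypt, "secret", "!ab:secret"));
    return 0;
}
```

With the real crypt() in place of the stub, the same NULL check covers both the EINVAL and the EPERM case from the description.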