Commit message | Author | Age | Files | Lines
* libpam: avoid infinite recursion with includes | Benny Baumann | 2023-11-14 | 1 | -8/+11
|   When there's a loop of configuration files consisting solely of includes the recursion depth level is never incremented and thus no upper limit is enforced. This leads to a crash caused by a stack overflow.
|   This patch updates the logic to track both the number of includes as well as the number of substacks we are on; ultimately adding a new parameter to track this information.
|   Signed-off-by: Benny Baumann <BenBE@geshi.org>
* ci: add --enable-debug jobs to the ci matrix | Dmitry V. Levin | 2023-11-14 | 2 | -0/+36
|
* libpam: mark debug output functions as potentially unused | Benny Baumann | 2023-11-14 | 1 | -0/+6
|   Marking the functions _pam_output_debug and _pam_output_debug_info as potentially unused reduces the noise when compiling in debug mode. The warning is produced whenever _pam_macros.h is included, but no debug output is produced by the module.
|   Just marking the function as static inline, which would have a similar effect, does not work for various reasons and instead produces new issues instead. Thus silencing this warning by telling the compiler about our intentions with these functions is the better approach.
|   Signed-off-by: Benny Baumann <BenBE@geshi.org>
* libpam: mark _pam_output_debug as printf-style function | Benny Baumann | 2023-11-14 | 1 | -0/+1
|   Marking _pam_output_debug as printf-style function allows the compiler to check for potential errors at places where this function is called, like mismatches in the argument types or insufficient number of arguments.
|   Signed-off-by: Benny Baumann <BenBE@geshi.org>
* pam_unix: avoid integer truncation in debug output | Benny Baumann | 2023-11-14 | 1 | -1/+1
|   When printing the current day and when the password was last changed, a truncation of the value could happen due to incorrect data types used in the format string.
|   Signed-off-by: Benny Baumann <BenBE@geshi.org>
* pam_unix: avoid printing NULL values | Benny Baumann | 2023-11-14 | 1 | -1/+1
|   The value of pp can potentially be NULL. This handles this case when printing debug output.
|   Signed-off-by: Benny Baumann <BenBE@geshi.org>
* pam_unix: only output length check message on failure | Benny Baumann | 2023-11-14 | 1 | -2/+3
|   The debug message was placed outside the password length check and thus if the length check succeeded no message would have been placed. Comparing this location with other occurrences indicates this was by mistake, thus the message is now suppressed if there's nothing to print anyway.
|   Signed-off-by: Benny Baumann <BenBE@geshi.org>
* pam_time: ensure correct argument type when printing debug output | Benny Baumann | 2023-11-14 | 1 | -1/+1
|   While the underlying type for setting the service was correct, the additional output neglected to include the type cast necessary when actually printing the data. This is rectified here.
|   Signed-off-by: Benny Baumann <BenBE@geshi.org>
* pam_selinux: take null contexts into account | Benny Baumann | 2023-11-14 | 1 | -1/+2
|   As the context variables can be NULL at this point, this has to be reflected when printing them for debug purposes.
|   Signed-off-by: Benny Baumann <BenBE@geshi.org>
* pam_mkhomedir: ensure correct argument type when printing debug output | Benny Baumann | 2023-11-14 | 1 | -1/+1
|   While the underlying type for setting the user was correct, the additional output neglected to include the type cast necessary when actually printing the data. This is rectified here.
|   Signed-off-by: Benny Baumann <BenBE@geshi.org>
* pam_lastlog: ensure correct argument type when printing debug output | Benny Baumann | 2023-11-14 | 1 | -1/+1
|   While the underlying type for setting the user was correct, the additional output neglected to include the type cast necessary when actually printing the data. This is rectified here.
|   Signed-off-by: Benny Baumann <BenBE@geshi.org>
* pam_group: ensure correct argument type when printing debug output | Benny Baumann | 2023-11-13 | 1 | -1/+1
|   While the underlying type for setting the service was correct, the additional output neglected to include the type cast necessary when actually printing the data. This is rectified here.
|   Signed-off-by: Benny Baumann <BenBE@geshi.org>
* pam_env: use printf type annotation for size_t | Benny Baumann | 2023-11-13 | 1 | -1/+1
|   There was a debug message still using %d (int) instead of the contextually correct %zu (size_t AKA long unsigned int), potentially causing silent truncation of the printed value.
|   Signed-off-by: Benny Baumann <BenBE@geshi.org>
* pam_env: force format string to be constant | Benny Baumann | 2023-11-13 | 1 | -1/+1
|   As the string to output here is user-controlled this could lead to format string attacks. Possible impact is at least information leakage about the program stack.
|   To avoid this, make the format string fixed and insert the actual string for output as an argument.
|   Signed-off-by: Benny Baumann <BenBE@geshi.org>
* libpam: fix superfluous argument to debug output | Benny Baumann | 2023-11-13 | 1 | -1/+1
|   The value returned by the preceding _pam_dispatch has been limited to PAM_INCOMPLETE by the point this debug output is generated. Thus there is no point in repeating it in the message - in fact it was not even part of the format string before, thus adding it would make no sense.
|   On the other hand, if there is no place to print the (known) value of retval here, there's also no point in providing it to the debug output function either. Thus let's drop it.
|   Signed-off-by: Benny Baumann <BenBE@geshi.org>
* libpam: ensure correct argument type when printing debug output | Benny Baumann | 2023-11-13 | 1 | -1/+1
|   While the underlying type for setting the TTY was correct, the additional output neglected to include the type cast necessary when actually printing the data. This is rectified here.
|   Signed-off-by: Benny Baumann <BenBE@geshi.org>
* libpam: use printf type annotation for size_t | Benny Baumann | 2023-11-13 | 5 | -5/+5
|   Several debug messages were using %u (unsigned int) instead of the contextually correct %zu (size_t AKA long unsigned int), potentially causing silent truncation of the printed value.
|   Signed-off-by: Benny Baumann <BenBE@geshi.org>
* libpam: print module name in debug error message | Benny Baumann | 2023-11-13 | 1 | -1/+2
|   Previously, there was a missing argument to the debug output within _pam_dispatch when _pam_dispatch_aux returned an error. This updates the debug message in that situation to include the module name that was involved with the failure.
|   Signed-off-by: Benny Baumann <BenBE@geshi.org>
* pam_shells: limit shells to absolute paths | Tobias Stoeckmann | 2023-11-13 | 1 | -7/+41
|   Only allow shells with absolute paths. Also handle line truncations which could occur with fgets by preferring getline/getdelim.
|   Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_securetty: protect against invalid input files | Tobias Stoeckmann | 2023-11-13 | 1 | -4/+9
|   If fgets encounters a file with a \0 at the beginning of a line, then strlen()-1 would turn negative. Check if line has at least one character in it.
|   Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_exec: fix stack overflow on \0 output | Tobias Stoeckmann | 2023-11-13 | 1 | -1/+1
|   If an executed program prints \0 at the beginning of a line, then pam_exec triggers an out of boundary read (and possible) write on the stack.
|   Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_echo: avoid heap overflow on huge files | Tobias Stoeckmann | 2023-11-13 | 1 | -0/+7
|   The module might overflow heap on 32 bit systems if a 4 GB file is supplied as argument.
|   Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: drop module if memory allocation failed | Tobias Stoeckmann | 2023-11-12 | 1 | -0/+9
|   The argument vector for a module is created in _pam_parse_conf_file, which is performed by _pam_mkargv. If memory allocation fails in _pam_mkargv, then an empty argv is returned. This has to be checked by the caller to not silently drop arguments requested by configuration.
|   Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: fix integer overflow when parsing configs | Tobias Stoeckmann | 2023-11-12 | 1 | -1/+11
|   It is possible to trigger a signed integer overflow when parsing jump numbers for pam return types. Fail if the number becomes too large.
|   Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* treewide: do not cast calloc/malloc/realloc | Tobias Stoeckmann | 2023-11-12 | 10 | -20/+17
|   It is not required to cast the results of calloc, malloc, realloc, etc.
|   Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: simplify IF_NO_PAMH | Tobias Stoeckmann | 2023-11-12 | 12 | -27/+27
|   The first argument of IF_NO_PAMH is supposed to be the name of the function which was called with pamh being NULL. With __FUNCTION__ the name can be inserted automatically by the compiler which is also already done with D macro.
|   Fixes a bug in which _pam_drop_env erroneously logs with the function name _pam_make_env.
|   Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: improve debug message | Tobias Stoeckmann | 2023-11-12 | 1 | -1/+1
|   Reading "other" is not meant as a file, which the debug message might look like. Copy the same debug message used when opening a module.
|   Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_time: fix typo in debug message | Tobias Stoeckmann | 2023-11-12 | 1 | -1/+1
|   Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: fix typo in debug message | Tobias Stoeckmann | 2023-11-12 | 1 | -1/+1
|   Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_env: remove function prefix in debug messages | Tobias Stoeckmann | 2023-11-12 | 2 | -4/+4
|   The D macro itself already adds the function names.
|   Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: remove function prefixes in debug messages | Tobias Stoeckmann | 2023-11-12 | 3 | -28/+27
|   The D macro itself already adds the function names.
|   Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_rootok: call va_end only once | Tobias Stoeckmann | 2023-11-12 | 1 | -1/+0
|   The amount of va_start and va_end calls should be identical. Since va_end is called right after vasprintf, don't call it later again.
|   Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: stop processing excessively long lines | Tobias Stoeckmann | 2023-11-12 | 1 | -0/+6
|   If a configuration file contains lines which are longer than 1024 characters, _pam_assemble_line splits them into multiple ones. This may lead to comments being interpreted as actual configuration lines.
|   Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: avoid endless loop on long config line | Tobias Stoeckmann | 2023-11-12 | 1 | -1/+1
|   An endless loop with fgets can be triggered if exactly one free byte is left in buffer, because fgets will fill this byte with \0 without reading any further data from file. This requires an invalid system configuration.
|   Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: improve debug output | Tobias Stoeckmann | 2023-11-12 | 1 | -1/+7
|   The debug output of environment variables tries to properly format pointers in a right-aligned way. 9 characters are not enough for 32 bit pointers though due to prepended 0x. Also, it takes 18 for 64 bit systems. Adjust the formatter properly for architectures.
|   Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: fix possible heap overflow in _pam_strdup | Tobias Stoeckmann | 2023-11-10 | 1 | -1/+1
|   It is possible to trigger an integer overflow in _pam_strdup if the passed string is longer than INT_MAX, which could lead to a smaller memory allocation than needed for the strcpy call. This in turn could lead to a heap overflow.
|   Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: use close_range() to close file descriptors | Iker Pedrosa | 2023-10-25 | 2 | -2/+18
|   * configure.ac: check whether close_range() is available in the system.
|   * libpam/pam_modutil_sanitize.c: use close_range() to close all file descriptors. If the interface isn't available use the previous approach.
|   Link: https://github.com/linux-pam/linux-pam/pull/276
|   Resolves: https://issues.redhat.com/browse/RHEL-5099
|   Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
* pam_env: fix handling of huge strings | Tobias Stoeckmann | 2023-10-13 | 1 | -3/+4
|   pam_putenv and pam_getenv do not properly handle strings which are longer than 2 GB (INT_MAX).
|   In pam_putenv the l2eq variable could overflow and turn negative, leading to out of boundary access (after the fact that signed integer overflow is undefined behavior).
|   In pam_getenv a very long string could lead to a small int value so other environment variables could match.
|   The easiest fix for both is to use size_t.
|   Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_pwhistory: fix passing NULL filename argument to pwhistory helper | Md Zain Hasib | 2023-10-04 | 2 | -3/+3
|   This change fixes a bug when pwhistory_helper is invoked from pam_pwhistory with a NULL filename, pwhistory_helper receives a short circuited argc count of 3, ignoring the rest of the arguments passed due to filename being NULL. To resolve the issue, an empty string is passed in case the filename is empty, which is later changed back to NULL in pwhistory_helper so that it can be passed to opasswd to read the default opasswd file.
|   * modules/pam_pwhistory/pam_pwhistory.c (run_save_helper, run_check_helper): Replace NULL filename argument with an empty string.
|   * modules/pam_pwhistory/pwhistory_helper.c (main): Replace empty string filename argument with NULL.
|   Fixes: 11c35109a67f ("pam_pwhistory: Enable alternate location for password history file (#396)")
|   Signed-off-by: Dmitry V. Levin <ldv@strace.io>
* pam_start.c: call bindtextdomain() to expose Linux-PAM locales | Sergei Trofimovich | 2023-08-25 | 3 | -0/+17
|   Without the change locales are not visible to applications using PAM if PAM library is installed into a --prefix= different from the default one.
* pam_succeed_if: avoid returning garbage for empty configuration | Christian Göttsche | 2023-08-07 | 1 | -0/+1
|   If pam_succeed_if is used without any options the return value ret will never be assigned a value. Since the case where the counted number of options is zero will print 'no condition detected; module succeeded' set the return value to PAM_SUCCESS.
|   Reported by Clang analyzer:
|       pam_succeed_if.c:578:2: warning: Undefined or garbage value returned to caller [core.uninitialized.UndefReturn]
|         578 |         return ret;
|             |         ^~~~~~~~~~
* pam_env: remove allocator sizeof operator mismatch | Christian Göttsche | 2023-08-07 | 1 | -2/+2
|   An array of strings is allocated (into a pointer) so the single array element to be allocated is char*. Since sizeof(char**) should be always equal to sizeof(char*) this caused no issues so far.
|   Reported by Clang analyzer:
|       pam_env.c:391:14: warning: Result of 'malloc' is converted to a pointer of type 'char *', which is incompatible with sizeof operand type 'char **' [unix.MallocSizeof]
|         391 |     *lines = malloc((i + 1)* sizeof(char**));
|             |              ^~~~~~          ~~~~~~~~~~~~~~
|       pam_env.c:401:13: warning: Result of 'realloc' is converted to a pointer of type 'char *', which is incompatible with sizeof operand type 'char **' [unix.MallocSizeof]
|         401 |       tmp = realloc(*lines, (++i + 1) * sizeof(char**));
|             |             ^~~~~~~                     ~~~~~~~~~~~~~~
* libpam: avoid reserved variable names in macros | Christian Göttsche | 2023-08-07 | 1 | -13/+13
|   Identifiers starting with an underscore are reserved by the C standard. Also avoid double underscores, which are reserved by C++, in header file.
* pam_timestamp: use secure memory erasure | Christian Göttsche | 2023-08-07 | 1 | -2/+3
|   Closes: #575
* pam_timestamp: constify sha1 padding block | Christian Göttsche | 2023-08-07 | 1 | -1/+1
|   The padding block is only read from via memcpy(3).
* modules: cast to unsigned char for character handling function | Christian Göttsche | 2023-08-07 | 15 | -39/+39
|   Character handling functions, like isspace(3), expect a value representable as unsigned char or equal to EOF. Otherwise the behavior is undefined.
|   See https://wiki.sei.cmu.edu/confluence/display/c/STR37-C.+Arguments+to+character-handling+functions+must+be+representable+as+an+unsigned+char
* libpamc: cast to unsigned char for character handling function | Christian Göttsche | 2023-08-07 | 1 | -1/+1
|   Character handling functions, like isspace(3), expect a value representable as unsigned char or equal to EOF. Otherwise the behavior is undefined.
|   See https://wiki.sei.cmu.edu/confluence/display/c/STR37-C.+Arguments+to+character-handling+functions+must+be+representable+as+an+unsigned+char
* libpam: cast to unsigned char for character handling function | Christian Göttsche | 2023-08-07 | 4 | -9/+9
|   Character handling functions, like isspace(3), expect a value representable as unsigned char or equal to EOF. Otherwise the behavior is undefined.
|   See https://wiki.sei.cmu.edu/confluence/display/c/STR37-C.+Arguments+to+character-handling+functions+must+be+representable+as+an+unsigned+char
* conf: cast to unsigned char for character handling function | Christian Göttsche | 2023-08-07 | 1 | -1/+1
|   Character handling functions, like isspace(3), expect a value representable as unsigned char or equal to EOF. Otherwise the behavior is undefined.
|   See https://wiki.sei.cmu.edu/confluence/display/c/STR37-C.+Arguments+to+character-handling+functions+must+be+representable+as+an+unsigned+char
* ci: add GCC 13 job with sanitizers | Christian Göttsche | 2023-08-07 | 1 | -0/+18
|