Skip to content

src/sulogin.c: Free previously allocated memory #908

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
hallyn merged 1 commit into from
Jan 22, 2024
Merged

src/sulogin.c: Free previously allocated memory #908

hallyn merged 1 commit into from
Jan 22, 2024

Conversation

@ferivoz
Copy link
Contributor

@ferivoz ferivoz commented Jan 17, 2024

The sulogin program calls pw_entry in a loop while incorrect root passwords are entered.

Free the previously allocated memory to avoid memory exhaustion.

Proof of Concept (compile with -fsanitize=address):

Run sulogin and enter wrong root passwords multiple times. Then press CTRL+D. You can see as many direct leaks as wrong passwords have been entered.

@ferivoz
Copy link
Contributor Author

ferivoz commented Jan 17, 2024

It would be nice if pw_entry could be moved into sulogin.c because no other program uses it. Also, sulogin.c could be refactored to remove its global variables.

Is there interest in this for another pull request?

@alejandro-colomar
Copy link
Collaborator

alejandro-colomar commented Jan 17, 2024 

Reviewed-by: Alejandro Colomar <alx@kernel.org>

alejandro-colomar
alejandro-colomar reviewed Jan 17, 2024
View reviewed changes
@hallyn
Copy link
Member

hallyn commented Jan 17, 2024

It would be nice if pw_entry could be moved into sulogin.c because no other program uses it.

That would be good to do if we're doing this patch, because here we are depending
on the pwent being zeroed out at the start, else we'll start freeing random values.
So best not to make it seem like "just anyone" can use it.

Alternatively, we could introduce a pw_init() function which zeroes the pwent at the
top of the loop.

Also, sulogin.c could be refactored to remove its global variables.

This patch is depending on pwent being in BSS so it starts out zeroed. So don't just
move its definition into main or into the while loop without accounting for that.

Anyway, I'll note that while this 'out of memory' is not a security issue (since this
is only in sulogin, not in general library code), risking freeing uninitialized memory
is. So let's be careful with this. We've had unexpected side effects in the past from
over-zealous attempts at freeing memory in programs where it just didn't matter.

alejandro-colomar added a commit to alejandro-colomar/shadow that referenced this pull request Jan 17, 2024
@alejandro-colomar
lib/, src/, po/: pw_entry(): Move function to src/sulogin.c
a59d916 
That's the only file where it's called, and it's a delicate function.
Reduce the chances that other files call it.

Link: <shadow-maint#908>
Suggested-by: Samanta Navarro <ferivoz@riseup.net>
Cc: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
@alejandro-colomar alejandro-colomar mentioned this pull request Jan 17, 2024
Merged
alejandro-colomar added a commit to alejandro-colomar/shadow that referenced this pull request Jan 17, 2024
@alejandro-colomar
lib/, src/, po/: pw_entry(): Move function to src/sulogin.c
d8be2c7 
That's the only file where it's called, and it's a delicate function.
Reduce the chances that other files call it.

Link: <shadow-maint#908>
Suggested-by: Samanta Navarro <ferivoz@riseup.net>
Cc: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
alejandro-colomar added a commit to alejandro-colomar/shadow that referenced this pull request Jan 17, 2024
@alejandro-colomar
lib/, src/, po/: pw_entry(): Move function to src/sulogin.c
d6b1dc5 
That's the only file where it's called, and it's a delicate function.
Reduce the chances that other files call it.

Link: <shadow-maint#908>
Suggested-by: Samanta Navarro <ferivoz@riseup.net>
Cc: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
hallyn pushed a commit that referenced this pull request Jan 18, 2024
@alejandro-colomar @hallyn
lib/, src/, po/: pw_entry(): Move function to src/sulogin.c
8679878 
That's the only file where it's called, and it's a delicate function.
Reduce the chances that other files call it.

Link: <#908>
Suggested-by: Samanta Navarro <ferivoz@riseup.net>
Cc: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
@ferivoz ferivoz changed the title lib/entry.c: Free previously allocated memory src/sulogin.c: Free previously allocated memory Jan 18, 2024
@ferivoz
Copy link
Contributor Author

ferivoz commented Jan 18, 2024

Rebased on current master. Thank you for refactoring the mentioned parts @alejandro-colomar!

@alejandro-colomar
Copy link
Collaborator

alejandro-colomar commented Jan 18, 2024

Thank you!

Signed-off-by: Alejandro Colomar <alx@kernel.org>

@alejandro-colomar
Copy link
Collaborator

alejandro-colomar commented Jan 21, 2024

Oh, you should probably keep the Co-authored-by (or Co-developed-by, as you prefer) line next to the signed-off-by. :)

https://www.kernel.org/doc/html/latest/process/submitting-patches.html?highlight=signed%20off#when-to-use-acked-by-cc-and-co-developed-by

@ferivoz
src/sulogin.c: Free previously allocated memory
c2d0a7b 
The sulogin program calls pw_entry in a loop while incorrect root
passwords are entered.

Free the previously allocated memory to avoid memory exhaustion.

Co-developed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
@hallyn hallyn merged commit 4d835c7 into shadow-maint:master Jan 22, 2024
@hallyn
Copy link
Member

hallyn commented Jan 22, 2024

It would be nice, if anyone feels included to do more with this code, to replace void pw_entry() with int pw_entry() which returns error if we run out of memory.

Furthermore, given doc/HOWTO note on AUTOSHADOW, which is referenced in this hunk, it seems like we ought to also drop that, and just refuse to compile if AUTOSHADOW is set.

@alejandro-colomar
Copy link
Collaborator

alejandro-colomar commented Jan 22, 2024
edited
Loading

It would be nice, if anyone feels included to do more with this code, to replace void pw_entry() with int pw_entry() which returns error if we run out of memory.

Yup, I had this in my plans. @hallyn

Furthermore, given doc/HOWTO note on AUTOSHADOW, which is referenced in this hunk, it seems like we ought to also drop that, and just refuse to compile if AUTOSHADOW is set.

I don't even know what AUTOSHADOW is. I've been seeing that thing and trying to ignore it. :D
I'll have a look.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alejandro-colomar alejandro-colomar alejandro-colomar approved these changes

@hallyn hallyn hallyn approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ferivoz @alejandro-colomar @hallyn