[Bug 263893] pam_exec.so in auth stack with expose_authtok option makes su segfault

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 10 May 2022 13:53:22 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263893

titus m <titus@edc.ro> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |titus@edc.ro

--- Comment #1 from titus m <titus@edc.ro> ---
From pam_exec(8):
expose_authtok
             Write the authentication token to the program's standard input
             stream, followed by a NUL character.  Ignored for
             pam_sm_setcred().


The problem is that it is not ignored.
When the code in _pam_exec() tries to retrieve the auth token while being called
from pam_sm_setcred, pam_get_item will set item to NULL; the PAM_AUTHTOK item is set
to NULL when pam_authenticate finishes.
Then a strlen is performed on NULL and it segfaults.

        if (options->use_first_pass ||
            strcmp(func, "pam_sm_setcred") == 0) {
                /* don't prompt, only expose existing token */
                rc = pam_get_item(pamh, PAM_AUTHTOK, &item);
                authtok = item;
        }
        ......
        authtok_size = strlen(authtok) + 1; // <= bombs here

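
The failure described in comment #1, with a guarded version of the size computation, as an added example that is not part of the bug report or of FreeBSD's pam_exec source. `model_handle`, `model_get_item`, `model_authenticate_done` and `authtok_size_checked` are hypothetical stand-ins so that it builds without libpam; the assumption is that the item lookup reports success even when the stored token is NULL.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the PAM pieces named in the report. */
enum { MODEL_SUCCESS = 0, MODEL_NO_TOKEN = 1 };

struct model_handle {
    const char *authtok;              /* models the PAM_AUTHTOK item */
};

/* Assumption: the lookup reports success even when the item is NULL. */
static int model_get_item(const struct model_handle *h, const void **item)
{
    *item = h->authtok;
    return MODEL_SUCCESS;
}

/* Models the state the report describes once authentication has finished. */
static void model_authenticate_done(struct model_handle *h)
{
    h->authtok = NULL;
}

/* Guarded size computation: test the return code and the pointer before strlen(). */
static int authtok_size_checked(const struct model_handle *h, size_t *size)
{
    const void *item = NULL;

    *size = 0;
    if (model_get_item(h, &item) != MODEL_SUCCESS || item == NULL)
        return MODEL_NO_TOKEN;        /* nothing to expose: skip the write */
    *size = strlen((const char *)item) + 1;   /* token plus trailing NUL */
    return MODEL_SUCCESS;
}

int main(void)
{
    struct model_handle h = { "constructed-token" };   /* constructed sample */
    size_t n;
    int rc = authtok_size_checked(&h, &n);

    printf("auth phase:    rc=%d size=%zu\n", rc, n);
    model_authenticate_done(&h);
    rc = authtok_size_checked(&h, &n);
    printf("setcred phase: rc=%d size=%zu\n", rc, n);
    return 0;
}
```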