From roth@segfault.cso.uiuc.edu Thu Mar 9 12:37:55 2000
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2])
by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id MAA11162
for <bugs@RT-11.MIT.EDU>; Thu, 9 Mar 2000 12:37:51 -0500 (EST)
Received: from segfault.cso.uiuc.edu by MIT.EDU with SMTP
id AA01587; Thu, 9 Mar 00 12:37:33 EST
Received: (from roth@localhost)
by segfault.cso.uiuc.edu (8.10.0/8.10.0) id e29HbZf35468;
Thu, 9 Mar 2000 11:37:35 -0600
Message-Id: <20000309113734.A15932@segfault.cso.uiuc.edu>
Date: Thu, 9 Mar 2000 11:37:34 -0600
From: "Mark D. Roth" <roth@uiuc.edu>
To: krbdev@MIT.EDU, krb5-bugs@MIT.EDU
Subject: AIX 4.2.1 bug
State-Changed-From-To: open-closed
State-Changed-By: tlyu
State-Changed-When: Tue Apr 18 20:13:00 2000
State-Changed-Why:
fixed by raeburn
Content-Type: text/plain; charset=us-ascii
There's a subtle but potentially serious bug in the AIX-specific
section of the login.krb5 code which can cause a user to be logged in
as a user other than himself. We only discovered the problem by using
some custom code modifications, but it's definitely a potential
problem in the login.krb5 code which should be fixed.
The problem is that the global pwd value is set early on to point to
the user's passwd entry, then the AIX getuserattr() function is
called, and then the value of pwd is used again afterwards. However,
getuserattr() is unsafe to use in conjunction with the getpwent()
routines (presumably because it uses the same static memory location).
From the AIX getuserattr() manpage:
Attention: These subroutines and the setpwent and setgrent subroutines
should not be used simultaneously. The results can be unpredictable.
I've attached a patch relative to krb5-1.0.6 which fixes this problem,
but it looks like the problem still exists in 1.1.1 as well.
Please let me know if you have any questions or problems.
--
Mark D. Roth <roth@uiuc.edu>
System Administrator, CCSO Production Systems Group
http://www.uiuc.edu/ph/www/roth
--d6Gm4EdcadzBjdND
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="krb5-1.0.6-aix-fixes.diff"
--- krb5-1.0.6/src/appl/bsd/login.c Mon Mar 6 21:49:22 2000
+++ krb5-1.0.6-orig/src/appl/bsd/login.c Mon Mar 6 21:50:14 2000
@@ -2531,9 +2531,21 @@
#ifdef _IBMR2
update_ref_count(int adj)
{
+ struct passwd *save_pwd;
static char *empty = "\0";
char *grp;
int i;
+
+ /* save pwd before calling getuserattr() */
+ save_pwd = (struct passwd *)malloc(sizeof(struct passwd));
+ save_pwd->pw_name = strdup(pwd->pw_name);
+ save_pwd->pw_passwd = strdup(pwd->pw_passwd);
+ save_pwd->pw_uid = pwd->pw_uid;
+ save_pwd->pw_gid = pwd->pw_gid;
+ save_pwd->pw_gecos = strdup(pwd->pw_gecos);
+ save_pwd->pw_dir = strdup(pwd->pw_dir);
+ save_pwd->pw_shell = strdup(pwd->pw_shell);
+ pwd = save_pwd;
/* Update reference count on all user's temporary groups */
setuserdb(S_READ|S_WRITE);
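Review bot: the two file headers are reversed: `---` names the modified tree `krb5-1.0.6/src/appl/bsd/login.c` and `+++` names `krb5-1.0.6-orig/...`, so `patch` applied forward removes the fix instead of adding it; swap the two lines or note that it must be applied with `-R`. Within the hunk, `malloc()` and every `strdup()` are used unchecked: a failed allocation dereferences NULL at `save_pwd->pw_name = strdup(pwd->pw_name);`, and a NULL string field (pw_gecos or pw_passwd can be NULL on some systems) crashes inside strdup(); check each result and abort the login on failure rather than continue with a partial copy. Also, because `pwd = save_pwd;` replaces the global on every call, a second call to update_ref_count() copies the previous heap copy and leaks the earlier one; a single static `struct passwd` filled once before the getuserattr() call avoids the leak and needs no malloc at all.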
--d6Gm4EdcadzBjdND--
>Number: 831
>Category: pending
>Synopsis: AIX 4.2.1 bug
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: gnats-admin
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Mar 9 12:38:00 EST 2000
>Last-Modified: Tue Apr 18 20:13:12 EDT 2000
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted: