Skip Menu |
 

From: Erik Sjölund <erik.sjolund@gmail.com>
Date: Sun, 1 Apr 2018 16:22:19 +0200
Subject: ksu segfaults when argc == 0
To: krb5-bugs@mit.edu
Programs are generally started with argc >= 1,
but it is possible to start a program with an
empty argv (i.e. argc == 0).

Current behaviour:
ksu segfaults when started with argc == 0.

Expected behaviour:
I would expect ksu to just exit with an error
instead.

Here is a demonstration of the segmentation fault:

user@laptop:/tmp$ cat /etc/issue
Ubuntu 17.10 \n \l

user@laptop:/tmp$ cat main.cc
#include <unistd.h>
int main() {
char* arr[] = {nullptr};
execv("/usr/bin/ksu", arr);
}
user@laptop:/tmp$ g++ -std=c++11 -o /tmp/start main.cc
user@laptop:/tmp$ /tmp/start
Segmentation fault (core dumped)
user@laptop:/tmp$

Best regards,
Erik Sjölund
I think just about all of the programs in the krb5 source tree will seg
fault when argc is 0, and I'm generally not concerned about that. It
might make sense for ksu to be careful because it's setuid, although I
don't think getting a setuid program to perform a null dereference
constitutes a vulnerability (I don't think operating systems allow
setuid programs to dump core, for instance).
From: Tavis Ormandy <taviso@google.com>
Date: Tue, 24 Apr 2018 11:34:53 -0400
Subject: minor bug in ksu
To: krb5-bugs@mit.edu
CC: Thomas Dullien <thomasdullien@google.com>
Hello, I was looking at ksu and noticed this code from src/clients/ksu/main.c in the 1.16 distribution assumes that argc cannot be zero, but at least on Linux that is not true - if you pass NULL for argv to execve(), argc will be zero.

        target_user = xstrdup(argv[1]);
        pargc = argc -1;

        if ((pargv =(char **) calloc(pargc +1,sizeof(char *)))==NULL){
            com_err(prog_name, errno, _("while allocating memory"));
            exit(1);
        }

        pargv[pargc] = NULL;
        pargv[0] = argv[0];

        for(i =1; i< pargc; i ++){
            pargv[i] = argv[i + 1];
        }
    }

I think this will just crash, because of the strdup(NULL), but if that succeeds on any platform this code will write NULL to pargv[-1], causing heap corruption.

(on linux execve("/usr/bin/ksu", NULL, NULL) will make argc zero, if you want to test)

Thanks, Tavis.
If argc is 0, ksu should crash with a null dereference at line 144
where it does strlen() on argv[0]. I believe that happens with every
program in the MIT krb5 tree, but we have received reports of argc == 0
issues specifically for ksu twice this month, which seems odd. Out of
curiosity, can you explain how you arrived at this issue?
From: Tavis Ormandy <taviso@google.com>
Date: Tue, 24 Apr 2018 13:38:37 -0400
Subject: Re: [krbdev.mit.edu #8671] minor bug in ksu
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
No reason, just looking at the code for setuid root programs installed in RHEL.

On Tue, Apr 24, 2018 at 12:50 PM, Greg Hudson via RT <rt-comment@krbdev.mit.edu> wrote:
Show quoted text
If argc is 0, ksu should crash with a null dereference at line 144
where it does strlen() on argv[0].  I believe that happens with every
program in the MIT krb5 tree, but we have received reports of argc == 0
issues specifically for ksu twice this month, which seems odd.  Out of
curiosity, can you explain how you arrived at this issue?

From: Tavis Ormandy <taviso@google.com>
Date: Tue, 24 Apr 2018 13:38:37 -0400
Subject: Re: [krbdev.mit.edu #8671] minor bug in ksu
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
No reason, just looking at the code for setuid root programs installed in RHEL.

On Tue, Apr 24, 2018 at 12:50 PM, Greg Hudson via RT <rt-comment@krbdev.mit.edu> wrote:
Show quoted text
If argc is 0, ksu should crash with a null dereference at line 144
where it does strlen() on argv[0].  I believe that happens with every
program in the MIT krb5 tree, but we have received reports of argc == 0
issues specifically for ksu twice this month, which seems odd.  Out of
curiosity, can you explain how you arrived at this issue?

From: ghudson@mit.edu
Subject: git commit

Check for zero argc in ksu

Most programs in the tree will perform a null dereference when argc is
zero, but as a setuid program ksu should be extra careful about memory
errors, even if this one is harmless. Check and exit with status 1
immediately.

https://github.com/krb5/krb5/commit/c5b0a998d6349f8c90821a347db5666aed0e50eb
Author: Greg Hudson <ghudson@mit.edu>
Commit: c5b0a998d6349f8c90821a347db5666aed0e50eb
Branch: master
src/clients/ksu/main.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
From: Erik Sjölund <erik.sjolund@gmail.com>
Date: Tue, 24 Apr 2018 23:20:32 +0200
Subject: Re: [krbdev.mit.edu #8661] git commit
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
CC: taviso@google.com
RT-Send-Cc:
A comment regarding the git commit:

https://github.com/krb5/krb5/commit/c5b0a998d6349f8c90821a347db5666aed0e50eb

The check for argc == 0 happens after the first use of argv[0].
Why not place the if statement right in the start of main()?

On Tue, Apr 24, 2018 at 10:10 PM, Greg Hudson via RT
<rt-comment@krbdev.mit.edu> wrote:
Show quoted text
>
> Check for zero argc in ksu
>
> Most programs in the tree will perform a null dereference when argc is
> zero, but as a setuid program ksu should be extra careful about memory
> errors, even if this one is harmless. Check and exit with status 1
> immediately.
>
> https://github.com/krb5/krb5/commit/c5b0a998d6349f8c90821a347db5666aed0e50eb
> Author: Greg Hudson <ghudson@mit.edu>
> Commit: c5b0a998d6349f8c90821a347db5666aed0e50eb
> Branch: master
> src/clients/ksu/main.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
From: Erik Sjölund <erik.sjolund@gmail.com>
Date: Tue, 24 Apr 2018 23:20:32 +0200
Subject: Re: [krbdev.mit.edu #8661] git commit
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
CC: taviso@google.com
RT-Send-Cc:
A comment regarding the git commit:

https://github.com/krb5/krb5/commit/c5b0a998d6349f8c90821a347db5666aed0e50eb

The check for argc == 0 happens after the first use of argv[0].
Why not place the if statement right in the start of main()?

On Tue, Apr 24, 2018 at 10:10 PM, Greg Hudson via RT
<rt-comment@krbdev.mit.edu> wrote:
Show quoted text
>
> Check for zero argc in ksu
>
> Most programs in the tree will perform a null dereference when argc is
> zero, but as a setuid program ksu should be extra careful about memory
> errors, even if this one is harmless. Check and exit with status 1
> immediately.
>
> https://github.com/krb5/krb5/commit/c5b0a998d6349f8c90821a347db5666aed0e50eb
> Author: Greg Hudson <ghudson@mit.edu>
> Commit: c5b0a998d6349f8c90821a347db5666aed0e50eb
> Branch: master
> src/clients/ksu/main.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
You're right; I thought I checked for prior uses but I guess I missed
them. Those uses of argv[0] are conditional and shouldn't actually
cause null dereferences if argv[0] is NULL, but given that they are
there, the check should be moved upwards.
From: ghudson@mit.edu
Subject: git commit

Move zero argc check earlier in ksu

For improved auditability, check for a zero argc value earlier in
main() so that the first two calls to com_err() can't pass a NULL
whoami value--which would be harmless, but that may not be obvious to
a reader.

https://github.com/krb5/krb5/commit/e1b5b824f5d7388a67d0854b56d3906c4fbdd778
Author: Greg Hudson <ghudson@mit.edu>
Commit: e1b5b824f5d7388a67d0854b56d3906c4fbdd778
Branch: master
src/clients/ksu/main.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
From: Erik Sjölund <erik.sjolund@gmail.com>
Date: Thu, 26 Apr 2018 17:27:04 +0200
Subject: Re: [krbdev.mit.edu #8661] git commit
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
CC: Tavis Ormandy <taviso@google.com>
RT-Send-Cc:
Thanks!
That makes it easier to read the code.


On Thu, Apr 26, 2018 at 5:22 PM, Greg Hudson via RT
<rt-comment@krbdev.mit.edu> wrote:
Show quoted text
>
> Move zero argc check earlier in ksu
>
> For improved auditability, check for a zero argc value earlier in
> main() so that the first two calls to com_err() can't pass a NULL
> whoami value--which would be harmless, but that may not be obvious to
> a reader.
>
> https://github.com/krb5/krb5/commit/e1b5b824f5d7388a67d0854b56d3906c4fbdd778
> Author: Greg Hudson <ghudson@mit.edu>
> Commit: e1b5b824f5d7388a67d0854b56d3906c4fbdd778
> Branch: master
> src/clients/ksu/main.c | 5 +++--
> 1 files changed, 3 insertions(+), 2 deletions(-)
>
From: Erik Sjölund <erik.sjolund@gmail.com>
Date: Thu, 26 Apr 2018 17:27:04 +0200
Subject: Re: [krbdev.mit.edu #8661] git commit
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
CC: Tavis Ormandy <taviso@google.com>
RT-Send-Cc:
Thanks!
That makes it easier to read the code.


On Thu, Apr 26, 2018 at 5:22 PM, Greg Hudson via RT
<rt-comment@krbdev.mit.edu> wrote:
Show quoted text
>
> Move zero argc check earlier in ksu
>
> For improved auditability, check for a zero argc value earlier in
> main() so that the first two calls to com_err() can't pass a NULL
> whoami value--which would be harmless, but that may not be obvious to
> a reader.
>
> https://github.com/krb5/krb5/commit/e1b5b824f5d7388a67d0854b56d3906c4fbdd778
> Author: Greg Hudson <ghudson@mit.edu>
> Commit: e1b5b824f5d7388a67d0854b56d3906c4fbdd778
> Branch: master
> src/clients/ksu/main.c | 5 +++--
> 1 files changed, 3 insertions(+), 2 deletions(-)
>