Closed sbrahul closed 2 years ago
Which version are you using?
I really don't see how this is an error in the current release. If nothing is read from the file, it doesn't allocate any memory, and just returns an error.
Plus, if the configuration file is empty. the module won't do anything useful.
This bug report is essentially "I did something bad, and something bad happened". Well... don't do that.
The problem is that it's not returning an error. The process crashes. I am locked out of my system because the config file became empty. I agree that the config file shouldn't be empty, but that shouldn't cause me to lock me out of my system. The ssh/login process crashes. It doesn't even reach my backup pam_unix due to this.
You can answer Jorge's question, too.
This is not an issue in the recent release. If you're running something 5-10 years old, then the issue has already been fixed.
And if you misconfigure the system, bad things happen. So... don't do that.
I compiled from source with the latest code. And I found the problem using gdb. The code is calling fclose() twice causing an abort:
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7dce859 in __GI_abort () at abort.c:79
#2 0x00007ffff7e393ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7f63285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3 0x00007ffff7e4147c in malloc_printerr (str=str@entry=0x7ffff7f655d0 "free(): double free detected in tcache 2") at malloc.c:5347
#4 0x00007ffff7e430ed in _int_free (av=0x7ffff7f94b80 <main_arena>, p=0x55555555a690, have_lock=0) at malloc.c:4201
#5 0x00007ffff7e2e043 in _IO_deallocate_file (fp=0x55555555a6a0) at libioP.h:863
#6 _IO_new_fclose (fp=0x55555555a6a0) at iofclose.c:74
#7 0x00007ffff7fc0a8b in initialize (conf=0x7fffffffb850, accounting=0) at pam_radius_auth.c:892
#8 0x00007ffff7fc1a3f in pam_sm_authenticate (pamh=0x55555555a340, flags=0, argc=1, argv=0x55555555b8b0) at pam_radius_auth.c:134
When the file is empty, there is an fclose in line 869 and then again in 892 causing a crash:
753 fp = fopen (conf->conf_file, "r");
(gdb) n
754 if (!fp) {
(gdb)
762 conf->server = NULL;
(gdb)
763 last = &conf->server;
(gdb)
768 while (!feof(fp) && (fgets (buffer, sizeof(buffer), fp) != NULL) && (!ferror(fp))) {
(gdb)
869 fclose(fp);
(gdb) n
871 if (!conf->server) { /* no server found, die a horrible death */
(gdb)
872 _pam_log(LOG_ERR, "No RADIUS server found in configuration file %s\n",
(gdb)
874 goto error;
(gdb)
892 fclose(fp);
Performing an fclose() at 896 should ideally set the fp to NULL and then at line 892 should check for NULL before closing again.
When the configuration file (/etc/pam_radius_auth.conf) file is empty, looks like there is a double free and that causes an abort. Here is the error message:
I have faced this issue in both a real scenario and when testing using pamtester.