Originally reported downstream in Gentoo at https://bugs.gentoo.org/939446. PAM seems to fail its pam_deny test for 32-bit.

The relevant code was added in e24902f409994f226dbc6fde2476009df452a18f ('ungetc: Fix backup buffer leak on program exit [BZ #27821]').

Summarising my notes from over there:
```
/var/tmp/portage/sys-libs/pam-1.6.1/work/Linux-PAM-1.6.1-abi_x86_32.x86/modules/pam_deny # libtool --mode=execute gdb --args ./tst-pam_deny-retval
Program received signal SIGSEGV, Segmentation fault.
0xf7da1312 in _IO_unbuffer_all () at genops.c:822
822 if (fp->_mode > 0 && _IO_have_wbackup (fp))
(gdb) bt
#0 0xf7da1312 in _IO_unbuffer_all () at genops.c:822
#1 _IO_cleanup () at genops.c:885
#2 0xf7d495b8 in __run_exit_handlers (status=<optimized out>, listp=<optimized out>, run_list_atexit=<optimized out>, run_dtors=<optimized out>) at exit.c:129
#3 0xf7d49613 in __GI_exit (status=0) at exit.c:138
#4 0xf7d293d3 in __libc_start_call_main (main=main@entry=0x56556e50 <main>, argc=argc@entry=1, argv=argv@entry=0xffffd314) at ../sysdeps/nptl/libc_start_call_main.h:74
#5 0xf7d29499 in __libc_start_main_impl (main=0x56556e50 <main>, argc=1, argv=0xffffd314, init=0x0, fini=0x0, rtld_fini=0xf7fca2e0 <_dl_fini>, stack_end=0xffffd30c) at ../csu/libc-start.c:360
#6 0x56556d27 in _start ()
```

```
0xf7da1312 in _IO_unbuffer_all () at genops.c:822
822 if (fp->_mode > 0 && _IO_have_wbackup (fp))
(gdb) p fp
$1 = (FILE *) 0xf7f6b700 <_IO_stdin_>
(gdb) p fp->_mode
$2 = 1
(gdb) p *fp
$3 = {_flags = -72540024, _IO_read_ptr = 0x0, _IO_read_end = 0x0, _IO_read_base = 0x0, _IO_write_base = 0x0, _IO_write_ptr = 0x0,
  _IO_write_end = 0x0, _IO_buf_base = 0x0, _IO_buf_end = 0x0, _IO_save_base = 0x0, _IO_backup_base = 0x0, _IO_save_end = 0x0,
  _markers = 0x0, _chain = 0x0, _fileno = 0, _flags2 = 0, _old_offset = -1, _cur_column = 0, _vtable_offset = -72 '\270',
  _shortbuf = "", _lock = 0xf7f6c8d0 <_IO_stdfile_0_lock>, _offset = 4160138104, _codecvt = 0x0, _wide_data = 0x0, _freeres_list = 0x0,
  _freeres_buf = 0x0, _prevchain = 0x0, _mode = 1, _unused2 = "\030\244UV", '\000' <repeats 35 times>}
(gdb) call _IO_have_wbackup(fp)
Cannot access memory at address 0x24
```

```
(gdb) info macro _IO_have_wbackup
Defined at /usr/src/debug/sys-libs/glibc-2.40-r1/glibc-2.40/libio/libioP.h:581
  included at /usr/src/debug/sys-libs/glibc-2.40-r1/glibc-2.40/libio/genops.c:29
#define _IO_have_wbackup(fp) ((fp)->_wide_data->_IO_backup_base != NULL)
(gdb) p fp->_wide_data
$4 = (struct _IO_wide_data *) 0x0
(gdb) p fp->_IO_backup_base
$5 = 0x0
```

(In reply to Sam James from comment #4)
> ```
> 0xf7da1312 in _IO_unbuffer_all () at genops.c:822
> 822 if (fp->_mode > 0 && _IO_have_wbackup (fp))
> [...]

This was introduced in https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=e24902f409994f226dbc6fde2476009df452a18f. We pulled in this commit in sys-libs/glibc-2.40-r1 as it's on release/2.40/master.
I'm not likely to reduce this tonight. I might have time tomorrow but I need to do some prep for cauldron still.
ae4d44b1d501421ad9a3af95279b8f4d1546f1ce ('libio: Attempt wide backup free only for non-legacy code') isn't on the branch.
(In reply to Sam James from comment #2)
> ae4d44b1d501421ad9a3af95279b8f4d1546f1ce ('libio: Attempt wide backup free
> only for non-legacy code') isn't on the branch.

... and indeed it fixes it.
Thanks for doing the backports!
Sam, do you think we can close this? Thanks.
I think we're good now. Many thanks.