bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-13 08:50 UTC
[Bug 1794] New: sshd segfault when calling pam_authenticate() in pam_unix module which has option "try_first_pass"
https://bugzilla.mindrot.org/show_bug.cgi?id=1794
Summary: sshd segfault when calling pam_authenticate() in
pam_unix module which has option "try_first_pass"
Product: Portable OpenSSH
Version: 5.5p1
Platform: HPPA
OS/Version: HP-UX
Status: NEW
Severity: critical
Priority: P2
Component: PAM support
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: bitman.zhou at centrify.com
OS: HP-UX hpux23 B.11.23 U 9000/785 2009445268 unlimited-user license
GCC: gcc version 4.4.3 (GCC), downloaded from HP's website
pam.conf:
sshd auth required libpam_hpsec.so.1
sshd auth required libpam_unix.so.1 try_first_pass
No such issue if no option "try_first_pass" or with option
"get_first_pass".
------- gdb trace -----
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
Program received signal SIGSEGV, Segmentation fault
si_code: 0 - SEGV_UNKNOWN - Unknown Error.
0x7af6a57c in crypt+0x154 () from /usr/lib/libc.2
(gdb) bt
#0 0x7af6a57c in crypt+0x154 () from /usr/lib/libc.2
#1 0x7ab9b928 in pwd_crypt+0x2c () from
/usr/lib/security/libpam_unix.so.1
#2 0x7ab90f40 in <unknown_procedure> + 0x1c0 () from
/usr/lib/security/libpam_unix.so.1
#3 0x7ab90910 in pam_sm_authenticate+0x588 () from
/usr/lib/security/libpam_unix.so.1
#4 0x7abd02ac in pam_authenticate+0xd0 () from /usr/lib/libpam.1
#5 0x26934 in sshpam_auth_passwd (authctxt=0x400118d8,
password=0x73745f72 <Error reading address 0x73745f72: Bad address>)
at auth-pam.c:1208
#6 0xced4 in auth_password (authctxt=0x6, password=0x72656164 <Error
reading address 0x72656164: Bad address>)
at auth-passwd.c:116
#7 0x20f38 in mm_answer_authpassword (sock=1073813720, m=0x400039fc)
at monitor.c:740
#8 0x21734 in monitor_read (pmonitor=0x40011920, ent=0x40001600,
pent=0x5b800) at monitor.c:493
#9 0x21b98 in monitor_child_preauth (_authctxt=0x40008f40,
pmonitor=0x40017b48) at monitor.c:369
#10 0xbdfc in main (ac=2139031728, av=0x40001684) at sshd.c:641
(gdb)
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
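A check for the configuration described in the report above, as an added example that is not part of the bug report or of OpenSSH. It assumes the five-field pam.conf layout shown in the report (service, type, control flag, module, options); `find_try_first_pass` and `make_sample` are hypothetical names, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: list PAM auth entries that match the configuration the
# reporter says triggers the crash (libpam_unix with "try_first_pass").

# Usage: find_try_first_pass FILE [SERVICE]
# Prints "LINE_NO: entry" for each matching entry; prints nothing if none.
find_try_first_pass() {
    awk -v svc="${2:-sshd}" '
        { sub(/#.*/, "") }                 # drop full-line and trailing comments
        NF < 4 { next }                    # not a complete pam.conf entry
        $1 == svc && $2 == "auth" && $4 ~ /libpam_unix\.so/ {
            for (i = 5; i <= NF; i++)      # options start at field 5
                if ($i == "try_first_pass") { print FNR ": " $0; break }
        }
    ' "$1"
}

# Constructed sample; the two active sshd auth lines are the ones quoted
# in the report, the rest are made up to exercise the filter.
make_sample() {
    cat <<'EOF'
# constructed sample pam.conf
login auth required libpam_unix.so.1 try_first_pass
sshd auth required libpam_hpsec.so.1
sshd auth required libpam_unix.so.1 try_first_pass
#sshd auth required libpam_unix.so.1 try_first_pass
sshd account required libpam_unix.so.1
EOF
}

sample=$(mktemp)
make_sample > "$sample"
find_try_first_pass "$sample"
rm -f "$sample"
```

On a real host the first argument would be the system's pam.conf; an empty result means no entry for that service matches the reported configuration.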
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-13 08:55 UTC
[Bug 1794] sshd segfault when calling pam_authenticate() in pam_unix module which has option "try_first_pass"
https://bugzilla.mindrot.org/show_bug.cgi?id=1794
--- Comment #1 from Bitman Zhou <bitman.zhou at centrify.com> ---
It seems that libpam on HP-UX needs to be linked with the "-Z" option. The
patch below can fix this issue.
-bash-4.0$ diff -rc Makefile.in.orig Makefile.in
*** Makefile.in.orig Tue Jul 13 16:52:31 2010
--- Makefile.in Tue Jul 13 16:53:23 2010
***************
*** 4,9 ****
--- 4,10 ----
#SHELL = @SH@
AUTORECONF=autoreconf
+ PLATFORM := $(shell uname)
prefix=@prefix@
exec_prefix=@exec_prefix@
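Review bot: the added line "PLATFORM := $(shell uname)" relies on GNU make syntax (the := assignment and the $(shell ...) function), so Makefile.in would no longer work with a non-GNU make such as a vendor's native one. It also detects the platform by running uname on the build machine at make time instead of using the host that configure already determined. Suggest dropping this variable and having configure substitute an HP-UX-specific linker flag instead.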
***************
*** 142,148 ****
--- 143,153 ----
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat
$(LIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
+ ifeq (${PLATFORM},HP-UX)
+ $(LD) -o $@ $(SSHDOBJS) -Wl,-Z $(LDFLAGS) -lssh
-lopenbsd-compat $(SSHDLIBS) $(LIBS)
+ else
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat
$(SSHDLIBS) $(LIBS)
+ endif
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh
-lopenbsd-compat $(LIBS)
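Review bot: the "-Wl,-Z" added to the sshd link line has no comment or explanation of what the flag does or why HP-UX needs it, and it is applied to every HP-UX build of sshd whether or not PAM is in use. The ifeq/else/endif wrapper is GNU make only, and it duplicates the whole link command for a one-flag difference. Suggest a single link rule with the extra flag carried in a variable set by configure for the affected platform, plus a note stating the flag's effect on the resulting binary so the trade-off can be reviewed.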
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-19 03:11 UTC
[Bug 1794] sshd segfault when calling pam_authenticate() in pam_unix module which has option "try_first_pass"
https://bugzilla.mindrot.org/show_bug.cgi?id=1794
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
Blocks| |1708
--- Comment #2 from Darren Tucker <dtucker at zip.com.au> ---
What does the -Z option on HP-UX actually do and why does it help in
this case? If it's really needed, the correct place to put it is in
the hpux section of configure.ac.
bugzilla-daemon at bugzilla.mindrot.org
2010-Aug-03 05:30 UTC
[Bug 1794] sshd segfault when calling pam_authenticate() in pam_unix module which has option "try_first_pass"
https://bugzilla.mindrot.org/show_bug.cgi?id=1794
--- Comment #3 from Darren Tucker <dtucker at zip.com.au> ---
OK, so the manual page says:
" -Z
Allow run-time dereferencing of null pointers. See the discussions
of -Z and pointers in cc(1). (This is the complement of the -z
option.)"
There's a related GCC bug
(http://gcc.gnu.org/bugzilla/show_bug.cgi?id=33548) which says
"There is a patch for libpam which should fix the
null pointer reference available from HP. It is HP patch PHCO_37076."
It looks like this is purely a bug in HP-UX's libpam.
bugzilla-daemon at bugzilla.mindrot.org
2010-Aug-03 05:47 UTC
[Bug 1794] sshd segfault when calling pam_authenticate() in pam_unix module which has option "try_first_pass"
https://bugzilla.mindrot.org/show_bug.cgi?id=1794
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |WONTFIX
--- Comment #4 from Darren Tucker <dtucker at zip.com.au> ---
We don't like to work around things that are clearly vendor bugs and for which
patches exist. We've decided not to change this, in part because we're
concerned that it might enable an exploit that would otherwise not be
possible due to a null pointer deref.
Thanks anyway, and sorry.
bugzilla-daemon at bugzilla.mindrot.org
2010-Aug-27 00:28 UTC
[Bug 1794] sshd segfault when calling pam_authenticate() in pam_unix module which has option "try_first_pass"
https://bugzilla.mindrot.org/show_bug.cgi?id=1794
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #5 from Darren Tucker <dtucker at zip.com.au> ---
With the release of OpenSSH 5.6p1 this bug is now considered closed.
If you have further problems please reopen or file a new bug as
appropriate.