You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
If util-linux is configured with a plain ./configure, agetty crashes.
The reason is simple:
If ./configure is called without --with-vendordir=DIR on a system with libeconf, econf_readDirs is called with dist_conf_dir being NULL.
econf_readDirs called with dist_conf_dir=NULL crashes, as the code code does not check for NULL before calling strdup(). And strdup() does not sanitize NULL as well.
Reading the code, the same is apparently valid for etc_conf_dir.
And there are more occurrences of unsanitized strdup() calls on directory names in libeconf-0.7.2.
Either document that dist_conf_dir nor etc_conf_dir could not be NULL or perform sanity checks and provide a reasonable fallback.
In the first case, the bug will be moved to util-linux.
#0 __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex-base.S:81
#1 0x00007f06d54aa752 in __GI___strdup (s=s@entry=0x0) at strdup.c:41
#2 0x00007f06d56fa26b in econf_readDirs (comment=0x41260f "#", delim=0x412601 "= \t", config_suffix=0x412605 "defs", config_name=0x412537 "login", etc_conf_dir=0x41260a "/etc",
dist_conf_dir=0x0, result=0x41b630 <file>) at ../lib/libeconf.c:510
#3 econf_readDirs (result=result@entry=0x41b630 <file>, dist_conf_dir=dist_conf_dir@entry=0x0, etc_conf_dir=etc_conf_dir@entry=0x41260a "/etc",
config_name=config_name@entry=0x412537 "login", config_suffix=config_suffix@entry=0x412605 "defs", delim=delim@entry=0x412601 "= \t", comment=0x41260f "#") at ../lib/libeconf.c:495
#4 0x0000000000409a18 in load_defaults () at lib/logindefs.c:257
#5 0x0000000000409cb5 in getlogindefs_bool (name=name@entry=0x41241a "LOGIN_PLAIN_PROMPT", dflt=dflt@entry=0) at lib/logindefs.c:326
#6 0x0000000000406b11 in main (argc=<optimized out>, argv=<optimized out>) at term-utils/agetty.c:490
(gdb) up
#1 0x00007f06d54aa752 in __GI___strdup (s=s@entry=0x0) at strdup.c:41
41 size_t len = strlen (s) + 1;
(gdb) up
#2 0x00007f06d56fa26b in econf_readDirs (comment=0x41260f "#", delim=0x412601 "= \t", config_suffix=0x412605 "defs", config_name=0x412537 "login", etc_conf_dir=0x41260a "/etc",
dist_conf_dir=0x0, result=0x41b630 <file>) at ../lib/libeconf.c:510
510 (*result)->parse_dirs[0] = strdup(dist_conf_dir);
(gdb) l
505 return ret;
506
507 (*result)->parse_dirs_count = 2;
508 (*result)->parse_dirs = calloc((*result)->parse_dirs_count+1, sizeof(char *));
509 (*result)->parse_dirs[(*result)->parse_dirs_count] = NULL;
510 (*result)->parse_dirs[0] = strdup(dist_conf_dir);
511 (*result)->parse_dirs[1] = strdup(etc_conf_dir);
512
513 return readConfigWithCallback(result,
514 config_name,
(gdb) p dist_conf_dir
$1 = 0x0```
The text was updated successfully, but these errors were encountered:
If util-linux is configured with a plain ./configure, agetty crashes.
The reason is simple:
If ./configure is called without --with-vendordir=DIR on a system with libeconf, econf_readDirs is called with dist_conf_dir being NULL.
econf_readDirs called with dist_conf_dir=NULL crashes, as the code code does not check for NULL before calling strdup(). And strdup() does not sanitize NULL as well.
Reading the code, the same is apparently valid for etc_conf_dir.
And there are more occurrences of unsanitized strdup() calls on directory names in libeconf-0.7.2.
Either document that dist_conf_dir nor etc_conf_dir could not be NULL or perform sanity checks and provide a reasonable fallback.
In the first case, the bug will be moved to util-linux.
The text was updated successfully, but these errors were encountered: