Bug 11771 - Changing the password of another user as root causes 'passwd' to crash
Summary: Changing the password of another user as root causes 'passwd' to crash
Status: RESOLVED FIXED
Alias: None
Product: Busybox
Classification: Unclassified
Component: Other (show other bugs)
Version: 1.29.x
Hardware: PC Linux
: P5 major
Target Milestone: ---
Assignee: unassigned
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-04-10 15:23 UTC by Herve GOURMELON
Modified: 2019-04-28 15:03 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Herve GOURMELON 2019-04-10 15:23:33 UTC 
I'm working on a Busybox applet compiled with shadow passwords enabled and Linux-PAM options also enabled.

For a given user 'johndoe', attempting to change the password as root causes the 'passwd' applet to crash, as shown below. Also affects 'adduser' when the administrator is asked to define the new password for the new user.


[root@C600-newKontron ~]# passwd johndoe 
Changing password for johndoe
New password: 
Retype password: 
*** Error in `passwd': free(): invalid pointer: 0x080d84dc ***
======= Backtrace: =========
/lib/libc.so.6(+0x6f620)[0xb75bf620]
/lib/libc.so.6(+0x75a22)[0xb75c5a22]
/lib/libc.so.6(+0x7620d)[0xb75c620d]
passwd[0x80527e6]
======= Memory map: ========
08048000-080da000 r-xp 00000000 b3:03 92         /bin/busybox
080da000-080db000 rw-p 00091000 b3:03 92         /bin/busybox
080db000-080fc000 rw-p 00000000 00:00 0          [heap]
b7506000-b751b000 r-xp 00000000 b3:03 65550      /lib/libgcc_s.so.1
b751b000-b751c000 rw-p 00014000 b3:03 65550      /lib/libgcc_s.so.1
b751f000-b752a000 r-xp 00000000 b3:03 65532      /lib/libnss_files-2.20.so
b752a000-b752b000 r--p 0000a000 b3:03 65532      /lib/libnss_files-2.20.so
b752b000-b752c000 rw-p 0000b000 b3:03 65532      /lib/libnss_files-2.20.so
b752c000-b752e000 rw-p 00000000 00:00 0 
b752e000-b7531000 r-xp 00000000 b3:03 65539      /lib/libdl-2.20.so
b7531000-b7532000 r--p 00002000 b3:03 65539      /lib/libdl-2.20.so
b7532000-b7533000 rw-p 00003000 b3:03 65539      /lib/libdl-2.20.so
b7533000-b754b000 r-xp 00000000 b3:03 65525      /lib/libpthread-2.20.so
b754b000-b754d000 r--p 00017000 b3:03 65525      /lib/libpthread-2.20.so
b754d000-b754e000 rw-p 00019000 b3:03 65525      /lib/libpthread-2.20.so
b754e000-b7550000 rw-p 00000000 00:00 0 
b7550000-b76f8000 r-xp 00000000 b3:03 65456      /lib/libc-2.20.so
b76f8000-b76fb000 r--p 001a7000 b3:03 65456      /lib/libc-2.20.so
b76fb000-b76fd000 rw-p 001aa000 b3:03 65456      /lib/libc-2.20.so
b76fd000-b7700000 rw-p 00000000 00:00 0 
b7700000-b7714000 r-xp 00000000 b3:03 65459      /lib/libresolv-2.20.so
b7714000-b7716000 r--p 00013000 b3:03 65459      /lib/libresolv-2.20.so
b7716000-b7717000 rw-p 00015000 b3:03 65459      /lib/libresolv-2.20.so
b7717000-b7719000 rw-p 00000000 00:00 0 
b7719000-b771b000 r-xp 00000000 b3:03 65464      /lib/libpam_misc.so.0.82.0
b771b000-b771c000 rw-p 00001000 b3:03 65464      /lib/libpam_misc.so.0.82.0
b771c000-b7726000 r-xp 00000000 b3:03 65549      /lib/libpam.so.0.83.1
b7726000-b7727000 rw-p 00009000 b3:03 65549      /lib/libpam.so.0.83.1
b7727000-b7742000 r-xp 00000000 b3:03 473        /usr/lib/libtirpc.so.3.0.0
b7742000-b7743000 rw-p 0001b000 b3:03 473        /usr/lib/libtirpc.so.3.0.0
b7744000-b7747000 rw-p 00000000 00:00 0 
b7747000-b7749000 r--p 00000000 00:00 0          [vvar]
b7749000-b774a000 r-xp 00000000 00:00 0          [vdso]
b774a000-b776c000 r-xp 00000000 b3:03 65455      /lib/ld-2.20.so
b776c000-b776d000 r--p 00021000 b3:03 65455      /lib/ld-2.20.so
b776d000-b776e000 rw-p 00022000 b3:03 65455      /lib/ld-2.20.so
bfe4a000-bfe6b000 rw-p 00000000 00:00 0          [stack]
Aborted
[root@C600-newKontron ~]#


The culprit seems to be an incorrectly initialized pointer in function  new_password() (loginutils/passwd.c) that we try to free when the function exits. 
Here's a patch that seemingly fixes the problem:

diff -urBN busybox-1.29.3/loginutils/passwd.c busybox-1.29.3-new/loginutils/passwd.c
--- busybox-1.29.3/loginutils/passwd.c  2018-07-02 13:23:06.000000000 +0200
+++ busybox-1.29.3-new/loginutils/passwd.c      2019-04-10 17:03:51.649975516 +0200
@@ -43,7 +43,7 @@
 static char* new_password(const struct passwd *pw, uid_t myuid, const char *algo)
 {
        char salt[MAX_PW_SALT_LEN];
-       char *orig = (char*)"";
+       char *orig = NULL;//(char*)"";
        char *newp = NULL;
        char *cp = NULL;
        char *ret = NULL; /* failure so far */
Comment 1 Herve GOURMELON 2019-04-10 16:04:52 UTC 
Wrong patch, indented with spaces instead of tabulations. Here is the correct version:

diff -urBN busybox-1.29.3/loginutils/passwd.c busybox-1.29.3-new/loginutils/passwd.c
--- busybox-1.29.3/loginutils/passwd.c  2018-07-02 13:23:06.000000000 +0200
+++ busybox-1.29.3-new/loginutils/passwd.c      2019-04-10 17:03:51.649975516 +0200
@@ -43,7 +43,7 @@
 static char* new_password(const struct passwd *pw, uid_t myuid, const char *algo)
 {
 	char salt[MAX_PW_SALT_LEN];
-	char *orig = (char*)"";
+	char *orig = NULL;//(char*)"";
 	char *newp = NULL;
 	char *cp = NULL;
 	char *ret = NULL; /* failure so far */
Comment 2 Denys Vlasenko 2019-04-28 15:03:23 UTC 
fixed in git:

commit ce51140664d82300d25b096b4a41f01fdfd766b3
Author: Einar Jón <tolvupostur@gmail.com>
Date:   Tue Jan 8 16:31:37 2019 +0100

    passwd: initialize pointers correctly