Bug 27330

Summary: Improper return code checking of getpwnam_r in pkexec, causing segfault
Product: PolicyKit
Reporter: Dan Rosenberg <dan.j.rosenberg>
Component: libpolkit
Assignee: David Zeuthen (not reading bugmail) <zeuthen>
Status: RESOLVED FIXED
QA Contact: David Zeuthen (not reading bugmail) <zeuthen>
Severity: normal
Priority: medium
Version: unspecified
Hardware: All
OS: All
Whiteboard:
Attachments: Fix for bad return check on getpwnam_r

Description Dan Rosenberg 2010-03-26 08:42:50 UTC
Created attachment 34487
Fix for bad return check on getpwnam_r

In pkexec.c, user information is looked up using getpwnam_r. The program checks if the return code is not zero, which would indicate an error, and terminates if so. However, if no error occurs and the user is not found in the password database, this function returns 0 and sets the result passwd struct to NULL (http://www.unix.com/man-page/Linux/3/getpwnam_r/), but this is not checked. As a result, when pwd is dereferenced later in the code, the program segfaults. Confirm using:

pkexec --user doesnotexist /bin/ls

The attached patch includes an additional check that pwd is not NULL to prevent this crash.
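
Added example, not part of the original report and not the pkexec source or the attached patch: a stand-alone lookup that separates the three outcomes of getpwnam_r described above (error, success with no entry, success with an entry). The names lookup_user and lookup_status are hypothetical, chosen for this illustration.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical result codes for this example. */
enum lookup_status { LOOKUP_FOUND, LOOKUP_NOT_FOUND, LOOKUP_ERROR };

/* Hypothetical helper: resolve a user name to a uid with getpwnam_r().
 * *uid_out is written only on LOOKUP_FOUND; *err_out holds the error
 * code on LOOKUP_ERROR and 0 otherwise. */
enum lookup_status lookup_user(const char *name, uid_t *uid_out, int *err_out)
{
    struct passwd pwd, *result = NULL;
    long hint = sysconf(_SC_GETPW_R_SIZE_MAX);
    size_t len = hint > 0 ? (size_t)hint : 1024;
    char *buf = NULL;
    int rc;

    for (;;) {
        char *tmp = realloc(buf, len);
        if (tmp == NULL) { rc = ENOMEM; break; }
        buf = tmp;
        rc = getpwnam_r(name, &pwd, buf, len, &result);
        if (rc != ERANGE || len > (1u << 20)) break;
        len *= 2;                      /* entry did not fit: grow and retry */
    }

    enum lookup_status st = LOOKUP_FOUND;
    *err_out = rc;
    if (rc != 0)
        st = LOOKUP_ERROR;             /* the lookup itself failed */
    else if (result == NULL)
        st = LOOKUP_NOT_FOUND;         /* rc == 0 but no such user */
    else
        *uid_out = result->pw_uid;     /* result is non-NULL here */
    free(buf);
    return st;
}

int main(int argc, char **argv)
{
    uid_t uid = 0; int err = 0;
    const char *name = argc > 1 ? argv[1] : "doesnotexist";
    enum lookup_status st = lookup_user(name, &uid, &err);
    printf("%s: status=%d uid=%lu err=%d\n", name, (int)st, (unsigned long)uid, err);
    return st == LOOKUP_FOUND ? 0 : 1;
}
```
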
Comment 1 David Zeuthen (not reading bugmail) 2010-03-26 10:30:42 UTC
I think this was fixed with this commit

 http://cgit.freedesktop.org/PolicyKit/commit/?id=2a91f171e23a90aa837bdafe9bb4b3a66fddbb39
Comment 2 Dan Rosenberg 2010-03-26 10:33:24 UTC
(In reply to comment #1)
> I think this was fixed with this commit
> 
> 
> http://cgit.freedesktop.org/PolicyKit/commit/?id=2a91f171e23a90aa837bdafe9bb4b3a66fddbb39
> 

Yep, sorry for the repeat.
