From e89d4c97385ff8180e6e81e84c5aa745daf28a79 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Mon, 22 Jun 2015 14:53:01 +0200 Subject: Release version 1.2.1 Security fix: CVE-2015-3238 If the process executing pam_sm_authenticate or pam_sm_chauthtok method of pam_unix is not privileged enough to check the password, e.g. if selinux is enabled, the _unix_run_helper_binary function is called. When a long enough password is supplied (16 pages or more, i.e. 65536+ bytes on a system with 4K pages), this helper function hangs indefinitely, blocked in the write(2) call while writing to a blocking pipe that has a limited capacity. With this fix, the verifiable password length will be limited to PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix. * NEWS: Update * configure.ac: Bump version * modules/pam_exec/pam_exec.8.xml: document limitation of password length * modules/pam_exec/pam_exec.c: limit password length to PAM_MAX_RESP_SIZE * modules/pam_unix/pam_unix.8.xml: document limitation of password length * modules/pam_unix/pam_unix_passwd.c: limit password length * modules/pam_unix/passverify.c: Likewise * modules/pam_unix/passverify.h: Likewise * modules/pam_unix/support.c: Likewise --- modules/pam_unix/pam_unix.8.xml | 7 +++++++ modules/pam_unix/pam_unix_passwd.c | 23 +++++++++++++++-------- modules/pam_unix/passverify.c | 5 ++++- modules/pam_unix/passverify.h | 2 +- modules/pam_unix/support.c | 7 ++++++- 5 files changed, 33 insertions(+), 11 deletions(-) (limited to 'modules/pam_unix') diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml index 40084023..a8b64bb5 100644 --- a/modules/pam_unix/pam_unix.8.xml +++ b/modules/pam_unix/pam_unix.8.xml @@ -79,6 +79,13 @@ needed for use with certain applications. + + The maximum length of a password supported by the pam_unix module + via the helper binary is PAM_MAX_RESP_SIZE + - currently 512 bytes. The rest of the password provided by the + conversation function to the module will be ignored. + + The password component of this module performs the task of updating the user's password. The default encryption hash is taken from the diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index 2d330e51..c2e5de5e 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -240,15 +240,22 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const /* wait for child */ /* if the stored password is NULL */ int rc=0; - if (fromwhat) - pam_modutil_write(fds[1], fromwhat, strlen(fromwhat)+1); - else - pam_modutil_write(fds[1], "", 1); - if (towhat) { - pam_modutil_write(fds[1], towhat, strlen(towhat)+1); + if (fromwhat) { + int len = strlen(fromwhat); + + if (len > PAM_MAX_RESP_SIZE) + len = PAM_MAX_RESP_SIZE; + pam_modutil_write(fds[1], fromwhat, len); } - else - pam_modutil_write(fds[1], "", 1); + pam_modutil_write(fds[1], "", 1); + if (towhat) { + int len = strlen(towhat); + + if (len > PAM_MAX_RESP_SIZE) + len = PAM_MAX_RESP_SIZE; + pam_modutil_write(fds[1], towhat, len); + } + pam_modutil_write(fds[1], "", 1); close(fds[0]); /* close here to avoid possible SIGPIPE above */ close(fds[1]); diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index b325602c..e79b55e6 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c @@ -1115,12 +1115,15 @@ getuidname(uid_t uid) int read_passwords(int fd, int npass, char **passwords) { + /* The passwords array must contain npass preallocated + * buffers of length MAXPASS + 1 + */ int rbytes = 0; int offset = 0; int i = 0; char *pptr; while (npass > 0) { - rbytes = read(fd, passwords[i]+offset, MAXPASS-offset); + rbytes = read(fd, passwords[i]+offset, MAXPASS+1-offset); if (rbytes < 0) { if (errno == EINTR) continue; diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h index 3de67593..caf7ae8a 100644 --- a/modules/pam_unix/passverify.h +++ b/modules/pam_unix/passverify.h @@ -8,7 +8,7 @@ #define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT -#define MAXPASS 200 /* the maximum length of a password */ +#define MAXPASS PAM_MAX_RESP_SIZE /* the maximum length of a password */ #define OLD_PASSWORDS_FILE "/etc/security/opasswd" diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index fdb45c20..abccd828 100644 --- a/modules/pam_unix/support.c +++ b/modules/pam_unix/support.c @@ -609,7 +609,12 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, /* if the stored password is NULL */ int rc=0; if (passwd != NULL) { /* send the password to the child */ - if (write(fds[1], passwd, strlen(passwd)+1) == -1) { + int len = strlen(passwd); + + if (len > PAM_MAX_RESP_SIZE) + len = PAM_MAX_RESP_SIZE; + if (write(fds[1], passwd, len) == -1 || + write(fds[1], "", 1) == -1) { pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m"); retval = PAM_AUTH_ERR; } -- cgit v1.2.3