This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: snapshot 05/05: ssh segmentation fault within screen

On May  6 20:49, Corinna Vinschen wrote:
> On May  6 11:49, Eric Blake wrote:
> > On 05/06/2014 10:39 AM, Corinna Vinschen wrote:
> > 
> > > The problem, which I totally not realized since I started implementing
> > > this stuff is, that by propagating this cache to child processes, said
> > > child processes suffer from what the parent process does to the passwd
> > > structures in the cache.
> > > 
> > > Screen seems to call getpwuid and then sets some of the pointers in the
> > > passwd structure it got from the call to NULL, apparently for some sort
> > > of security, this way overwriting the cached passwd struct for the
> > 
> > Bug in screen.  POSIX states:
> > 
> >
> > 
> > The application shall not modify the structure to which the return value
> > points, nor any storage areas pointed to by pointers within the
> > structure. The returned pointer, and pointers within the structure,
> > might be invalidated or the structure or the storage areas might be
> > overwritten by a subsequent call to getpwent(), getpwnam(), or getpwuid().
> Oh, wow.  However, what if screen (thinks it) never calls getpwuid or
> getpwnam again.  In that case it may do whatever it wants with the
> pointers inside the returned passwd structure, doesn't it?  It certainly
> doesn't have to expect sharing with another process.
> > > current user.  Ssh on the other hand tries to copy the passwd structure,
> > > but it never checks for NULL pointers because, well, the passwd
> > > structure never contains NULL pointers.
> > > 
> > > This annihilates every advantage the cygheap caching has.
> > 
> > Caching still sounds correct, let's fix the bug in screen instead of
> > bloating cygwin to work around it.  Or maybe find a way to cause a SEGV
> > in any process that tries to write into the pointer returned by getpwuid
> > and friends, to help them realize their bug, rather than the current
> > state of propagating the broken memory to other processes.
> Hmm, I'd have to allocate a full 4K page for this.  Also, ssh called
> from screen works fine on Linux, even if the above behaviour is buggy...
> > Maybe you
> > just memcpy the result out of the cache into local memory, instead of
> > returning a pointer into the actual cygheap cache.
> Yes, that's what I was coming to realize, too.  I'm going to copy the
> entire entry to local storage and return a pointer to that.

I created a matching patch.  Please give the today's developer snapshot
from a try.


Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

Attachment: pgpFKZJe48lnf.pgp
Description: PGP signature

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]