https://bugzilla.suse.com/show_bug.cgi?id=1227878

            Bug ID: 1227878
           Summary: econf_readDirs crashes if one of the paths is NULL
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Slowroll
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
          Assignee: schubi@suse.com
          Reporter: sbrabec@suse.com
        QA Contact: qa-bugs@suse.de
  Target Milestone: ---
          Found By: ---
           Blocker: ---

If util-linux is configured with a plain ./configure, agetty crashes.

The reason is simple: If ./configure is called without --with-vendordir=DIR on a system with libeconf, econf_readDirs is called with dist_conf_dir=0x0. And the code does not check for it before calling strdup().

Reading the code, the same is apparently valid for etc_conf_dir. And there are more occurrences of unsanitized strdup() calls on directory names.

(gdb) bt
#0  __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex-base.S:81
#1  0x00007f06d54aa752 in __GI___strdup (s=s@entry=0x0) at strdup.c:41
#2  0x00007f06d56fa26b in econf_readDirs (comment=0x41260f "#", delim=0x412601 "= \t", config_suffix=0x412605 "defs", config_name=0x412537 "login", etc_conf_dir=0x41260a "/etc", dist_conf_dir=0x0, result=0x41b630 <file>) at ../lib/libeconf.c:510
#3  econf_readDirs (result=result@entry=0x41b630 <file>, dist_conf_dir=dist_conf_dir@entry=0x0, etc_conf_dir=etc_conf_dir@entry=0x41260a "/etc", config_name=config_name@entry=0x412537 "login", config_suffix=config_suffix@entry=0x412605 "defs", delim=delim@entry=0x412601 "= \t", comment=0x41260f "#") at ../lib/libeconf.c:495
#4  0x0000000000409a18 in load_defaults () at lib/logindefs.c:257
#5  0x0000000000409cb5 in getlogindefs_bool (name=name@entry=0x41241a "LOGIN_PLAIN_PROMPT", dflt=dflt@entry=0) at lib/logindefs.c:326
#6  0x0000000000406b11 in main (argc=<optimized out>, argv=<optimized out>) at term-utils/agetty.c:490
(gdb) up
#1  0x00007f06d54aa752 in __GI___strdup (s=s@entry=0x0) at strdup.c:41
41        size_t len = strlen (s) + 1;
(gdb) up
#2  0x00007f06d56fa26b in econf_readDirs (comment=0x41260f "#", delim=0x412601 "= \t", config_suffix=0x412605 "defs", config_name=0x412537 "login", etc_conf_dir=0x41260a "/etc", dist_conf_dir=0x0, result=0x41b630 <file>) at ../lib/libeconf.c:510
510       (*result)->parse_dirs[0] = strdup(dist_conf_dir);
(gdb) l
505         return ret;
506
507       (*result)->parse_dirs_count = 2;
508       (*result)->parse_dirs = calloc((*result)->parse_dirs_count+1, sizeof(char *));
509       (*result)->parse_dirs[(*result)->parse_dirs_count] = NULL;
510       (*result)->parse_dirs[0] = strdup(dist_conf_dir);
511       (*result)->parse_dirs[1] = strdup(etc_conf_dir);
512
513       return readConfigWithCallback(result,
514                                     config_name,
(gdb) p dist_conf_dir
$1 = 0x0

-- 
You are receiving this mail because:
You are on the CC list for the bug.
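
Added example, not part of the original report and not libeconf's code or its eventual fix: a NULL-tolerant version of the directory-list setup shown in the listing at lines 507-511, which also checks the calloc() result that the listing dereferences unchecked. The names struct dir_list, dir_list_set and dir_list_free are hypothetical, and skipping an unset directory (rather than returning an error) is an assumption about the desired behaviour.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the handle fields seen in the gdb listing. */
struct dir_list {
    char **parse_dirs;       /* NULL-terminated array of directory names */
    size_t parse_dirs_count; /* number of entries actually stored */
};

static void dir_list_free(struct dir_list *dl)
{
    for (size_t i = 0; dl->parse_dirs && i < dl->parse_dirs_count; i++)
        free(dl->parse_dirs[i]);
    free(dl->parse_dirs);
    dl->parse_dirs = NULL;
    dl->parse_dirs_count = 0;
}

/* Store copies of the non-NULL directories in order; 0 on success, -1 on OOM. */
static int dir_list_set(struct dir_list *dl, const char *dist_conf_dir,
                        const char *etc_conf_dir)
{
    const char *in[] = { dist_conf_dir, etc_conf_dir };
    size_t n = sizeof(in) / sizeof(in[0]);

    dl->parse_dirs_count = 0;
    dl->parse_dirs = calloc(n + 1, sizeof(char *)); /* zeroed, so terminated */
    if (!dl->parse_dirs)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (!in[i])
            continue; /* unset directory: never hand NULL to strlen()/strdup() */
        size_t len = strlen(in[i]) + 1;
        char *copy = malloc(len); /* portable equivalent of strdup() */
        if (!copy) {
            dir_list_free(dl);
            return -1;
        }
        memcpy(copy, in[i], len);
        dl->parse_dirs[dl->parse_dirs_count++] = copy;
    }
    return 0;
}

int main(void)
{
    struct dir_list dl = { 0 };
    int ok = dir_list_set(&dl, NULL, "/etc") == 0; /* constructed: NULL vendor dir */
    ok = ok && dl.parse_dirs_count == 1;
    dir_list_free(&dl);
    return ok ? 0 : 1;
}
```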