Mail Archives: cygwin/2014/05/07/14:49:32
In-Reply-To: <20140507145736.GN30918@calimero.vinschen.de>
References: <5368525F DOT 2070301 AT shaddybaddah DOT name> <20140506163936 DOT GY30918 AT calimero DOT vinschen DOT de> <536920BB DOT 3080102 AT redhat DOT com> <20140506184915 DOT GA30918 AT calimero DOT vinschen DOT de> <20140507122218 DOT GF30918 AT calimero DOT vinschen DOT de> <20140507145736 DOT GN30918 AT calimero DOT vinschen DOT de>
Date: Wed, 7 May 2014 12:49:08 -0600
Message-ID: <CAJ1FpuPV8XmpFfgA-SfWo-9PfJ28gsC_7+zxup4QxNApTnJVXw@mail.gmail.com>
Subject: Re: snapshot 05/05: ssh segmentation fault within screen
From: Doug Henderson <djndnbvg AT gmail DOT com>
To: cygwin <cygwin AT cygwin DOT com>

On Wed, May 7, 2014 at 8:57 AM, Corinna Vinschen wrote:
> On May 7 14:22, Corinna Vinschen wrote:
>> On May 6 20:49, Corinna Vinschen wrote:
>> > On May 6 11:49, Eric Blake wrote:
>> > > On 05/06/2014 10:39 AM, Corinna Vinschen wrote:
>> > >
>> > > > The problem, which I totally did not realize since I started implementing
>> > > > this stuff, is that by propagating this cache to child processes, said
>> > > > child processes suffer from what the parent process does to the passwd
>> > > > structures in the cache.
>> > > >
>> > > > Screen seems to call getpwuid and then sets some of the pointers in the
>> > > > passwd structure it got from the call to NULL, apparently for some sort
>> > > > of security, this way overwriting the cached passwd struct for the
>> > >
>> > > Bug in screen. POSIX states:
>> > >
>> > > http://pubs.opengroup.org/onlinepubs/9699919799/functions/getpwuid.html
>> > >
>> > > The application shall not modify the structure to which the return value
>> > > points, nor any storage areas pointed to by pointers within the
>> > > structure. The returned pointer, and pointers within the structure,
>> > > might be invalidated or the structure or the storage areas might be
>> > > overwritten by a subsequent call to getpwent(), getpwnam(), or getpwuid().
>> >
>> > Oh, wow. However, what if screen (thinks it) never calls getpwuid or
>> > getpwnam again. In that case it may do whatever it wants with the
>> > pointers inside the returned passwd structure, doesn't it? It certainly
>> > doesn't have to expect sharing with another process.
>> >
>> > > > current user. Ssh on the other hand tries to copy the passwd structure,
>> > > > but it never checks for NULL pointers because, well, the passwd
>> > > > structure never contains NULL pointers.
>> > > >
>> > > > This annihilates every advantage the cygheap caching has.
>> > >
>> > > Caching still sounds correct, let's fix the bug in screen instead of
>> > > bloating cygwin to work around it. Or maybe find a way to cause a SEGV
>> > > in any process that tries to write into the pointer returned by getpwuid
>> > > and friends, to help them realize their bug, rather than the current
>> > > state of propagating the broken memory to other processes.
>> >
>> > Hmm, I'd have to allocate a full 4K page for this. Also, ssh called
>> > from screen works fine on Linux, even if the above behaviour is buggy...
>> >
>> > > Maybe you
>> > > just memcpy the result out of the cache into local memory, instead of
>> > > returning a pointer into the actual cygheap cache.
>> >
>> > Yes, that's what I was coming to realize, too. I'm going to copy the
>> > entire entry to local storage and return a pointer to that.
>>
>> I created a matching patch. Please give today's developer snapshot
>> from http://cygwin.com/snapshots/ a try.
>
> I just created another snapshot. The former snapshot had an off-by-one
> bug, so the passwd buffer given to the application was one byte short.
> Please make sure to try the snapshot with timestamp 14:55:24 (x86) or
> 14:55:06 (x86_64).
>
>
> Sorry,
> Corinna
>
It sounds like the result of using the Microsoft Account connected to
a regular account instead of using the regular account directly has
both a static and a dynamic component. This suggests that the behavior
could be modeled by a regular account login, immediately followed by
a chgrp which is dependent on the type of regular account, or some
other variation of su and chgrp actions.
Doug
--
Doug Henderson, Calgary, Alberta, Canada
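The fix Corinna describes in the quoted thread (copy the cached passwd entry to local storage and return a pointer to that), alongside the NULL-pointer check Eric notes ssh does not perform, as an added C example that is not Cygwin's code: the static cache, getpwuid_shared, pw_copy, pw_free and pw_has_null_field are all constructed stand-ins for illustration, not the cygheap implementation.

```c
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for a process-wide passwd cache (not Cygwin's cygheap). */
static char c_name[] = "alice", c_pw[] = "*", c_gecos[] = "Alice",
            c_dir[] = "/home/alice", c_shell[] = "/bin/bash";
static struct passwd cache_entry = { .pw_name = c_name, .pw_passwd = c_pw,
    .pw_uid = 1000, .pw_gid = 1000, .pw_gecos = c_gecos, .pw_dir = c_dir,
    .pw_shell = c_shell };
/* Pre-fix behaviour: hand out a pointer straight into the shared cache, so a
 * caller that scribbles on the struct (as screen does) corrupts the cache. */
struct passwd *getpwuid_shared(uid_t uid)
{
    return uid == cache_entry.pw_uid ? &cache_entry : NULL;
}
static char *dup_or_empty(const char *s)   /* NULL is copied as "" */
{
    size_t n = s ? strlen(s) + 1 : 1;
    char *d = malloc(n);
    return d ? memcpy(d, s ? s : "", n) : NULL;
}
/* Post-fix behaviour: deep-copy into caller-owned heap memory so the caller's
 * later edits never reach the cache; NULL string fields become "". */
struct passwd *pw_copy(const struct passwd *src)
{
    struct passwd *dst;
    if (src == NULL || (dst = calloc(1, sizeof *dst)) == NULL)
        return NULL;
    dst->pw_uid = src->pw_uid;       dst->pw_gid = src->pw_gid;
    dst->pw_name = dup_or_empty(src->pw_name);
    dst->pw_passwd = dup_or_empty(src->pw_passwd);
    dst->pw_gecos = dup_or_empty(src->pw_gecos);
    dst->pw_dir = dup_or_empty(src->pw_dir);
    dst->pw_shell = dup_or_empty(src->pw_shell);
    return dst;
}
void pw_free(struct passwd *p)
{
    if (!p) return;
    free(p->pw_name); free(p->pw_passwd); free(p->pw_gecos);
    free(p->pw_dir);  free(p->pw_shell);  free(p);
}
/* The check the thread says ssh omits: is any pointer in the entry NULL? */
int pw_has_null_field(const struct passwd *p)
{
    return !p || !p->pw_name || !p->pw_passwd || !p->pw_gecos
           || !p->pw_dir || !p->pw_shell;
}
```

A copy taken with pw_copy before a screen-style scrub of the shared entry stays intact, and a copy taken afterwards carries "" rather than NULL, so a consumer that assumes non-NULL pointers no longer faults.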
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple