*** glibc detected *** sudo: double free or corruption

Bug #553786 reported by Daniel Richard G. on 2010-04-02
This bug affects 12 people
Affects         Status  Importance  Assigned to  Milestone
sudo (Ubuntu)           Undecided   Unassigned
Lucid                   Undecided   Unassigned

Bug Description

[SRU]

[Impact]
Lucid users who create a file in /etc/sudoers.d with incorrect permissions cause sudo to segfault, preventing them from using sudo to change the permissions.
(This works properly in later versions of sudo, such as Oneiric+)

[Test case]
1- Create a file in /etc/sudoers.d with 644 permissions
2- Attempt to use sudo
3- sudo should simply print a warning, and not segfault

[Regression potential]
This is the upstream patch that has been used for quite a while, and has passed the qa-regression-testing test suite. If there are regressions, I suppose it could be in the sudoers file handling.

Original description:
Lucid beta1, sudo 1.7.2p1-1ubuntu4. I added a file with incorrect permissions under /etc/sudoers.d/, and while that needed fixing, sudo(8) certainly shouldn't react like this:

$ sudo bash
sudo: /etc/sudoers.d/admin is mode 0644, should be 0440
>>> /etc/sudoers.d/README: /etc/sudoers.d/admin near line 18 <<<
sudo: parse error in /etc/sudoers.d/README near line 18
sudo: no valid sudoers sources found, quitting
*** glibc detected *** sudo: double free or corruption (!prev): 0x0861b7b0 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(+0x6b581)[0xa3a581]
/lib/tls/i686/cmov/libc.so.6(+0x6cdd8)[0xa3bdd8]
/lib/tls/i686/cmov/libc.so.6(cfree+0x6d)[0xa3eebd]
/lib/tls/i686/cmov/libc.so.6(fclose+0x14a)[0xa2aa9a]
sudo[0x805782d]
sudo[0x80587c6]
sudo[0x805639e]
sudo[0x805a104]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0x9e5bd6]
sudo[0x804a7c1]
Aborted

The above stack-trace spam was trivially and consistently reproducible.

Confirmed also on Ubuntu 10.4 - 1.7.2p1-1ubuntu5.2. Changing the file rights from 644 to 440 "fixed" it.

Carlos Perelló Marín (carlos) wrote :

How do you change the file rights if sudo doesn't work, you don't have a root password set, and you don't have direct access to the server to reboot into single mode?

IMHO, this bug should be set as CRITICAL, given that you are "banned" from administering a remote server.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sudo (Ubuntu):
status: New → Confirmed
Keith Baker (keibak) wrote :

Just happened to me on a fresh and updated lucid server installation.

This is really annoying since the server was a plain router. No keyboard or monitor was connected.

Keith Baker (keibak) wrote :

Tried same thing on desktop version of natty. There the problem seems fixed.

Still I'd consider this bug critical since lucid is the current long-term-support version.

tags: added: lucid
Jason R. Coombs (jaraco) wrote :

I've just been bitten by this bug yet again. I've had to ask my administrator to reboot our server into recovery mode to remove the file. Why is a bug that locks administrators out of the operating system (in an otherwise well-configured environment) not considered a critical bug? The only workaround I can think of is to know in advance that creating a file in /etc/sudoers.d might cause lockouts, so keep a separate shell as root... but I don't always remember to do that.

I would be grateful if someone would please fix this.

Steve Langasek (vorlon) wrote :

This bug appears to be fixed in precise. A message is output about the wrong permissions, but sudo itself works correctly.

Changed in sudo (Ubuntu):
status: Confirmed → Fix Released
Jason R. Coombs (jaraco) wrote :

Has Ubuntu changed its meaning of LTS? This issue still exists in Lucid.

Keith Baker already pointed out that the issue was fixed at least as early as Natty. Can we get the fix back-ported to Lucid? Is there any reason this shouldn't be considered critical as it can lock out legitimate administrative users with no workaround except to run recovery (in some scenarios)?

I have been hit by this bug and it's *extremely nasty*. I am instantly locked out of my system with no way of fixing it.

Things like these MUST NOT happen. I get from this bug report that there is a fix.

BACKPORT THIS FIX TO LUCID!

Marc Deslauriers (mdeslaur) wrote :
Changed in sudo (Ubuntu Lucid):
status: New → Confirmed
description: updated
description: updated

Hello Daniel, or anyone else affected,

Accepted sudo into lucid-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/sudo/1.7.2p1-1ubuntu5.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sudo (Ubuntu Lucid):
status: Confirmed → Fix Committed
tags: added: verification-needed
Bartosz Kosiorek (gang65) wrote :

After installing the sudo package from proposed, there is no longer a crash:

sudo ls
sudo: /etc/sudoers.d/mama is mode 0644, should be 0440
>>> /etc/sudoers.d/README: /etc/sudoers.d/mama near line 18 <<<
sudo: parse error in /etc/sudoers.d/README near line 18
sudo: no valid sudoers sources found, quitting

Verified.

tags: added: verification-done
removed: verification-needed

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates, please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sudo - 1.7.2p1-1ubuntu5.5

---------------
sudo (1.7.2p1-1ubuntu5.5) lucid-proposed; urgency=low

  * toke.{cl}: avoid duplicate fclose() of the sudoers file (LP: #553786)
    - http://www.sudo.ws/repos/sudo/rev/164d39108dde
 -- Marc Deslauriers <email address hidden> Thu, 22 Nov 2012 16:08:01 -0500

Changed in sudo (Ubuntu Lucid):
status: Fix Committed → Fix Released
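
The changelog above describes the fix as avoiding a duplicate fclose() of the sudoers file, and the backtrace shows glibc aborting inside fclose(). The bug class and one common way to make a repeated close harmless are sketched below as an added example; it is not sudo's code or the upstream patch, the error-path-plus-cleanup arrangement is an assumption for illustration, and `struct input`, `input_close` and `reject_then_cleanup` are hypothetical names.

```c
#include <stdio.h>

/* Hypothetical parser input state; not sudo's own data structure. */
struct input {
    FILE *fp;
};

#if 0
/* Flawed pattern, compiled out: the error path closes the stream but keeps
 * the stale pointer, so the shared cleanup passes the same FILE to fclose()
 * again. That is undefined behaviour; in the report glibc caught it inside
 * fclose() and aborted with "double free or corruption". */
static void reject_then_cleanup_flawed(struct input *in)
{
    fclose(in->fp);   /* error path: file rejected */
    fclose(in->fp);   /* shared cleanup: second close of the same FILE */
}
#endif

/* Hardened pattern: one helper owns the close and clears the pointer, so a
 * repeated call is a no-op. Returns 1 if this call closed the stream,
 * 0 if there was nothing left to close. */
int input_close(struct input *in)
{
    if (in == NULL || in->fp == NULL)
        return 0;
    fclose(in->fp);
    in->fp = NULL;
    return 1;
}

/* Runs the error path and then the shared cleanup, and returns how many
 * times the stream was really closed. */
int reject_then_cleanup(struct input *in)
{
    int closes = input_close(in);   /* error path */
    closes += input_close(in);      /* shared cleanup */
    return closes;
}

int main(void)
{
    /* Constructed stand-in for the rejected sudoers drop-in. */
    struct input in = { fopen("/dev/null", "r") };
    if (in.fp == NULL)
        return 1;
    printf("real closes: %d\n", reject_then_cleanup(&in));
    return 0;
}
```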