Signed integer overflows in day processing #885

Open
stoeckmann opened this issue Dec 30, 2023 · 0 comments

The day processing within shadow is prone to signed integer overflows, leading to undefined behavior with very large numbers.

See #876 for a possible solution.

Proof of Concept (for 64-bit systems):

1. Compile and definitely use an sgetspent implementation which gets long parsing right (glibc does not)

   ```
   ac_cv_func_getspnam=no \
   ac_cv_func_sgetspent=no \
   CFLAGS="-fsanitize=undefined" \
   ./configure --without-libpam
   ```

2. Set up users with large shadow entries

   ```
   # chage -m 10 user1
   # chage -d 9223372036854775807 user1
   # chage -M 10 user2
   # chage -d 9223372036854775807 user2
   # chage -M 10 user3
   # chage -I 20 user3
   # chage -d 9223372036854775807 user3
   # chage -I 20 user4
   # chage -W 1 user4
   # chage -d 123 user4
   # chage -M 9223372036854775807 user4
   ```

3. Change password as user1

   ```
   $ passwd
   ../../src/passwd.c:393:6: runtime error: signed integer overflow: 9223372036854775807 * 86400 cannot be represented in type 'long int'
   ```

4. Run expiry as user2

   ```
   $ expiry -c
   ../../lib/isexpired.c:97:28: runtime error: signed integer overflow: 9223372036854775807 + 10 cannot be represented in type 'long int'
   ```

5. Run expiry as user3

   ```
   $ expiry -c
   ../../lib/age.c:165:25: runtime error: signed integer overflow: 9223372036854775807 + 99999 cannot be represented in type 'long int'
   ../../lib/isexpired.c:75:32: runtime error: signed integer overflow: 9223372036854775807 + 99999 cannot be represented in type 'long int'
   ```

6. Run expiry as user4

   ```
   $ expiry -c
   ../../lib/age.c:165:25: runtime error: signed integer overflow: 123 + 9223372036854775807 cannot be represented in type 'long int'
   ../../lib/age.c:165:9: runtime error: signed integer overflow: -9223372036854775686 - 19709 cannot be represented in type 'long int'
   ../../lib/isexpired.c:75:32: runtime error: signed integer overflow: 123 + 9223372036854775807 cannot be represented in type 'long int'
   ```

The user1 password change should not be allowed because the minimum wait time since last change (in the future) is not reached yet.
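
An added example, not shadow's code and not the change proposed in #876: overflow-checked versions of the two kinds of arithmetic the sanitizer flags above (days multiplied by 86400, and a day number plus an interval), applied to the user1 minimum-age case. The helper names are hypothetical, the inputs are constructed from the values in the proof of concept, and the GCC/Clang `__builtin_*_overflow` intrinsics are assumed to be available.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define SECONDS_PER_DAY 86400L

/* Hypothetical helper: convert days to seconds.
 * Returns false (and leaves *out unspecified) if the product overflows long. */
static bool days_to_seconds(long days, long *out)
{
    return !__builtin_mul_overflow(days, SECONDS_PER_DAY, out);
}

/* Hypothetical helper: day number plus an interval, saturating at the
 * limits of long instead of invoking undefined behavior. */
static long add_days_sat(long day, long interval)
{
    long sum;

    if (!__builtin_add_overflow(day, interval, &sum))
        return sum;
    /* Overflow with a positive interval can only be upward, and vice versa. */
    return interval > 0 ? LONG_MAX : LONG_MIN;
}

/* Hypothetical check: may the password be changed on day `today`?
 * Allowed only once last_change + min_days has been reached. */
static bool min_age_reached(long last_change, long min_days, long today)
{
    if (min_days <= 0)
        return true;
    return today >= add_days_sat(last_change, min_days);
}

int main(void)
{
    long secs;
    long today = 19709; /* constructed current day number */

    /* Constructed inputs mirroring the shadow entries set up with chage. */
    printf("LONG_MAX days convertible to seconds: %d\n",
           days_to_seconds(LONG_MAX, &secs));
    printf("LONG_MAX + 10 saturates at LONG_MAX: %d\n",
           add_days_sat(LONG_MAX, 10) == LONG_MAX);
    printf("user1 may change password: %d\n",
           min_age_reached(LONG_MAX, 10, today));
    return 0;
}
```

With saturation, a last-change day of `LONG_MAX` plus a 10-day minimum stays in the future, so the user1 change is refused rather than decided by a wrapped value.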
