[SunHELP] SUN bug reports ?

DAUBIGNE Sebastien - BOR sunhelp at sunhelp.org
Mon Nov 5 12:16:00 CST 2001


Hi,

I'm running Solaris 2.6.

Basically my question is: does any bug report facility exist for Sun Solaris?
I must specify "bug report" instead of "hotline" (something like sending an
email to "solaris2.6-bugreport at sun.com").

I was facing a bug in "login" when I tried to log in to an account whose
password has expired (through the "password aging" facility).
In this situation, login said "choose a new password" but it crashed
(SIGSEGV caught) and telnetd closed the connection.

# telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
login: user1
Password: 
Choose a new password.
Disconnected from iris.

(Well, the user1 can't actually choose a new password as you see).

Finally I found the source of the bug: a misconfigured /etc/shadow entry,
combined with a bug in "login":

user1:6ARTtEO5peUOQ:11543:5:90:7

This entry is wrong according to the "shadow" manpage, which specifies a
9-field entry, so I added the 3 remaining blank fields:

user1:6ARTtEO5peUOQ:11543:5:90:7:::

After this correction, the problem was solved but I would have preferred
"login" to tell me what was wrong instead of crashing.

The truth is that "login" has a bug, and tried to access a null pointer
before catching SIGSEGV. As proof, here is the "truss" output of the
crashed "login":

27436/1:        write(1, " C h o o s e   a   n e w".., 23)      = 23
27436/1:        stat64("/usr/lib/security/pam_unix.so.1", 0xEFFFFC60) = 0
27436/1:        door_info(3, 0xEFFFACA0)                        = 0
27436/1:        door_call(3, 0xEFFFAC88)                        = 0
27436/1:        open("/etc/passwd", O_RDONLY)                   = 5
27436/1:        open("/etc/shadow", O_RDONLY)                   = 6
27436/1:        fstat64(5, 0xEFFF60B8)                          = 0
27436/1:        ioctl(5, TCGETA, 0xEFFF6044)                    Err#25 ENOTTY
27436/1:        read(5, " r o o t : x : 0 : 1 : S".., 8192)     = 3075
27436/1:        fstat64(6, 0xEFFF60B8)                          = 0
27436/1:        brk(0x0002EC18)                                 = 0
27436/1:        brk(0x00030C18)                                 = 0
27436/1:        ioctl(6, TCGETA, 0xEFFF6044)                    Err#25 ENOTTY
27436/1:        read(6, " r o o t : . 4 e z A W l".., 8192)     = 1831
27436/1:            Incurred fault #6, FLTBOUNDS  %pc = 0xEF605E54
27436/1:              siginfo: SIGSEGV SEGV_MAPERR addr=0x00000000
27436/1:            Received signal #11, SIGSEGV [default]
27436/1:              siginfo: SIGSEGV SEGV_MAPERR addr=0x00000000
27436/1:                *** process killed ***

As you can see, "login" didn't parse the /etc/shadow missing field and then
tried to access the resulting null-pointer string. This is a bug as login
didn't detect the wrong shadow entry (trying to access a null pointer is
always a bug, isn't it?).

The usual behaviour is to print a diagnostic message (e.g. "invalid shadow
entry") either on the screen or through syslog, and to exit normally.

Well, I searched the sunsolve database, but did not find any patch
addressing this bug.
The only patches addressing login and/or PAM stuff I found are:
105665-03, 106257-05 and 106271-08. I applied these patches, but they don't
solve this particular bug.

Now I would like to tell SUN "Hey, there is an ugly bug in the Solaris
2.6 login, here are the facts, you'd better correct it", without using the
SUN local Hotline, which is always a time-consuming task ("First apply the
last recommended patch cluster, and then we'll try to help you").

As I'm not aware of any bug report facility, any suggestion will be
appreciated.

---
Sebastien DAUBIGNE 
sebastien.daubigne at sema.fr - (+33) (0)5.57.26.56.36
Sema Global Services - AFM/DW/Pessac
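
The check the post asks for, as an added example (not part of the original message and not Sun's login or PAM code): a shadow(4) line parser in C that rejects the six-field entry with a diagnostic instead of dereferencing a missing field. The struct and function names are hypothetical, and rejecting negative numbers is this example's own choice.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SHADOW_NFIELDS 9 /* name:passwd:lastchg:min:max:warn:inactive:expire:flag */

struct shadow_entry {              /* hypothetical, not Solaris's struct spwd */
    char name[64];
    char hash[128];
    long num[SHADOW_NFIELDS - 2];  /* lastchg..flag; -1 means "field empty" */
};

/* Split on ':' keeping empty fields (strtok would merge them); 0 = ok, -1 = malformed. */
int parse_shadow_line(const char *line, struct shadow_entry *out)
{
    char buf[512], *field[SHADOW_NFIELDS], *p, *end;
    int n = 0, i;
    if (line == NULL || out == NULL || strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "\n")] = '\0';
    for (p = buf; ; p = end + 1) {
        if (n == SHADOW_NFIELDS) return -1;        /* too many fields */
        field[n++] = p;
        if ((end = strchr(p, ':')) == NULL) break;  /* last field reached */
        *end = '\0';
    }
    if (n != SHADOW_NFIELDS) return -1;  /* too few: reject, never touch field[n..] */
    if (field[0][0] == '\0' || strlen(field[0]) >= sizeof out->name ||
        strlen(field[1]) >= sizeof out->hash)
        return -1;
    strcpy(out->name, field[0]);
    strcpy(out->hash, field[1]);
    for (i = 2; i < SHADOW_NFIELDS; i++) {
        if (field[i][0] == '\0') { out->num[i - 2] = -1; continue; }
        out->num[i - 2] = strtol(field[i], &end, 10);
        if (*end != '\0' || out->num[i - 2] < 0)
            return -1;                   /* non-numeric or negative aging value */
    }
    return 0;
}

int main(void)
{
    struct shadow_entry e;
    const char *bad = "user1:6ARTtEO5peUOQ:11543:5:90:7";  /* entry from the post */
    if (parse_shadow_line(bad, &e) != 0)
        fprintf(stderr, "invalid shadow entry\n");
    return 0;
}
```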