<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - Improper use of asprintf() in login/pam_systemd.c" href="https://bugs.freedesktop.org/show_bug.cgi?id=90017">90017</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Improper use of asprintf() in login/pam_systemd.c
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>systemd
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>systemd-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>archie.cobbs@gmail.com
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>systemd-bugs@lists.freedesktop.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Reviewing this code:

   
<a href="https://github.com/systemd/systemd/blob/master/src/login/pam_systemd.c#L179-190">https://github.com/systemd/systemd/blob/master/src/login/pam_systemd.c#L179-190</a>

there appears to be a bug. Here is the code:

    #ifdef ENABLE_KDBUS
        _cleanup_free_ char *s = NULL;
        int r;

        /* skip export if kdbus is not active */
        if (access("/sys/fs/kdbus", F_OK) < 0)
                return PAM_SUCCESS;

        if (asprintf(&s, KERNEL_USER_BUS_ADDRESS_FMT ";" UNIX_USER_BUS_ADDRESS_FMT, uid, runtime) < 0) {
                pam_syslog(handle, LOG_ERR, "Failed to set bus variable.");
                return PAM_BUF_ERR;
        }

The bug occurs if asprintf() fails. Since "s" is declared _cleanup_free, it
will be automatically free()'d when the function returns (right?).

However, there is no guarantee that "s" will still be equal to NULL at this
point, as the code incorrectly assumes.

Quoting the asprintf() man page:

    RETURN VALUE
       When successful, these functions return the number of bytes printed, just like sprintf(3).
       If memory allocation wasn't possible, or some other error occurs, these functions will return -1,
       and the contents of strp is undefined.
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This is only one example; there could be arbitrarily many others in the systemd
codebase (I haven't looked).

In practice, this bug probably never happens, because I doubt that any actual
asprintf() implementations modify "s" on failure. But that's irrelevant to
whether this is a bug.

Personally I think it's stupid that POSIX allows asprintf() to modify *strp on
failure, but whatever, it's too late to fix that now.</pre>
        </div>
      </p>
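<p>As an added illustration (not code from the bug report or from systemd): an asprintf-style helper that guarantees the out-pointer is NULL whenever it fails, which is the property the <code>_cleanup_free_</code> pattern quoted above silently relies on. It includes a fault-injection switch so the failure path can be exercised deterministically. The names <code>asprintf_nullsafe</code>, <code>set_alloc_failure</code>, <code>bus_address_demo</code> and the format string <code>DEMO_BUS_ADDRESS_FMT</code> are constructed for this example; GCC or clang is required for the cleanup attribute.</p>

```c
/* Added example, not systemd code: an asprintf-style helper whose *strp is
 * defined on every return path (the string on success, NULL on failure), so a
 * cleanup-attribute free() on the pointer is always sound. All names here are
 * constructed for this example. Requires GCC or clang for __attribute__((cleanup)). */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed format, standing in for systemd's bus address macros. */
#define DEMO_BUS_ADDRESS_FMT "kernel:path=/sys/fs/kdbus/%u-user/bus;unix:path=%s/bus"

static void freep(char **p) { free(*p); }
#define _cleanup_free_ __attribute__((cleanup(freep)))

/* Fault-injection switch (constructed) so allocation failure can be simulated. */
static int g_fail_alloc = 0;
void set_alloc_failure(int fail) { g_fail_alloc = fail; }

static void *demo_malloc(size_t n) {
    return g_fail_alloc ? NULL : malloc(n);
}

/* Unlike asprintf(3), *strp is never left undefined: it is set to NULL before
 * anything can fail and only replaced once the string exists. The return value
 * follows asprintf: number of bytes on success, -1 on failure. */
int asprintf_nullsafe(char **strp, const char *fmt, ...) {
    va_list ap, ap2;
    int n;
    char *buf;

    *strp = NULL;                      /* define the out-parameter first */
    va_start(ap, fmt);
    va_copy(ap2, ap);
    n = vsnprintf(NULL, 0, fmt, ap);   /* measure the formatted length */
    va_end(ap);
    if (n < 0) {
        va_end(ap2);
        return -1;
    }
    buf = demo_malloc((size_t)n + 1);
    if (!buf) {
        va_end(ap2);
        return -1;                     /* *strp is still NULL here */
    }
    vsnprintf(buf, (size_t)n + 1, fmt, ap2);
    va_end(ap2);
    *strp = buf;
    return n;
}

/* Mirrors the pam_systemd.c shape: s is freed by the cleanup handler on every
 * return path. That is only safe because s is guaranteed defined on failure.
 * Returns 1 if the address was built (copied into out when it fits), 0 on
 * formatting or allocation failure. */
int bus_address_demo(unsigned uid, const char *runtime, char *out, size_t outlen) {
    _cleanup_free_ char *s = NULL;

    if (asprintf_nullsafe(&s, DEMO_BUS_ADDRESS_FMT, uid, runtime) < 0)
        return 0;                      /* s == NULL, so free(NULL) is a no-op */

    if (out && strlen(s) < outlen)
        strcpy(out, s);
    return 1;                          /* s freed here as well */
}

/* Returns 1 if an injected allocation failure leaves the out-pointer NULL,
 * even when it held garbage beforehand (which asprintf(3) would permit). */
int failure_leaves_pointer_null(void) {
    char *s = (char *)0x1;             /* deliberate garbage value */
    int r;
    set_alloc_failure(1);
    r = asprintf_nullsafe(&s, "%s", "unused");
    set_alloc_failure(0);
    return r == -1 && s == NULL;
}

/* Returns bus_address_demo's result under injected allocation failure (expect 0). */
int bus_address_demo_under_failure(void) {
    int r;
    set_alloc_failure(1);
    r = bus_address_demo(1000, "/run/user/1000", NULL, 0);
    set_alloc_failure(0);
    return r;
}

int main(void) {
    char buf[128];
    if (bus_address_demo(1000, "/run/user/1000", buf, sizeof buf))
        printf("%s\n", buf);
    printf("failure path leaves NULL: %d\n", failure_leaves_pointer_null());
    printf("demo under failure returns: %d\n", bus_address_demo_under_failure());
    return 0;
}
```

<p>The point of the wrapper is that the caller's cleanup handler no longer depends on libc behaviour the standard leaves undefined; the same effect can be had by setting <code>s = NULL</code> explicitly in the error branch before returning.</p>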
    </body>
</html>