#3687 KCM: Don't pass a non null terminated string to json_loads()

Created 2 months ago by fidencio
Modified 2 months ago

By doing this, the following issues can be seen when running sssd-kcm under valgrind:

==2638== Conditional jump or move depends on uninitialised value(s)
==2638==    at 0x57DB678: stream_get.part.3 (load.c:172)
==2638==    by 0x57DB9CA: stream_get (load.c:643)
==2638==    by 0x57DB9CA: lex_get (load.c:246)
==2638==    by 0x57DB9CA: lex_scan (load.c:601)
==2638==    by 0x57DC56A: parse_json.constprop.7 (load.c:904)
==2638==    by 0x57DC6AB: json_loads (load.c:959)
==2638==    by 0x11ABEA: ??? (in /usr/libexec/sssd/sssd_kcm)
==2638==    by 0x11AEF0: ??? (in /usr/libexec/sssd/sssd_kcm)
==2638==    by 0x125D4A: ??? (in /usr/libexec/sssd/sssd_kcm)
==2638==    by 0x12623B: ??? (in /usr/libexec/sssd/sssd_kcm)
==2638==    by 0x9BCD71F: epoll_event_loop (tevent_epoll.c:728)
==2638==    by 0x9BCD71F: epoll_event_loop_once (tevent_epoll.c:930)
==2638==    by 0x9BCBBA6: std_event_loop_once (tevent_standard.c:114)
==2638==    by 0x9BC7FEC: _tevent_loop_once (tevent.c:725)
==2638==    by 0x9BC820A: tevent_common_loop_wait (tevent.c:848)

This is one of the reasons users weren't able to properly use KCM, and solving this should solve at least part of https://bugzilla.redhat.com/show_bug.cgi?id=1494843

NOTE: It's important to check whether the other 2 uses of json_loads() are using NULL terminated strings, otherwise they'd have to also be changed to use json_loadb() instead.
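The bug class behind this ticket, shown as an added example that is not SSSD's or jansson's code: a length-delimited buffer (a stand-in for a ccache blob read from the secrets store) is handed to an API that expects a NUL-terminated C string. jansson's json_loads() reads until it finds a '\0', while json_loadb() stops at a caller-supplied length. The scan_json_cstr() and scan_json_b() functions below are stand-ins for those two entry points (a bracket-balance scan rather than a real JSON parser), the kcm_blob bytes are constructed, and every other name here is assumed for illustration; the fix in sssd_kcm itself is to call json_loadb(buf, len, 0, &err) instead of json_loads().

```c
/* Added example, not SSSD or jansson code. scan_json_b() stands in for
 * json_loadb(), scan_json_cstr() for json_loads(); kcm_blob is constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Length-bounded stand-in for json_loadb(): bracket-balance scan over exactly
 * len bytes. Returns the deepest nesting reached, or -1 if the text is
 * unbalanced, has an unterminated string, or contains a raw NUL (which valid
 * JSON text never does). */
int scan_json_b(const char *s, size_t len)
{
    int depth = 0, deepest = 0;
    bool in_str = false;

    for (size_t i = 0; i < len; i++) {
        char c = s[i];
        if (c == '\0') {
            return -1;
        }
        if (in_str) {
            if (c == '\\' && i + 1 < len) {
                i++;                        /* skip the escaped character */
            } else if (c == '"') {
                in_str = false;
            }
            continue;
        }
        switch (c) {
        case '"':
            in_str = true;
            break;
        case '{': case '[':
            if (++depth > deepest) {
                deepest = depth;
            }
            break;
        case '}': case ']':
            if (--depth < 0) {
                return -1;
            }
            break;
        default:
            break;
        }
    }
    return (depth == 0 && !in_str) ? deepest : -1;
}

/* C-string stand-in for json_loads(): the length is whatever strlen() finds,
 * so a buffer without a terminator is read past its end (the valgrind report
 * in this ticket). */
int scan_json_cstr(const char *s)
{
    return scan_json_b(s, strlen(s));
}

/* Audit helper for the "other 2 uses" mentioned above: true only if a '\0'
 * lies within the first len bytes, i.e. the buffer may be handed to a
 * C-string API without reading beyond it. */
bool buffer_has_terminator(const uint8_t *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* The fix: pass the length through to the length-aware entry point. */
int parse_kcm_blob(const uint8_t *buf, size_t len)
{
    return scan_json_b((const char *)buf, len);
}

/* Fallback when only a C-string API exists: reject embedded NULs (a
 * strndup()-style copy would silently truncate there), then parse a
 * NUL-terminated copy. In SSSD the copy would be a talloc_strndup(). */
int parse_kcm_blob_via_cstr_api(const uint8_t *buf, size_t len)
{
    char *copy;
    int rc;

    if (memchr(buf, '\0', len) != NULL) {
        return -1;
    }
    copy = malloc(len + 1);
    if (copy == NULL) {
        return -1;
    }
    memcpy(copy, buf, len);
    copy[len] = '\0';
    rc = scan_json_cstr(copy);
    free(copy);
    return rc;
}

/* Constructed stand-in for a blob from the secrets store: 7 bytes of JSON
 * text with NO terminator, followed by unrelated bytes. Calling
 * scan_json_cstr(kcm_blob) directly is exactly the bug in this ticket. */
const char kcm_blob[] = { '{', '"', 'a', '"', ':', '1', '}', 'X', 'X', 'X' };
const size_t kcm_blob_len = 7;

int main(void)
{
    const uint8_t *buf = (const uint8_t *)kcm_blob;

    if (buffer_has_terminator(buf, kcm_blob_len)) {
        return 2;   /* would be safe for a C-string API; not the case here */
    }
    /* Both length-aware paths parse the unterminated blob correctly. */
    return (parse_kcm_blob(buf, kcm_blob_len) == 1 &&
            parse_kcm_blob_via_cstr_api(buf, kcm_blob_len) == 1) ? 0 : 1;
}
```

buffer_has_terminator() is the check to run when auditing the remaining json_loads() call sites: a buffer coming from an iobuf or a secrets-store read has no terminator unless the code that allocated it wrote one, and an embedded NUL means json_loads() would parse a truncated document rather than the whole blob.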

2 months ago

Metadata Update from @fidencio:
- Issue assigned to fidencio

2 months ago

Metadata Update from @fidencio:
- Issue tagged with: KCM

2 months ago

Metadata Update from @fidencio:
- Custom field patch adjusted to on

2 months ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.2
- Issue tagged with: bug

I pushed PR #542 as a40c6b4 so that we can patch downstreams and avoid a crash while we meditate on what the best option should be.

I won't be closing this ticket as we only have a stop-gap and not a proper fix.
