authorEric Biggers <ebiggers@google.com>2018-03-24 23:21:29 -0700
committerEric Biggers <ebiggers3@gmail.com>2018-03-24 23:50:36 -0700
commit81942ab75c02e720970d6af069e8b8cf3ef847bb (patch)
tree1df58e59595ea964928c57ae78136dd53e647d51
parent3ef69aaafcfe6df03097d9ebdc8e4c7f7516999b (diff)
pam: return error when PAM info item is unset
pam_fscrypt is crashing with a segfault in copyIntoSecret() when using Ctrl-C to interrupt a 'sudo' prompt. It is dereferencing a NULL pointer that is supposed to point to the PAM_AUTHTOK item. The problem is that the Go code assumes pam_get_item() returns a non-success status if the item is unset, when actually it sets the data pointer to NULL and returns PAM_SUCCESS. Fix it by making pam.Handle.GetItem() return an error in that case.
-rw-r--r--pam/pam.go10
1 files changed, 8 insertions, 2 deletions
diff --git a/pam/pam.go b/pam/pam.go
index bd15c38..0c2262e 100644
--- a/pam/pam.go
+++ b/pam/pam.go
@@ -120,12 +120,18 @@ func (h *Handle) GetString(name string) (string, error) {
return C.GoString((*C.char)(data)), nil
}
-// GetItem retrieves a PAM information item. This a pointer directory to the
+// GetItem retrieves a PAM information item. This is a pointer directly to the
// data, so it shouldn't be modified.
func (h *Handle) GetItem(i Item) (unsafe.Pointer, error) {
var data unsafe.Pointer
h.status = C.pam_get_item(h.handle, C.int(i), &data)
- return data, h.err()
+ if err := h.err(); err != nil {
+ return nil, err
+ }
+ if data == nil {
+ return nil, errors.New("item not found")
+ }
+ return data, nil
}
// StartAsPamUser sets the effective privileges to that of the PAM user, and
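Review bot: The doc comment on GetItem does not state the contract that the new `data == nil` check establishes, and callers that go on to dereference the pointer depend on it. I would extend the comment with `// An unset item is reported as an error, so a nil error guarantees a non-nil pointer.` The error is also built inline with `errors.New("item not found")`, so a caller cannot tell an unset item (such as the cancelled-prompt case in the description) from any other failure without matching on the string. A package-level `var ErrItemNotFound = errors.New("item not found")` returned here would keep the message and make that case testable. Note too that `h.status` is left holding the success value on this path, so any code that reads the status after the call rather than the returned error would still see success; that is worth checking against the rest of pam.go, which is outside this hunk.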