slurm/pam_slurm-Initialize-arrays-and-pass-sizes.patch

From d51d3e1db8b2ed650a042352eff041ae77e467f9 Mon Sep 17 00:00:00 2001
From: Egbert Eich <eich@suse.com>
Date: Mon, 20 Feb 2023 21:29:27 +0100
Subject: [PATCH] pam_slurm: Initialize arrays and pass sizes

PAM is security critical:
- clear arrays
- ensure strings are NULL-terminated.

Signed-off-by: Egbert Eich <eich@suse.com>
Originally-from: Sebastian Krahmer <krahmer@suse.com>
Signed-off-by: Egbert Eich <eich@suse.de>
---
 contribs/pam/pam_slurm.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/contribs/pam/pam_slurm.c b/contribs/pam/pam_slurm.c
index a27e651548..eac9879c07 100644
--- a/contribs/pam/pam_slurm.c
+++ b/contribs/pam/pam_slurm.c
@@ -279,9 +279,9 @@ static int
 _gethostname_short (char *name, size_t len)
 {
 	int error_code, name_len;
-	char *dot_ptr, path_name[1024];
+	char *dot_ptr, path_name[1024] = {0};
 
-	error_code = gethostname(path_name, sizeof(path_name));
+	error_code = gethostname(path_name, sizeof(path_name) - 1);
 	if (error_code)
 		return error_code;
 
@@ -309,13 +309,13 @@ static int
 _slurm_match_allocation(uid_t uid)
 {
 	int authorized = 0, i;
-	char hostname[HOST_NAME_MAX];
+	char hostname[HOST_NAME_MAX] = {0};
 	char *nodename = NULL;
 	job_info_msg_t * msg;
 
 	slurm_init(NULL);
 
-	if (_gethostname_short(hostname, sizeof(hostname)) < 0) {
+	if (_gethostname_short(hostname, sizeof(hostname) - 1) < 0) {
 		_log_msg(LOG_ERR, "gethostname: %m");
 		return 0;
 	}
@@ -438,7 +438,7 @@ _send_denial_msg(pam_handle_t *pamh, struct _options *opts,
  */
 extern void libpam_slurm_init (void)
 {
-	char libslurmname[64];
+	char libslurmname[64] = {0};
 
 	if (slurm_h)
 		return;
@@ -446,10 +446,10 @@ extern void libpam_slurm_init (void)
 	/* First try to use the same libslurm version ("libslurm.so.24.0.0"),
 	 * Second try to match the major version number ("libslurm.so.24"),
 	 * Otherwise use "libslurm.so" */
-	if (snprintf(libslurmname, sizeof(libslurmname),
+	if (snprintf(libslurmname, sizeof(libslurmname) - 1,
 			"libslurm.so.%d.%d.%d", SLURM_API_CURRENT,
 			SLURM_API_REVISION, SLURM_API_AGE) >=
-			sizeof(libslurmname) ) {
+			sizeof(libslurmname) - 1) {
 		_log_msg (LOG_ERR, "Unable to write libslurmname\n");
 	} else if ((slurm_h = dlopen(libslurmname, RTLD_NOW|RTLD_GLOBAL))) {
 		return;
@@ -458,8 +458,10 @@ extern void libpam_slurm_init (void)
 			libslurmname, dlerror ());
 	}
 
-	if (snprintf(libslurmname, sizeof(libslurmname), "libslurm.so.%d",
-			SLURM_API_CURRENT) >= sizeof(libslurmname) ) {
+	memset(libslurmname, 0, sizeof(libslurmname));
+
+	if (snprintf(libslurmname, sizeof(libslurmname) - 1, "libslurm.so.%d",
+			SLURM_API_CURRENT) >= sizeof(libslurmname) - 1) {
 		_log_msg (LOG_ERR, "Unable to write libslurmname\n");
 	} else if ((slurm_h = dlopen(libslurmname, RTLD_NOW|RTLD_GLOBAL))) {
 		return;
-- 
2.42.1
- Fix testsuite: Cater for erroneous: `#include </src/[slurm_internal_header]>` statements. OBS-URL: https://build.opensuse.org/package/show/network:cluster/slurm?expand=0&rev=304 2025-01-09 16:43:36 +01:00			`From d51d3e1db8b2ed650a042352eff041ae77e467f9 Mon Sep 17 00:00:00 2001`
			`From: Egbert Eich <eich@suse.com>`
			`Date: Mon, 20 Feb 2023 21:29:27 +0100`
			`Subject: [PATCH] pam_slurm: Initialize arrays and pass sizes`

			`PAM is security critical:`
			`- clear arrays`
			`- ensure strings are NULL-terminated.`

			`Signed-off-by: Egbert Eich <eich@suse.com>`
			`Originally-from: Sebastian Krahmer <krahmer@suse.com>`
			`Signed-off-by: Egbert Eich <eich@suse.de>`
			`---`
			`contribs/pam/pam_slurm.c \| 20 +++++++++++---------`
			`1 file changed, 11 insertions(+), 9 deletions(-)`

			`diff --git a/contribs/pam/pam_slurm.c b/contribs/pam/pam_slurm.c`
			`index a27e651548..eac9879c07 100644`
			`--- a/contribs/pam/pam_slurm.c`
			`+++ b/contribs/pam/pam_slurm.c`
			`@@ -279,9 +279,9 @@ static int`
			`_gethostname_short (char *name, size_t len)`
			`{`
			`int error_code, name_len;`
			`- char *dot_ptr, path_name[1024];`
			`+ char *dot_ptr, path_name[1024] = {0};`

			`- error_code = gethostname(path_name, sizeof(path_name));`
			`+ error_code = gethostname(path_name, sizeof(path_name) - 1);`
			`if (error_code)`
			`return error_code;`

			`@@ -309,13 +309,13 @@ static int`
			`_slurm_match_allocation(uid_t uid)`
			`{`
			`int authorized = 0, i;`
			`- char hostname[HOST_NAME_MAX];`
			`+ char hostname[HOST_NAME_MAX] = {0};`
			`char *nodename = NULL;`
			`job_info_msg_t * msg;`

			`slurm_init(NULL);`

			`- if (_gethostname_short(hostname, sizeof(hostname)) < 0) {`
			`+ if (_gethostname_short(hostname, sizeof(hostname) - 1) < 0) {`
			`_log_msg(LOG_ERR, "gethostname: %m");`
			`return 0;`
			`}`
			`@@ -438,7 +438,7 @@ _send_denial_msg(pam_handle_t pamh, struct _options opts,`
			`*/`
			`extern void libpam_slurm_init (void)`
			`{`
			`- char libslurmname[64];`
			`+ char libslurmname[64] = {0};`

			`if (slurm_h)`
			`return;`
			`@@ -446,10 +446,10 @@ extern void libpam_slurm_init (void)`
			`/* First try to use the same libslurm version ("libslurm.so.24.0.0"),`
			`* Second try to match the major version number ("libslurm.so.24"),`
			`* Otherwise use "libslurm.so" */`
			`- if (snprintf(libslurmname, sizeof(libslurmname),`
			`+ if (snprintf(libslurmname, sizeof(libslurmname) - 1,`
			`"libslurm.so.%d.%d.%d", SLURM_API_CURRENT,`
			`SLURM_API_REVISION, SLURM_API_AGE) >=`
			`- sizeof(libslurmname) ) {`
			`+ sizeof(libslurmname) - 1) {`
			`_log_msg (LOG_ERR, "Unable to write libslurmname\n");`
			`} else if ((slurm_h = dlopen(libslurmname, RTLD_NOW\|RTLD_GLOBAL))) {`
			`return;`
			`@@ -458,8 +458,10 @@ extern void libpam_slurm_init (void)`
			`libslurmname, dlerror ());`
			`}`

			`- if (snprintf(libslurmname, sizeof(libslurmname), "libslurm.so.%d",`
			`- SLURM_API_CURRENT) >= sizeof(libslurmname) ) {`
			`+ memset(libslurmname, 0, sizeof(libslurmname));`
			`+`
			`+ if (snprintf(libslurmname, sizeof(libslurmname) - 1, "libslurm.so.%d",`
			`+ SLURM_API_CURRENT) >= sizeof(libslurmname) - 1) {`
			`_log_msg (LOG_ERR, "Unable to write libslurmname\n");`
			`} else if ((slurm_h = dlopen(libslurmname, RTLD_NOW\|RTLD_GLOBAL))) {`
			`return;`
			`--`
			`2.42.1`