Merge sudo 1.9.11p2 from tip.

--HG--
branch : 1.9

NEWS

@@ -1,3 +1,10 @@
+What's new in Sudo 1.9.11p2
+
+ * Fixed a compilation error on Linux/x86_64 with the x32 ABI.
+
+ * Fixed a regression introduced in 1.9.11p1 that caused a warning
+   when logging to sudo_logsrvd if the command returned no output.
+
 What's new in Sudo 1.9.11p1
 
  * Correctly handle EAGAIN in the I/O read/right events.  This fixes

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for sudo 1.9.11p1.
+# Generated by GNU Autoconf 2.71 for sudo 1.9.11p2.
 #
 # Report bugs to <https://bugzilla.sudo.ws/>.
 #
@@ -621,8 +621,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='sudo'
 PACKAGE_TARNAME='sudo'
-PACKAGE_VERSION='1.9.11p1'
+PACKAGE_VERSION='1.9.11p2'
-PACKAGE_STRING='sudo 1.9.11p1'
+PACKAGE_STRING='sudo 1.9.11p2'
 PACKAGE_BUGREPORT='https://bugzilla.sudo.ws/'
 PACKAGE_URL=''
 
@@ -1640,7 +1640,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures sudo 1.9.11p1 to adapt to many kinds of systems.
+\`configure' configures sudo 1.9.11p2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1706,7 +1706,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of sudo 1.9.11p1:";;
+     short | recursive ) echo "Configuration of sudo 1.9.11p2:";;
    esac
   cat <<\_ACEOF
 
@@ -1996,7 +1996,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-sudo configure 1.9.11p1
+sudo configure 1.9.11p2
 generated by GNU Autoconf 2.71
 
 Copyright (C) 2021 Free Software Foundation, Inc.
@@ -2653,7 +2653,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by sudo $as_me 1.9.11p1, which was
+It was created by sudo $as_me 1.9.11p2, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -33050,7 +33050,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by sudo $as_me 1.9.11p1, which was
+This file was extended by sudo $as_me 1.9.11p2, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -33118,7 +33118,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-sudo config.status 1.9.11p1
+sudo config.status 1.9.11p2
 configured by $0, generated by GNU Autoconf 2.71,
   with options \\"\$ac_cs_config\\"
 

configure.ac

@@ -18,7 +18,7 @@ dnl ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 dnl OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 dnl
 AC_PREREQ([2.70])
-AC_INIT([sudo], [1.9.11p1], [https://bugzilla.sudo.ws/], [sudo])
+AC_INIT([sudo], [1.9.11p2], [https://bugzilla.sudo.ws/], [sudo])
 AC_CONFIG_HEADERS([config.h pathnames.h])
 AC_CONFIG_SRCDIR([src/sudo.c])
 AC_CONFIG_AUX_DIR([scripts])

include/sudo_compat.h

@@ -157,7 +157,7 @@
 #endif
 
 #if defined(HAVE_DECL_SSIZE_MAX) && !HAVE_DECL_SSIZE_MAX
-# define SIZE_MAX	LONG_MAX
+# define SSIZE_MAX	LONG_MAX
 #endif
 
 #if defined(HAVE_DECL_PATH_MAX) && !HAVE_DECL_PATH_MAX

lib/protobuf-c/protobuf-c.c

@@ -2618,7 +2618,7 @@ parse_required_member(ScannedMember *scanned_member,
 			return FALSE;
 
 		def_mess = scanned_member->field->default_value;
-		if (len > pref_len) {
+		if (len >= pref_len) {
 			subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
 							 allocator,
 							 len - pref_len,

plugins/sudoers/audit.c

@@ -158,6 +158,8 @@ sudoers_audit_open(unsigned int version, sudo_conv_t conversation,
 
     sudo_conv = conversation;
     sudo_printf = plugin_printf;
+    if (sudoers_audit.event_alloc != NULL)
+	plugin_event_alloc = sudoers_audit.event_alloc;
 
     bindtextdomain("sudoers", LOCALEDIR);
 
@@ -284,7 +286,7 @@ log_server_accept(struct eventlog *evlog)
 
 	/* Open connection to log server, send hello and accept messages. */
 	client_closure = log_server_open(&audit_details, &now, false,
-	    SEND_ACCEPT, NULL, sudoers_audit.event_alloc);
+	    SEND_ACCEPT, NULL);
 	if (client_closure != NULL)
 	    ret = true;
     }
@@ -391,7 +393,7 @@ sudoers_audit_reject(const char *plugin_name, unsigned int plugin_type,
     if (!eventlog_reject(&evlog, 0, message, NULL, NULL))
 	ret = false;
 
-    if (!log_server_reject(&evlog, message, sudoers_audit.event_alloc))
+    if (!log_server_reject(&evlog, message))
 	ret = false;
 
     debug_return_int(ret);
@@ -424,8 +426,7 @@ sudoers_audit_error(const char *plugin_name, unsigned int plugin_type,
     if (!eventlog_alert(&evlog, 0, &now, message, NULL))
 	ret = false;
 
-    if (!log_server_alert(&evlog, &now, message, NULL,
+    if (!log_server_alert(&evlog, &now, message, NULL))
-	    sudoers_audit.event_alloc))
 	ret = false;
 
     debug_return_int(ret);

plugins/sudoers/env.c

@@ -986,7 +986,7 @@ rebuild_env(void)
 	 * env_check.
 	 */
 	for (ep = env.old_envp; *ep; ep++) {
-	    /* Add variable unless it matches a black list. */
+	    /* Add variable unless it matches a blocklist. */
 	    if (!env_should_delete(*ep)) {
 		if (strncmp(*ep, "SUDO_PS1=", 9) == 0)
 		    ps1 = *ep + 5;

plugins/sudoers/iolog.c

@@ -745,7 +745,7 @@ sudoers_io_open_remote(struct timespec *now)
 
     /* Open connection to log server, send hello and accept messages. */
     client_closure = log_server_open(&iolog_details, now, true, SEND_ACCEPT,
-	NULL, sudoers_io.event_alloc);
+	NULL);
     if (client_closure != NULL)
 	debug_return_int(1);
 
@@ -768,6 +768,8 @@ sudoers_io_open(unsigned int version, sudo_conv_t conversation,
 
     sudo_conv = conversation;
     sudo_printf = plugin_printf;
+    if (sudoers_io.event_alloc != NULL)
+	plugin_event_alloc = sudoers_io.event_alloc;
 
     bindtextdomain("sudoers", LOCALEDIR);
 
@@ -1329,7 +1331,7 @@ sudoers_io_setops(void)
     debug_decl(sudoers_io_setops, SUDOERS_DEBUG_PLUGIN);
 
 #ifdef SUDOERS_LOG_CLIENT
-    if (sudoers_io.event_alloc != NULL && iolog_details.log_servers != NULL) {
+    if (plugin_event_alloc != NULL && iolog_details.log_servers != NULL) {
 	io_operations.open = sudoers_io_open_remote;
 	io_operations.close = sudoers_io_close_remote;
 	io_operations.log = sudoers_io_log_remote;

plugins/sudoers/log_client.c

@@ -1964,12 +1964,17 @@ bad:
  */
 static struct client_closure *
 client_closure_alloc(struct log_details *details, struct timespec *now,
-    bool log_io, enum client_state initial_state, const char *reason,
+    bool log_io, enum client_state initial_state, const char *reason)
-    struct sudo_plugin_event * (*event_alloc)(void))
 {
     struct client_closure *closure;
     debug_decl(client_closure_alloc, SUDOERS_DEBUG_UTIL);
 
+    if (plugin_event_alloc == NULL) {
+	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+	    "plugin_event_alloc is not set");
+	debug_return_ptr(NULL);
+    }
+
     if ((closure = calloc(1, sizeof(*closure))) == NULL)
         goto oom;
 
@@ -1990,10 +1995,10 @@ client_closure_alloc(struct log_details *details, struct timespec *now,
     if (closure->read_buf.data == NULL)
 	goto oom;
 
-    if ((closure->read_ev = event_alloc()) == NULL)
+    if ((closure->read_ev = plugin_event_alloc()) == NULL)
 	goto oom;
 
-    if ((closure->write_ev = event_alloc()) == NULL)
+    if ((closure->write_ev = plugin_event_alloc()) == NULL)
 	goto oom;
 
     closure->log_details = details;
@@ -2007,15 +2012,14 @@ oom:
 
 struct client_closure *
 log_server_open(struct log_details *details, struct timespec *now,
-    bool log_io, enum client_state initial_state, const char *reason,
+    bool log_io, enum client_state initial_state, const char *reason)
-    struct sudo_plugin_event * (*event_alloc)(void))
 {
     struct client_closure *closure;
     static bool warned = false;
     debug_decl(log_server_open, SUDOERS_DEBUG_UTIL);
 
     closure = client_closure_alloc(details, now, log_io, initial_state,
-	reason, event_alloc);
+	reason);
     if (closure == NULL)
 	goto bad;
 

plugins/sudoers/log_client.h

@@ -106,7 +106,7 @@ struct client_closure {
 };
 
 /* iolog_client.c */
-struct client_closure *log_server_open(struct log_details *details, struct timespec *now, bool log_io, enum client_state initial_state, const char *reason, struct sudo_plugin_event * (*event_alloc)(void));
+struct client_closure *log_server_open(struct log_details *details, struct timespec *now, bool log_io, enum client_state initial_state, const char *reason);
 bool log_server_close(struct client_closure *closure, int exit_status, int error);
 bool fmt_client_message(struct client_closure *closure, ClientMessage *msg);
 bool fmt_accept_message(struct client_closure *closure, struct eventlog *evlog);

plugins/sudoers/logging.c

@@ -70,8 +70,6 @@ static struct parse_error_list parse_error_list =
 static bool should_mail(int);
 static bool warned = false;
 
-extern struct policy_plugin sudoers_policy;	/* XXX */
-
 #ifdef SUDOERS_LOG_CLIENT
 /*
  * Convert a defaults-style list to a stringlist.
@@ -129,8 +127,7 @@ init_log_details(struct log_details *details, struct eventlog *evlog)
 }
 
 bool
-log_server_reject(struct eventlog *evlog, const char *message,
+log_server_reject(struct eventlog *evlog, const char *message)
-    struct sudo_plugin_event * (*event_alloc)(void))
 {
     bool ret = false;
     debug_decl(log_server_reject, SUDOERS_DEBUG_LOGGING);
@@ -160,7 +157,7 @@ log_server_reject(struct eventlog *evlog, const char *message,
 
 	/* Open connection to log server, send hello and reject messages. */
 	client_closure = log_server_open(&details, &sudo_user.submit_time,
-	    false, SEND_REJECT, message, event_alloc);
+	    false, SEND_REJECT, message);
 	if (client_closure != NULL) {
 	    client_closure_free(client_closure);
 	    client_closure = NULL;
@@ -177,8 +174,7 @@ done:
 
 bool
 log_server_alert(struct eventlog *evlog, struct timespec *now,
-    const char *message, const char *errstr,
+    const char *message, const char *errstr)
-    struct sudo_plugin_event * (*event_alloc)(void))
 {
     struct log_details details;
     char *emessage = NULL;
@@ -217,7 +213,7 @@ log_server_alert(struct eventlog *evlog, struct timespec *now,
 
 	/* Open connection to log server, send hello and alert messages. */
 	client_closure = log_server_open(&details, now, false,
-	    SEND_ALERT, emessage ? emessage : message, event_alloc);
+	    SEND_ALERT, emessage ? emessage : message);
 	if (client_closure != NULL) {
 	    client_closure_free(client_closure);
 	    client_closure = NULL;
@@ -234,16 +230,14 @@ done:
 }
 #else
 bool
-log_server_reject(struct eventlog *evlog, const char *message,
+log_server_reject(struct eventlog *evlog, const char *message)
-    struct sudo_plugin_event * (*event_alloc)(void))
 {
     return true;
 }
 
 bool
 log_server_alert(struct eventlog *evlog, struct timespec *now,
-    const char *message, const char *errstr,
+    const char *message, const char *errstr)
-    struct sudo_plugin_event * (*event_alloc)(void))
 {
     return true;
 }
@@ -258,7 +252,7 @@ log_reject(const char *message, bool logit, bool mailit)
     const char *uuid_str = NULL;
     struct eventlog evlog;
     int evl_flags = 0;
-    bool ret = true;
+    bool ret;
     debug_decl(log_reject, SUDOERS_DEBUG_LOGGING);
 
     if (!ISSET(sudo_mode, MODE_POLICY_INTERCEPTED))
@@ -270,10 +264,8 @@ log_reject(const char *message, bool logit, bool mailit)
 	    SET(evl_flags, EVLOG_MAIL_ONLY);
     }
     sudoers_to_eventlog(&evlog, NewArgv, env_get(), uuid_str);
-    if (!eventlog_reject(&evlog, evl_flags, message, NULL, NULL))
+    ret = eventlog_reject(&evlog, evl_flags, message, NULL, NULL);
-	ret = false;
+    if (!log_server_reject(&evlog, message))
-
-    if (!log_server_reject(&evlog, message, sudoers_policy.event_alloc))
 	ret = false;
 
     debug_return_bool(ret);
@@ -705,9 +697,7 @@ vlog_warning(int flags, int errnum, const char *fmt, va_list ap)
 	}
 	sudoers_to_eventlog(&evlog, NewArgv, env_get(), sudo_user.uuid_str);
 	eventlog_alert(&evlog, evl_flags, &now, message, errstr);
-
+	log_server_alert(&evlog, &now, message, errstr);
-	log_server_alert(&evlog, &now, message, errstr,
-	    sudoers_policy.event_alloc);
     }
 
     /*
@@ -836,10 +826,8 @@ mail_parse_errors(void)
     }
 
     ret = eventlog_alert(&evlog, evl_flags, &now, mailbody, NULL);
-    if (!log_server_alert(&evlog, &now, mailbody, NULL,
+    if (!log_server_alert(&evlog, &now, mailbody, NULL))
-	    sudoers_policy.event_alloc)) {
 	ret = false;
-    }
 
 done:
     free(mailbody);

plugins/sudoers/logging.h

@@ -78,8 +78,8 @@ bool log_exit_status(int exit_status);
 bool log_auth_failure(int status, unsigned int tries);
 bool log_denial(int status, bool inform_user);
 bool log_failure(int status, int flags);
-bool log_server_alert(struct eventlog *evlog, struct timespec *now, const char *message, const char *errstr, struct sudo_plugin_event * (*event_alloc)(void));
+bool log_server_alert(struct eventlog *evlog, struct timespec *now, const char *message, const char *errstr);
-bool log_server_reject(struct eventlog *evlog, const char *message, struct sudo_plugin_event * (*event_alloc)(void));
+bool log_server_reject(struct eventlog *evlog, const char *message);
 bool log_warning(int flags, const char *fmt, ...) __printflike(2, 3);
 bool log_warningx(int flags, const char *fmt, ...) __printflike(2, 3);
 bool gai_log_warning(int flags, int errnum, const char *fmt, ...) __printflike(3, 4);

plugins/sudoers/policy.c

@@ -54,6 +54,7 @@ static const char *interfaces_string;
 bool sudoers_recovery = true;
 sudo_conv_t sudo_conv;
 sudo_printf_t sudo_printf;
+struct sudo_plugin_event * (*plugin_event_alloc)(void);
 const char *path_ldap_conf = _PATH_LDAP_CONF;
 const char *path_ldap_secret = _PATH_LDAP_SECRET;
 static bool session_opened;
@@ -982,7 +983,7 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
 	if ((command_info[info_len++] = sudo_new_key_val("runas_limitprivs", runas_limitprivs)) == NULL)
 	    goto oom;
     }
-#endif /* HAVE_SELINUX */
+#endif /* HAVE_PRIV_SET */
 
     /* Fill in exec environment info. */
     *(exec_args->argv) = argv;
@@ -1021,6 +1022,8 @@ sudoers_policy_open(unsigned int version, sudo_conv_t conversation,
     sudo_version = version;
     sudo_conv = conversation;
     sudo_printf = plugin_printf;
+    if (sudoers_policy.event_alloc != NULL)
+	plugin_event_alloc = sudoers_policy.event_alloc;
 
     /* Plugin args are only specified for API version 1.2 and higher. */
     if (sudo_version < SUDO_API_MKVERSION(1, 2))

plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c

@@ -40,6 +40,7 @@ struct sudo_user sudo_user;
 struct passwd *list_pw;
 sudo_printf_t sudo_printf;
 sudo_conv_t sudo_conv;
+struct sudo_plugin_event * (*plugin_event_alloc)(void);
 
 sudo_dso_public int main(int argc, char *argv[], char *envp[]);
 

plugins/sudoers/sudoers.h

@@ -428,6 +428,7 @@ extern uid_t timestamp_uid;
 extern gid_t timestamp_gid;
 extern sudo_conv_t sudo_conv;
 extern sudo_printf_t sudo_printf;
+extern struct sudo_plugin_event * (*plugin_event_alloc)(void);
 
 /* sudoers_debug.c */
 bool sudoers_debug_parse_flags(struct sudo_conf_debug_file_list *debug_files, const char *entry);

src/exec_ptrace.h

@@ -64,8 +64,10 @@
  */
 #if defined(__x86_64__)
 # define SECCOMP_AUDIT_ARCH	AUDIT_ARCH_X86_64
-# define X32_execve		__X32_SYSCALL_BIT + 520
+# ifndef __ILP32__
-# define X32_execveat		__X32_SYSCALL_BIT + 545
+#  define X32_execve		__X32_SYSCALL_BIT + 520
+#  define X32_execveat		__X32_SYSCALL_BIT + 545
+# endif
 # define sudo_pt_regs		struct user_regs_struct
 # define reg_syscall(x)		(x).orig_rax
 # define reg_retval(x)		(x).rax