illumos gate

In libidmap, the idmap cache '{gid/uid}2sid_winname' contains entries that can have either a SID or winname (or both). These entries also contain TTLs for the sid and winname, which are meant to be non-zero only when the corresponding item is non-NULL.
idmap_cache_lookup_winnameby{uid/gid}() looks up an entry in idmap_cache.uid2sid_winname and checks whether winname_ttl is greater than the current time before strdup()'ing winname. This usually works, because the idmap_cache_add_{sid/winname}2{uid/gid}() functions set one of these pairs to non-NULL/non-zero, and the other to NULL/zero.

However, the idmap_cache_add_sid2pid() function forgets to set winname_ttl to 0, even though it sets winname to NULL. This leaves winname_ttl uninitialized. If the program later calls idmap_getwinnamebypid() with IDMAP_REQ_FLG_USE_CACHE set in the flag argument, and if this uninitialized memory was set to a value greater than the time at which this function is called, idmap_cache_lookup_winnameby{uid/gid}() will strdup(NULL), causing a segfault.

The attached program can be built and used to reproduce this/test the fix. Simply run "./idmap-test S-1-5-32-544".

Testing was done with the reproduction program.