NetBSD-Bugs archive
lib/57631: pam_krb5.so seemingly randomly segfaults post the June update
>Number: 57631
>Category: lib
>Synopsis: pam_krb5.so seemingly randomly segfaults post the June update
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Sep 27 04:35:00 +0000 2023
>Originator: Mark Davies
>Release: NetBSD 10.0_BETA
>Organization:
ECS, Victoria Uni. of Wellington, New Zealand.
>Environment:
System: NetBSD turakirae.ecs.vuw.ac.nz 10.0_BETA NetBSD 10.0_BETA (GENERIC) #0: Mon Sep 18 14:53:06 NZST 2023 mark%turakirae.ecs.vuw.ac.nz@localhost:/local/SAVE/10_64.obj/src/work/10/src/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
On a system configured to authenticate via Kerberos with a pam_krb5.so.4 that incorporates the
changes made in June, both dovecot's auth and saslauthd (configured to do pam, and pam to do pam_krb5)
would get segmentation faults processing some connections while others (giving the same credentials)
would succeed.
Leaving everything else the same but reverting the June change to pam_krb5.c eliminates the problem.
Feels like some kind of use after free, but I can't spot the precise issue.
Stack traces from some saslauthd cores are below:
Core was generated by `saslauthd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 quote_string (s=0x73756372616d <error: Cannot access memory at address 0x73756372616d>,
out=out@entry=0x7f7fff06fbd0 "", idx=0, len=len@entry=256, display=display@entry=0)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/principal.c:418
(gdb) where
#0 quote_string (s=0x73756372616d <error: Cannot access memory at address 0x73756372616d>,
out=out@entry=0x7f7fff06fbd0 "", idx=0, len=len@entry=256, display=display@entry=0)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/principal.c:418
#1 0x0000736565442cc0 in unparse_name_fixed (context=context@entry=0x736565752000, principal=0x7365656dd5a0,
name=name@entry=0x7f7fff06fbd0 "", len=len@entry=256, flags=flags@entry=0)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/principal.c:457
#2 0x0000736565443569 in krb5_unparse_name_fixed (context=context@entry=0x736565752000,
principal=<optimized out>, name=name@entry=0x7f7fff06fbd0 "", len=len@entry=256)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/principal.c:507
#3 0x00007365654429ec in krb5_error_from_rd_error (context=context@entry=0x736565752000,
error=error@entry=0x7365657b7da0, creds=creds@entry=0x7365657b7c08)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/rd_error.c:86
#4 0x000073656542cf22 in krb5_init_creds_step (context=context@entry=0x736565752000,
ctx=ctx@entry=0x7365657b7c00, in=in@entry=0x7f7fff070640, out=out@entry=0x7f7fff070650,
hostinfo=hostinfo@entry=0x0, flags=flags@entry=0x7f7fff070634)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/init_creds_pw.c:2334
#5 0x000073656542de98 in krb5_init_creds_get (context=context@entry=0x736565752000, ctx=0x7365657b7c00)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/init_creds_pw.c:2634
#6 0x000073656542b963 in krb5_get_init_creds_password (context=0x736565752000, creds=0x7f7fff071110,
client=0x7365656ddb20, password=0x7365657ea110 "xxxxxxxxxxxx", prompter=0x0, data=0x7365657f2000,
start_time=0, in_tkt_service=<optimized out>, options=0x736565789180)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/init_creds_pw.c:2728
#7 0x000073656020279b in pam_sm_authenticate () from /usr/lib/security/pam_krb5.so.4
#8 0x0000736563804cee in openpam_dispatch (pamh=pamh@entry=0x7365657f2000, primitive=primitive@entry=0,
flags=-2147483648) at /src/work/10/src/external/bsd/openpam/dist/lib/libpam/openpam_dispatch.c:125
#9 0x0000736563803e66 in pam_authenticate (pamh=0x7365657f2000, flags=<optimized out>)
at /src/work/10/src/external/bsd/openpam/dist/lib/libpam/pam_authenticate.c:69
#10 0x000000019e203ca9 in ?? ()
#11 0x000000019e2083cc in ?? ()
#12 0x000000019e20758d in ?? ()
#13 0x000000019e207c8c in ?? ()
#14 0x000000019e20a1ab in ?? ()
#15 0x000000019e202edd in ?? ()
#16 0x00007f7f3840bbb8 in ?? () from /usr/libexec/ld.elf_so
#17 0x0000000000000003 in ?? ()
#18 0x00007f7fff0729f0 in ?? ()
#19 0x00007f7fff072a08 in ?? ()
#20 0x00007f7fff072a0b in ?? ()
#21 0x0000000000000000 in ?? ()
Core was generated by `saslauthd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000796d85d9c091 in strlen () from /usr/lib/libc.so.12
(gdb) where
#0 0x0000796d85d9c091 in strlen () from /usr/lib/libc.so.12
#1 0x0000796d85cbbb4b in _strdup (str=0x736d6c616572 <error: Cannot access memory at address 0x736d6c616572>)
at /src/work/10/src/lib/libc/string/strdup.c:60
#2 0x0000796d88081c17 in der_copy_general_string (from=<optimized out>, to=0x796d88a61390)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/asn1/der_copy.c:46
#3 0x0000796d8804a104 in copy_PrincipalName (from=from@entry=0x796d887d49a0, to=to@entry=0x796d88746220)
at asn1_krb5_asn1.c:1019
#4 0x0000796d8804a4c5 in copy_Principal (from=from@entry=0x796d887d49a0, to=to@entry=0x796d88746220)
at asn1_krb5_asn1.c:1160
#5 0x0000796d88443cb3 in krb5_copy_principal (context=context@entry=0x796d88764000, inprinc=0x796d887d49a0,
outprinc=outprinc@entry=0x7f7fffbc60d8)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/principal.c:918
#6 0x0000796d88447efd in mcc_get_principal (context=0x796d88764000, id=<optimized out>, principal=0x7f7fffbc60d8)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/mcache.c:329
#7 0x0000796d83203bb9 in pam_sm_chauthtok () from /usr/lib/security/pam_krb5.so.4
#8 0x0000796d86804cee in openpam_dispatch (pamh=0x796d88a61350, primitive=-2005468800, flags=-2147483648)
at /src/work/10/src/external/bsd/openpam/dist/lib/libpam/openpam_dispatch.c:125
#9 0x00000000eba03cbe in ?? ()
#10 0x00007f7fffbc6210 in ?? ()
#11 0x0000796d88a48000 in ?? ()
#12 0x00000000eba03a02 in ?? ()
#13 0x00007f7f5800800e in _rtld_symlook_obj_matched_symbol (vcount=<synthetic pointer>, vsymp=<synthetic pointer>,
symnum=133511350964291, ventry=0xeba083cc, flags=<optimized out>, obj=0x7f7fffbc6800,
name=0x7f7fffbc64d0 "rarnold") at /src/work/10/src/libexec/ld.elf_so/symbol.c:186
#14 _rtld_symlook_obj_sysv (ventry=<optimized out>, flags=<optimized out>, obj=0x7f7fffbc6800,
hash=<optimized out>, name=0x7f7fffbc64d0 "rarnold") at /src/work/10/src/libexec/ld.elf_so/symbol.c:308
#15 _rtld_symlook_obj (name=0x7f7fffbc64d0 "rarnold", hash=<optimized out>, obj=0x7f7fffbc6800,
flags=<optimized out>, ventry=0xeba083cc) at /src/work/10/src/libexec/ld.elf_so/symbol.c:391
#16 0x00007f7f00000000 in ?? ()
#17 0x0000000000000000 in ?? ()
Core was generated by `saslauthd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000796d85d9c091 in strlen () from /usr/lib/libc.so.12
(gdb) where
#0 0x0000796d85d9c091 in strlen () from /usr/lib/libc.so.12
#1 0x0000796d85cbbb4b in _strdup (str=0x74677462726b <error: Cannot access memory at address 0x74677462726b>)
at /src/work/10/src/lib/libc/string/strdup.c:60
#2 0x0000796d88081c17 in der_copy_general_string (from=<optimized out>, to=0x796d88a613b0)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/asn1/der_copy.c:46
#3 0x0000796d8804a104 in copy_PrincipalName (from=from@entry=0x796d887d4c00, to=to@entry=0x796d887d48c0)
at asn1_krb5_asn1.c:1019
#4 0x0000796d8804a4c5 in copy_Principal (from=from@entry=0x796d887d4c00, to=to@entry=0x796d887d48c0)
at asn1_krb5_asn1.c:1160
#5 0x0000796d88443cb3 in krb5_copy_principal (context=context@entry=0x796d88764000,
inprinc=inprinc@entry=0x796d887d4c00, outprinc=outprinc@entry=0x796d8875d5c0)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/principal.c:918
#6 0x0000796d88448587 in mcc_initialize (context=0x796d88764000, id=<optimized out>,
primary_principal=0x796d887d4c00) at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/mcache.c:209
#7 0x0000796d884654db in krb5_cc_initialize (context=<optimized out>, id=0x796d887d4b20,
primary_principal=<optimized out>) at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/cache.c:677
#8 0x0000796d8320284a in pam_sm_authenticate () from /usr/lib/security/pam_krb5.so.4
#9 0x0000796d86804cee in openpam_dispatch (pamh=pamh@entry=0x796d88a48000, primitive=primitive@entry=0,
flags=-2147483648) at /src/work/10/src/external/bsd/openpam/dist/lib/libpam/openpam_dispatch.c:125
#10 0x0000796d86803e66 in pam_authenticate (pamh=0x796d88a48000, flags=<optimized out>)
at /src/work/10/src/external/bsd/openpam/dist/lib/libpam/pam_authenticate.c:69
#11 0x00000000eba03ca9 in ?? ()
#12 0x00007f7fffbc6210 in ?? ()
#13 0x0000796d88a48000 in ?? ()
#14 0x00000000eba03a02 in ?? ()
#15 0x0000000000000000 in ?? ()
>How-To-Repeat:
On a system using Kerberos for authentication,
run 'saslauthd -a pam',
loop running testsaslauthd with a valid username/password until you observe a failed invocation,
and note the associated saslauthd.core produced.
smb2# while ( 1 )
while? testsaslauthd -u validusername -p validpassword
while? end
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
size read failed
0: size read failed
0: size read failed
0: 0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
size read failed
0: size read failed
0: connect() : Connection refused
smb2# ls -l /var/run/saslauthd/
total 1426
srwxrwxrwx 1 root wheel 0 Sep 27 16:56 mux
-rw------- 1 root wheel 0 Sep 27 16:56 mux.accept
-rw------- 1 root wheel 1435424 Sep 27 16:57 saslauthd.core
-rw------- 1 root wheel 6 Sep 27 16:56 saslauthd.pid
>Fix:
unknown
>Unformatted:
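Triage note added to this archive page (not part of the original report, and not NetBSD or Heimdal code): the inaccessible pointer values in the three backtraces can be checked for string data by decoding them as little-endian bytes, which is how amd64 stores them. A pointer that spells printable ASCII means the pointer field was overwritten with text, which fits the reporter's use-after-free suspicion. The helper names below are hypothetical; the sample lines are copied from the traces above.

```python
import re

# Frame lines copied from the three backtraces in the report (amd64, little-endian).
SAMPLE_FRAMES = """\
#0 quote_string (s=0x73756372616d <error: Cannot access memory at address 0x73756372616d>,
#1 0x0000796d85cbbb4b in _strdup (str=0x736d6c616572 <error: Cannot access memory at address 0x736d6c616572>)
#1 0x0000796d85cbbb4b in _strdup (str=0x74677462726b <error: Cannot access memory at address 0x74677462726b>)
"""

# gdb prints this for a pointer argument it cannot dereference.
BAD_PTR = re.compile(r"(\w+)=0x([0-9a-fA-F]+) <error: Cannot access memory at address")
FUNC = re.compile(r"(\w+) \(")


def decode_pointer(value, width=8, min_len=4):
    """Return the ASCII text a little-endian pointer value spells, or None."""
    raw = value.to_bytes(width, "little").rstrip(b"\x00")  # drop zero high bytes
    if len(raw) >= min_len and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def find_text_pointers(backtrace):
    """List (function, argument, hex address, decoded text) for bad pointers that are text."""
    hits = []
    for line in backtrace.splitlines():
        bad = BAD_PTR.search(line)
        if bad is None:
            continue
        text = decode_pointer(int(bad.group(2), 16))
        if text is not None:
            func = FUNC.search(line)
            hits.append((func.group(1) if func else "?", bad.group(1), bad.group(2), text))
    return hits


if __name__ == "__main__":
    for func, arg, addr, text in find_text_pointers(SAMPLE_FRAMES):
        print(f"{func}: {arg}=0x{addr} spells {text!r}")
```

All three faulting addresses decode to six-character printable strings (one of them is `krbtgt`), while a genuine stack address such as 0x7f7fff06fbd0 from the same trace does not.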