From hgm@lanl.gov Tue Oct 1 14:51:33 2002
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by krbdev.mit.edu (8.9.3) with ESMTP
id OAA09053; Tue, 1 Oct 2002 14:51:33 -0400 (EDT)
From: hgm@lanl.gov
Received: from mailrelay2.lanl.gov (mailrelay2.lanl.gov [128.165.4.103])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id OAA07754
for <krb5-bugs@mit.edu>; Tue, 1 Oct 2002 14:51:32 -0400 (EDT)
Received: from moki.lanl.gov (localhost.localdomain [127.0.0.1])
by mailrelay2.lanl.gov (8.12.3/8.12.3/(ccn-5)) with ESMTP id g91IpWtv005823
for <krb5-bugs@mit.edu>; Tue, 1 Oct 2002 12:51:32 -0600
Received: (from root@localhost)
by moki.lanl.gov (8.9.3/8.9.3) id MAA21534;
Tue, 1 Oct 2002 12:51:20 -0600
Date: Tue, 1 Oct 2002 12:51:20 -0600
Message-Id: <200210011851.MAA21534@moki.lanl.gov>
To: krb5-bugs@mit.edu
Subject: krb5-clients
Reply-To: hgm@lanl.gov
X-send-pr-version: 3.99


>Submitter-Id: net
>Originator: Harry G. McGavran Jr.
>Organization:
Los Alamos National Laboratory
>Confidential: no
>Synopsis: kinit -k -t segfaults
>Severity: critical
>Priority: high
>Category: krb5-clients
>Class: sw-bug
>Release: krb5-1.2.6
>Environment:
Linux, all flavors
System: Linux moki 2.2.21 #1 Mon Jul 1 11:10:05 MDT 2002 i686 unknown
Architecture: i686

>Description:
kinit with a keytab file seg faults (kinit -k -t file principal)
>How-To-Repeat:
kinit -k -t file principal
>Fix:
We patched our krb5-1.2.6 source tree with:
*** ./src/lib/krb5/krb/gic_keytab.c.orig Tue Apr 11 15:43:17 2000
--- ./src/lib/krb5/krb/gic_keytab.c Mon Sep 30 13:30:39 2002
***************
*** 25,31 ****
--- 25,39 ----
if (as_key->enctype == etype)
return(0);

+ #ifndef LANL
krb5_free_keyblock(context, as_key);
+ #else /* LANL */
+ /* krb5_free_keyblock frees as_key above and that is a local variable declared
+ * in krb5_get_init_creds() and used below as well, so it should NOT be
+ * freed, only the contents can be freed.
+ */
+ krb5_free_keyblock_contents(context, as_key);
+ #endif /* LANL */
as_key->length = 0;
}
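Review bot: the fix is gated behind a site-local `LANL` macro, so any build without `-DLANL` keeps the original `krb5_free_keyblock(context, as_key);` call that the patch's own comment says is wrong; make the replacement unconditional by dropping the `#ifndef LANL` / `#else` / `#endif` lines and keeping only `krb5_free_keyblock_contents(context, as_key);`. That call releases the key bytes but leaves the struct to its owner, the local in `krb5_get_init_creds()`, so the following `as_key->length = 0;` still operates on valid storage.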

To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #1203] kinit -k -t segfaults
From: Sam Hartman <hartmans@mit.edu>
Date: Thu, 03 Oct 2002 23:26:51 -0400
RT-Send-Cc:
Do you believe that patch actually should solve the problem? If so,
why/how?
To: rt@krbdev.mit.edu
Subject: [krbdev.mit.edu #1203] Cannot reproduce problem
Date: Thu, 3 Oct 2002 23:29:49 -0400 (EDT)
From: hartmans@mit.edu (Sam Hartman)
RT-Send-Cc:

luminous:/home/hartmans# kinit -k -t /etc/krb5.keytab host/luminous.mit.edu@SUCHDAMAGE.ORG
luminous:/home/hartmans# klist -5
Ticket cache: FILE:/tmp/krb5cc_1000_fX9Nev
Default principal: host/luminous.mit.edu@SUCHDAMAGE.ORG

Valid starting Expires Service principal
10/03/02 23:28:25 10/04/02 09:28:25 krbtgt/SUCHDAMAGE.ORG@SUCHDAMAGE.ORG
luminous:/home/hartmans#

That's with krb5 1.2.5-3 on Debian; none of the Debian patches come close to this code.
To: rt-comment@krbdev.mit.edu
Cc: ggrider@lanl.gov
Subject: Re: [krbdev.mit.edu #1203] kinit -k -t segfaults
Date: Fri, 04 Oct 2002 09:05:27 -0600
From: "Harry G. McGavran Jr." <hgm@lanl.gov>
RT-Send-Cc:
On Thu, 3 Oct 2002 23:27:24 -0400 (EDT) "Sam Hartman via RT" wrote:
> Do you believe that patch actually should solve the problem? If so,
> why/how?
>
>

I presume the contents of the as structure are malloced whereas the as
structure itself is a local variable declared in a calling routine.
It seemed to fix the segfaults we were getting. I never claimed that
this was THE fix, only that it fixed the problem we saw. If you have
a better fix great, but it needs fixing!

Harry
To: rt-comment@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #1203] kinit -k -t segfaults
Date: Fri, 04 Oct 2002 09:17:04 -0600
From: "Harry G. McGavran Jr." <hgm@lanl.gov>
RT-Send-Cc:
On Thu, 3 Oct 2002 23:27:24 -0400 (EDT) "Sam Hartman via RT" wrote:
> Do you believe that patch actually should solve the problem? If so,
> why/how?
>
>

BTW:

With regard to my previous reply to this question, what put
me on to the patch that seems to fix it for us was that a gdb
on the core file that results without the patch shows the segfault
in free(). It segfaults on libc5 linux platforms.

The comment in the patch names the routine where the structure that's
freed is declared as a local variable. It seems that freeing local
variables is asking for trouble.

Harry
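The ownership distinction Harry describes above, a callee releasing a key's contents but never the caller's struct, as an added C model that is not krb5 code: the `keyblock` type and the `keyblock_free_contents` / `keyblock_free` / `select_key` functions are constructed stand-ins for `krb5_keyblock`, `krb5_free_keyblock_contents`, `krb5_free_keyblock` and the loop in `gic_keytab.c`.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for krb5_keyblock (not the real krb5 struct). */
typedef struct { int enctype; size_t length; unsigned char *contents; } keyblock;

/* Like krb5_free_keyblock_contents: release the key bytes only; the struct
 * stays intact because whoever declared it owns it. Safe to call twice. */
void keyblock_free_contents(keyblock *k) {
    if (k->contents) {
        memset(k->contents, 0, k->length);   /* scrub key material */
        free(k->contents);
        k->contents = NULL;
    }
    k->length = 0;
}

/* Like krb5_free_keyblock: legal only when k itself came from malloc. */
void keyblock_free(keyblock *k) {
    keyblock_free_contents(k);
    free(k);
}

/* Copy constructed keytab bytes into a keyblock the caller owns. */
int keyblock_set(keyblock *k, int enctype, const unsigned char *b, size_t n) {
    unsigned char *p = malloc(n);
    if (!p) return -1;
    memcpy(p, b, n);
    k->enctype = enctype; k->length = n; k->contents = p;
    return 0;
}

/* Models the loop in gic_keytab.c: keep a key of the wanted enctype, else
 * drop only its contents so the caller's struct can be refilled.
 * Returns 0 on a match, 1 if the key was discarded. */
int select_key(keyblock *as_key, int wanted_etype) {
    if (as_key->contents && as_key->enctype == wanted_etype) return 0;
    keyblock_free_contents(as_key);   /* not keyblock_free: as_key is not ours */
    return 1;
}

/* Runs the caller-owned scenario; returns 0 when every step behaves. */
int demo_stack_keyblock(void) {
    static const unsigned char bytes[] = {0x01, 0x02, 0x03, 0x04};
    keyblock as_key = {0, 0, NULL};   /* a local, as in krb5_get_init_creds() */
    if (keyblock_set(&as_key, 17, bytes, sizeof bytes) != 0) return 1;
    if (select_key(&as_key, 17) != 0 || as_key.length != 4) return 2;
    if (select_key(&as_key, 18) != 1 || as_key.contents != NULL) return 3;
    keyblock_free_contents(&as_key);  /* second call: nothing left, no crash */
    return as_key.length == 0 ? 0 : 4;
}
```

Calling `keyblock_free` on `as_key` in `select_key` would hand a stack address to `free()`, which is the crash the gdb trace in this thread points at.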
Subject: kinit -k -t segfaults
[hgm@lanl.gov - Fri Oct 4 11:17:08 2002]:

> On Thu, 3 Oct 2002 23:27:24 -0400 (EDT) "Sam Hartman via RT" wrote:
> > Do you believe that patch actually should solve the problem? If so,
> > why/how?
> >
> >
>
> BTW:
>
> With regard to my previous reply to this question, what put
> me on to the patch that seems to fix it for us was that a gdb
> on the core file that results without the patch shows the segfault
> in free(). It segfaults on libc5 linux platforms.
>
> The comment in the patch names the routine where the structure that's
> freed is declared as a local variable. It seems that freeing local
> variables is asking for trouble.
>
> Harry


Here is an updated patch for the double-free. The old libc5 box I found
did not have any core dumps after applying it.

--- ./src/lib/krb5/krb/gic_keytab.c.LANL_doublefreefix Tue Apr 11 15:43:17 2000
+++ ./src/lib/krb5/krb/gic_keytab.c Tue Oct 1 11:55:32 2002
@@ -25,7 +25,13 @@
if (as_key->enctype == etype)
return(0);

- krb5_free_keyblock(context, as_key);
+ /* krb5_free_keyblock frees as_key above and that is a local
+ * variable declaree in krb5_get_init_creds() and used below as
+ * well, so it should NOT be freed, only the contents can be
+ * freed. [Harry G McGavran hgm@lanl.gov]
+ */
+
+ krb5_free_keyblock_contents(context, as_key);
as_key->length = 0;
}
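Review bot: the added comment misspells "declared" as "declaree", and the hunk carries a stray empty `+` line between the comment block and the `krb5_free_keyblock_contents(context, as_key);` call; tidy both before merging. On substance the change is right: `krb5_free_keyblock` would pass `as_key` itself to the allocator, and the comment states that `as_key` is a local in `krb5_get_init_creds()`, so only the contents may be released; the retained `as_key->length = 0;` then resets a struct the caller still owns.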

Discovered independently and fixed on trunk prior to 1.3 branch cut;
will be in 1.3 release.