Date: Tue, 12 Jan 2010 00:02:35 -0500
From: Chris <>
Subject: Segfault with unused pkinit
I have three kdc servers running 1.7. Every one of them goes down several
times a day with a segfault. Looking at the logs, the last thing I see every
time is "preauth pkinit failed to initialize: No realms configured correctly
for pkinit support".

I disabled pkinit when I compiled them, so I'm not entirely sure what is going
on there. It appears to be one person at a time who is doing something
unordinary, and failing over from one server to the next, and killing them off.

Anyway, a back trace looks like this:

klog_com_err_proc (whoami=0xbfd2df4b "krb5kdc", code=-1765328141, format=0x0,
ap=0xbfd2bbac "�G\f\b0�ҿ") at logger.c:221
221 if ((((unsigned char) *format) > 0) && (((unsigned char) *format) <= 8)) {
(gdb) bt
#0 klog_com_err_proc (whoami=0xbfd2df4b "krb5kdc", code=-1765328141,
format=0x0, ap=0xbfd2bbac "�G\f\b0�ҿ") at logger.c:221
#1 0xb7e4e65a in com_err_va (whoami=0xbfd2df4b "krb5kdc", code=-1765328141,
fmt=0x0, ap=0xbfd2bbac "�G\f\b0�ҿ") at com_err.c:112
#2 0x080561c0 in kdc_err (call_context=0x8061ae8, code=-1765328141, fmt=0x0)
at main.c:121
#3 0x0804f2ee in process_tgs_req (pkt=0xbfd2d150, from=0xbfd2c048,
response=0xbfd2c044) at do_tgs_req.c:1161
#4 0x0804bf1b in dispatch (pkt=0xbfd2d150, from=0xbfd2c048,
response=0xbfd2c044) at dispatch.c:89
#5 0x080585ea in process_packet (conn=0x813a098, selflags=1) at network.c:1229
#6 0x080593a0 in listen_and_process () at network.c:1555
#7 0x08057359 in main (argc=1, argv=0xbfd2d394) at main.c:898

To me it looks like maybe kdc_err(kdc_context, retval, 0); at do_tgs_req.c:1161
accidentally passed what it wanted *format to equal, which was 0. Whatever the plan was for format, it doesn't seem to appreciate being dereferenced.
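
As an added illustration, not krb5 source and not part of either message: a constructed com_err-style logging hook with the same shape as the line at logger.c:221 in the backtrace (the first byte of `format` is taken as a severity code in the range 1..8, an assumption modelled on that line), placed beside a version that treats a NULL `format`, as from `kdc_err(kdc_context, retval, 0)`, as an empty message instead of dereferencing it.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable shape (constructed, not the krb5 code): the first byte of
 * format is read unconditionally, so format == NULL faults exactly as
 * klog_com_err_proc() does in the backtrace above. */
int severity_unchecked(const char *format)
{
    if ((((unsigned char) *format) > 0) && (((unsigned char) *format) <= 8))
        return (unsigned char) *format;
    return 0;
}

/* Hardened variant: a NULL format is logged as "error <code>: " with no
 * message text. Returns the severity byte stripped from the format (0 if
 * none) and writes the rendered line into out. */
int klog_format_message(char *out, size_t outlen, long code,
                        const char *format, ...)
{
    const char *msg = format;
    int severity = 0;
    int n;
    va_list ap;

    if (msg == NULL) {
        msg = "";                      /* caller passed no format: do not deref */
    } else if (((unsigned char) *msg) > 0 && ((unsigned char) *msg) <= 8) {
        severity = (unsigned char) *msg++;   /* consume the severity byte */
    }

    n = snprintf(out, outlen, "error %ld: ", code);
    if (n < 0 || (size_t) n >= outlen)
        return severity;               /* prefix alone filled the buffer */

    va_start(ap, format);
    vsnprintf(out + n, outlen - (size_t) n, msg, ap);
    va_end(ap);
    return severity;
}
```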
To: rt@krbdev.MIT.EDU
Subject: Re: [ #6636] Segfault with unused pkinit
From: Tom Yu <tlyu@MIT.EDU>
Date: Tue, 12 Jan 2010 18:11:33 -0500
Thanks. This is a known vulnerability, and we have already issued a
patch and advisory. (ticket #6608, MITKRB5-SA-2009-003 CVE-2009-3295)
It will also be fixed in the upcoming 1.7.1 release. As far as we can
tell, it appears to have nothing (directly) to do with pkinit, despite
what you see in your logs.