From: akallabeth@posteo.net
To: krb5-bugs@mit.edu
Date: Sat, 13 Jan 2024 13:00:48 +0000
Subject: crash with SEGV if misconfigured realm
Hi,

I've received a bug report
https://github.com/FreeRDP/FreeRDP/issues/9766 and am fairly sure there
should not be a NULL pointer access but a proper check and error return
instead.

Stack traces are in the referenced issue.


The version affected is mit-krb5-1.20.1 on a Gentoo system.


Regards
Subject: profile write functions crash on profile with no files
Summarizing the linked bug report from our perspective:

* FreeRDP has a function krb5glue_get_init_creds(), which calls krb5_get_profile() and manipulates the resulting profile with several calls, beginning with profile_clear_relation().

* Per the stack trace, profile_clear_relation() calls rw_setup(), which dereferences a null pointer at line 40 because profile->first_file is null.

* The crash occurs when there is no /etc/krb5.conf.

I can easily reproduce this crash with the following code (run with the KRB5_CONFIG environment variable set to a nonexistent path):

    #include <krb5.h>
    #include <profile.h>

    int main(void)
    {
        krb5_context ctx;
        profile_t prof;

        if (krb5_init_context(&ctx))
            return 1;
        /* With KRB5_CONFIG pointing at a nonexistent path, the profile has no files. */
        if (krb5_get_profile(ctx, &prof))
            return 1;
        /* Any write-mode operation enters rw_setup(), which dereferences first_file. */
        profile_clear_relation(prof, NULL);
        profile_release(prof);
        krb5_free_context(ctx);
        return 0;
    }

A look at the code history suggests that this bug is long-standing, although I haven't tested against older releases.
Subject: git commit
From: ghudson@mit.edu

Allow modifications of empty profiles

Add the notion of a memory-only prf_data_t object, indicated by an
empty filespec field and appropriate flags (do not reload, always
dirty, not part of shared trees). Do nothing when flushing a
memory-only data object to its backing file. When setting up an empty
profile for read/write access, create a memory-only data object
instead of crashing.

Move prf_data_t mutex initialization into profile_make_prf_data(),
simplifying its callers.

https://github.com/krb5/krb5/commit/fc54edd1dc047aedb211beaa544c5e000fbdb7a6
Author: Greg Hudson <ghudson@mit.edu>
Commit: fc54edd1dc047aedb211beaa544c5e000fbdb7a6
Branch: master
src/util/profile/prof_file.c | 46 +++++++++++++++++++++++++++++++++++++-------
src/util/profile/prof_int.h | 2 ++
src/util/profile/prof_set.c | 33 ++++++++++++++-----------------
src/util/profile/t_profile.c | 28 +++++++++++++++++++++++++++
4 files changed, 83 insertions(+), 26 deletions(-)
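As an added illustration of the fix the commit message describes (example code, not krb5's own; the structs, flag names and functions are a simplified model), rw_setup() gives an empty profile a memory-only data object instead of dereferencing a null first_file, and the flush step skips objects with an empty filespec:

```c
#include <stdlib.h>
#include <errno.h>

/* Simplified model of krb5's prf_data_t / profile_t; not the real structs. */
#define PROFILE_FILE_DIRTY      0x01   /* needs to be written out */
#define PROFILE_FILE_NO_RELOAD  0x02   /* never re-read from disk */

struct prf_data {
    const char *filespec;  /* "" marks a memory-only object with no backing file */
    int flags;
    int writes;            /* count of real file writes (hypothetical test hook) */
};

struct profile {
    struct prf_data *first_file;  /* NULL when no config file could be opened */
};

/* An empty filespec yields a memory-only object: always dirty, never
 * reloaded, and never entered into the shared data tree. */
struct prf_data *make_prf_data(const char *filespec)
{
    struct prf_data *d = calloc(1, sizeof(*d));
    if (d == NULL)
        return NULL;
    d->filespec = filespec;   /* model only: the caller keeps the string alive */
    if (*filespec == '\0')
        d->flags = PROFILE_FILE_DIRTY | PROFILE_FILE_NO_RELOAD;
    return d;
}

/* The reported SEGV came from dereferencing p->first_file unconditionally;
 * here an empty profile gets a memory-only object and allocation failure is an error. */
int rw_setup(struct profile *p)
{
    if (p->first_file == NULL) {
        p->first_file = make_prf_data("");
        if (p->first_file == NULL)
            return ENOMEM;
    }
    p->first_file->flags |= PROFILE_FILE_DIRTY;
    return 0;
}

int flush_data(struct prf_data *d)
{
    if (*d->filespec != '\0')   /* memory-only objects have no file to write */
        d->writes++;            /* a real implementation rewrites the file here */
    return 0;
}
```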