NetBSD Problem Report #57631
From mark@ecs.vuw.ac.nz Wed Sep 27 04:31:46 2023
Date: Wed, 27 Sep 2023 17:31:40 +1300 (NZDT)
From: mark@ecs.vuw.ac.nz
Reply-To: mark@ecs.vuw.ac.nz
To: gnats-bugs@NetBSD.org
Subject: pam_krb5.so seemingly randomly segfaults post the June update
X-Send-Pr-Version: 3.95
>Number: 57631
>Category: lib
>Synopsis: pam_krb5.so seemingly randomly segfaults post the June update
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: lib-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Sep 27 04:35:00 +0000 2023
>Closed-Date: Mon Oct 02 15:16:44 +0000 2023
>Last-Modified: Mon Oct 02 15:16:44 +0000 2023
>Originator: Mark Davies
>Release: NetBSD 10.0_BETA
>Organization:
ECS, Victoria Uni. of Wellington, New Zealand.
>Environment:
System: NetBSD turakirae.ecs.vuw.ac.nz 10.0_BETA NetBSD 10.0_BETA (GENERIC) #0: Mon Sep 18 14:53:06 NZST 2023 mark@turakirae.ecs.vuw.ac.nz:/local/SAVE/10_64.obj/src/work/10/src/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
On a system configured to authenticate via kerberos with a pam_krb5.so.4 that incorporates the
changes made in June both dovecot's auth and saslauthd (configured to do pam, and pam to do pam_krb5)
would get segmentation faults processing some connections while others (giving the same credentials)
would succeed.
Leaving everything else the same but reverting the June change to pam_krb5.c eliminates the problem.
Feels like some kind of use after free, but I can't spot the precise issue.
Stack traces from some saslauthd cores are below:
Core was generated by `saslauthd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 quote_string (s=0x73756372616d <error: Cannot access memory at address 0x73756372616d>,
out=out@entry=0x7f7fff06fbd0 "", idx=0, len=len@entry=256, display=display@entry=0)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/principal.c:418
(gdb) where
#0 quote_string (s=0x73756372616d <error: Cannot access memory at address 0x73756372616d>,
out=out@entry=0x7f7fff06fbd0 "", idx=0, len=len@entry=256, display=display@entry=0)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/principal.c:418
#1 0x0000736565442cc0 in unparse_name_fixed (context=context@entry=0x736565752000, principal=0x7365656dd5a0,
name=name@entry=0x7f7fff06fbd0 "", len=len@entry=256, flags=flags@entry=0)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/principal.c:457
#2 0x0000736565443569 in krb5_unparse_name_fixed (context=context@entry=0x736565752000,
principal=<optimized out>, name=name@entry=0x7f7fff06fbd0 "", len=len@entry=256)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/principal.c:507
#3 0x00007365654429ec in krb5_error_from_rd_error (context=context@entry=0x736565752000,
error=error@entry=0x7365657b7da0, creds=creds@entry=0x7365657b7c08)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/rd_error.c:86
#4 0x000073656542cf22 in krb5_init_creds_step (context=context@entry=0x736565752000,
ctx=ctx@entry=0x7365657b7c00, in=in@entry=0x7f7fff070640, out=out@entry=0x7f7fff070650,
hostinfo=hostinfo@entry=0x0, flags=flags@entry=0x7f7fff070634)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/init_creds_pw.c:2334
#5 0x000073656542de98 in krb5_init_creds_get (context=context@entry=0x736565752000, ctx=0x7365657b7c00)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/init_creds_pw.c:2634
#6 0x000073656542b963 in krb5_get_init_creds_password (context=0x736565752000, creds=0x7f7fff071110,
client=0x7365656ddb20, password=0x7365657ea110 "xxxxxxxxxxxx", prompter=0x0, data=0x7365657f2000,
start_time=0, in_tkt_service=<optimized out>, options=0x736565789180)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/init_creds_pw.c:2728
#7 0x000073656020279b in pam_sm_authenticate () from /usr/lib/security/pam_krb5.so.4
#8 0x0000736563804cee in openpam_dispatch (pamh=pamh@entry=0x7365657f2000, primitive=primitive@entry=0,
flags=-2147483648) at /src/work/10/src/external/bsd/openpam/dist/lib/libpam/openpam_dispatch.c:125
#9 0x0000736563803e66 in pam_authenticate (pamh=0x7365657f2000, flags=<optimized out>)
at /src/work/10/src/external/bsd/openpam/dist/lib/libpam/pam_authenticate.c:69
#10 0x000000019e203ca9 in ?? ()
#11 0x000000019e2083cc in ?? ()
#12 0x000000019e20758d in ?? ()
#13 0x000000019e207c8c in ?? ()
#14 0x000000019e20a1ab in ?? ()
#15 0x000000019e202edd in ?? ()
#16 0x00007f7f3840bbb8 in ?? () from /usr/libexec/ld.elf_so
#17 0x0000000000000003 in ?? ()
#18 0x00007f7fff0729f0 in ?? ()
#19 0x00007f7fff072a08 in ?? ()
#20 0x00007f7fff072a0b in ?? ()
#21 0x0000000000000000 in ?? ()
Core was generated by `saslauthd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000796d85d9c091 in strlen () from /usr/lib/libc.so.12
(gdb) where
#0 0x0000796d85d9c091 in strlen () from /usr/lib/libc.so.12
#1 0x0000796d85cbbb4b in _strdup (str=0x736d6c616572 <error: Cannot access memory at address 0x736d6c616572>)
at /src/work/10/src/lib/libc/string/strdup.c:60
#2 0x0000796d88081c17 in der_copy_general_string (from=<optimized out>, to=0x796d88a61390)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/asn1/der_copy.c:46
#3 0x0000796d8804a104 in copy_PrincipalName (from=from@entry=0x796d887d49a0, to=to@entry=0x796d88746220)
at asn1_krb5_asn1.c:1019
#4 0x0000796d8804a4c5 in copy_Principal (from=from@entry=0x796d887d49a0, to=to@entry=0x796d88746220)
at asn1_krb5_asn1.c:1160
#5 0x0000796d88443cb3 in krb5_copy_principal (context=context@entry=0x796d88764000, inprinc=0x796d887d49a0,
outprinc=outprinc@entry=0x7f7fffbc60d8)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/principal.c:918
#6 0x0000796d88447efd in mcc_get_principal (context=0x796d88764000, id=<optimized out>, principal=0x7f7fffbc60d8)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/mcache.c:329
#7 0x0000796d83203bb9 in pam_sm_chauthtok () from /usr/lib/security/pam_krb5.so.4
#8 0x0000796d86804cee in openpam_dispatch (pamh=0x796d88a61350, primitive=-2005468800, flags=-2147483648)
at /src/work/10/src/external/bsd/openpam/dist/lib/libpam/openpam_dispatch.c:125
#9 0x00000000eba03cbe in ?? ()
#10 0x00007f7fffbc6210 in ?? ()
#11 0x0000796d88a48000 in ?? ()
#12 0x00000000eba03a02 in ?? ()
#13 0x00007f7f5800800e in _rtld_symlook_obj_matched_symbol (vcount=<synthetic pointer>, vsymp=<synthetic pointer>,
symnum=133511350964291, ventry=0xeba083cc, flags=<optimized out>, obj=0x7f7fffbc6800,
name=0x7f7fffbc64d0 "rarnold") at /src/work/10/src/libexec/ld.elf_so/symbol.c:186
#14 _rtld_symlook_obj_sysv (ventry=<optimized out>, flags=<optimized out>, obj=0x7f7fffbc6800,
hash=<optimized out>, name=0x7f7fffbc64d0 "rarnold") at /src/work/10/src/libexec/ld.elf_so/symbol.c:308
#15 _rtld_symlook_obj (name=0x7f7fffbc64d0 "rarnold", hash=<optimized out>, obj=0x7f7fffbc6800,
flags=<optimized out>, ventry=0xeba083cc) at /src/work/10/src/libexec/ld.elf_so/symbol.c:391
#16 0x00007f7f00000000 in ?? ()
#17 0x0000000000000000 in ?? ()
Core was generated by `saslauthd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000796d85d9c091 in strlen () from /usr/lib/libc.so.12
(gdb) where
#0 0x0000796d85d9c091 in strlen () from /usr/lib/libc.so.12
#1 0x0000796d85cbbb4b in _strdup (str=0x74677462726b <error: Cannot access memory at address 0x74677462726b>)
at /src/work/10/src/lib/libc/string/strdup.c:60
#2 0x0000796d88081c17 in der_copy_general_string (from=<optimized out>, to=0x796d88a613b0)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/asn1/der_copy.c:46
#3 0x0000796d8804a104 in copy_PrincipalName (from=from@entry=0x796d887d4c00, to=to@entry=0x796d887d48c0)
at asn1_krb5_asn1.c:1019
#4 0x0000796d8804a4c5 in copy_Principal (from=from@entry=0x796d887d4c00, to=to@entry=0x796d887d48c0)
at asn1_krb5_asn1.c:1160
#5 0x0000796d88443cb3 in krb5_copy_principal (context=context@entry=0x796d88764000,
inprinc=inprinc@entry=0x796d887d4c00, outprinc=outprinc@entry=0x796d8875d5c0)
at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/principal.c:918
#6 0x0000796d88448587 in mcc_initialize (context=0x796d88764000, id=<optimized out>,
primary_principal=0x796d887d4c00) at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/mcache.c:209
#7 0x0000796d884654db in krb5_cc_initialize (context=<optimized out>, id=0x796d887d4b20,
primary_principal=<optimized out>) at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/cache.c:677
#8 0x0000796d8320284a in pam_sm_authenticate () from /usr/lib/security/pam_krb5.so.4
#9 0x0000796d86804cee in openpam_dispatch (pamh=pamh@entry=0x796d88a48000, primitive=primitive@entry=0,
flags=-2147483648) at /src/work/10/src/external/bsd/openpam/dist/lib/libpam/openpam_dispatch.c:125
#10 0x0000796d86803e66 in pam_authenticate (pamh=0x796d88a48000, flags=<optimized out>)
at /src/work/10/src/external/bsd/openpam/dist/lib/libpam/pam_authenticate.c:69
#11 0x00000000eba03ca9 in ?? ()
#12 0x00007f7fffbc6210 in ?? ()
#13 0x0000796d88a48000 in ?? ()
#14 0x00000000eba03a02 in ?? ()
#15 0x0000000000000000 in ?? ()
>How-To-Repeat:
On a system using kerberos for authentication,
run 'saslauthd -a pam'
loop running testsaslauthd with valid username/password until you observe a failed invocation
and note associated saslauthd.core produced.
smb2# while ( 1 )
while? testsaslauthd -u validusername -p validpassword
while? end
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
size read failed
0: size read failed
0: size read failed
0: 0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
size read failed
0: size read failed
0: connect() : Connection refused
smb2# ls -l /var/run/saslauthd/
total 1426
srwxrwxrwx 1 root wheel 0 Sep 27 16:56 mux
-rw------- 1 root wheel 0 Sep 27 16:56 mux.accept
-rw------- 1 root wheel 1435424 Sep 27 16:57 saslauthd.core
-rw------- 1 root wheel 6 Sep 27 16:56 saslauthd.pid
>Fix:
unknown
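As an added diagnostic aid, not part of the report or of NetBSD's code: the three faulting "pointers" in the cores above, 0x73756372616d, 0x736d6c616572 and 0x74677462726b, are not addresses at all but the little-endian bytes of short ASCII strings ("marcus", "realms", "krbtgt"). A fault address whose bytes are all printable is a strong tell that string data was read where a pointer was expected, typically through an uninitialized or freed slot, which is consistent with the use-after-free suspicion. The function below does that decoding; the sample values are the three fault addresses from the traces, plus a genuine stack address from the first trace (0x7f7fff06fbd0) to show the negative case. The function names are hypothetical.

```c
/* Added example: decode a fault address as little-endian ASCII.
 * Not code from the PR or from NetBSD; names are hypothetical. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Copy the low-order non-zero bytes of p, lowest byte first, into buf.
 * Returns the number of bytes copied if every non-zero byte is printable
 * ASCII, or -1 as soon as a non-printable byte is seen (then p is most
 * likely a real pointer, not reinterpreted string data). */
int ptr_as_ascii(uint64_t p, char *buf, size_t buflen)
{
    size_t n = 0;

    for (size_t i = 0; i < sizeof p && n + 1 < buflen; i++) {
        unsigned char b = (unsigned char)(p >> (8 * i));
        if (b == 0)
            break;              /* high bytes of a short string are zero */
        if (!isprint(b))
            return -1;
        buf[n++] = (char)b;
    }
    buf[n] = '\0';
    return (int)n;
}

/* Convenience check: does p decode to exactly the string expect? */
int decodes_to(uint64_t p, const char *expect)
{
    char buf[16];

    return ptr_as_ascii(p, buf, sizeof buf) >= 0 && strcmp(buf, expect) == 0;
}

int main(void)
{
    /* Constructed sample: three fault addresses from the cores above and
     * one real stack address (out=0x7f7fff06fbd0) from the first trace. */
    static const uint64_t samples[] = {
        0x73756372616dULL, 0x736d6c616572ULL, 0x74677462726bULL,
        0x7f7fff06fbd0ULL,
    };
    char buf[16];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = ptr_as_ascii(samples[i], buf, sizeof buf);
        if (n < 0)
            printf("%#llx: looks like a real pointer\n",
                   (unsigned long long)samples[i]);
        else
            printf("%#llx: %d printable bytes -> \"%s\"\n",
                   (unsigned long long)samples[i], n, buf);
    }
    return 0;
}
```

When a crash address decodes like this, the next question is which string it came from; here "marcus" and "krbtgt" look like a username and the TGS service name, which points at a principal or credential buffer being read through a stale pointer.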
>Release-Note:
>Audit-Trail:
From: Taylor R Campbell <riastradh@NetBSD.org>
To: mark@ecs.vuw.ac.nz
Cc: gnats-bugs@NetBSD.org, netbsd-bugs@NetBSD.org
Subject: Re: lib/57631: pam_krb5.so seemingly randomly segfaults post the June update
Date: Wed, 27 Sep 2023 08:55:10 +0000
Well, that's embarrassing. Please try the attached patch?
Attachment: pam_krb5.patch (text/plain, quoted-printable; "=3D" is "=" and "=20" a trailing space)
diff --git a/lib/libpam/modules/pam_krb5/pam_krb5.c b/lib/libpam/modules/pa=
m_krb5/pam_krb5.c
index 38dd77472149..48941317285b 100644
--- a/lib/libpam/modules/pam_krb5/pam_krb5.c
+++ b/lib/libpam/modules/pam_krb5/pam_krb5.c
@@ -955,6 +955,7 @@ verify_krb_v5_tgt_begin(krb5_context context, char *pam=
_service, int debug,
const char *services[3], **service;
=20
*servicep =3D NULL;
+ *princp =3D NULL;
=20
if (debug)
openlog_r("pam_krb5", LOG_PID, LOG_AUTHPRIV, datap);
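Review bot: initializing *princp to NULL next to *servicep at function entry is the right fix for the symptom in the cores, but it only covers the failure paths; an out-parameter that is never written on the success path still leaves the caller with whatever its variable held before the call. The three fault addresses above (0x73756372616d, 0x736d6c616572, 0x74677462726b) are the little-endian ASCII bytes of "marcus", "realms" and "krbtgt", i.e. leftover string data read through exactly such an unassigned slot. Callers should also be checked to treat *princp == NULL as "no principal" and to free it only when non-NULL.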
@@ -996,6 +997,8 @@ verify_krb_v5_tgt_begin(krb5_context context, char *pam=
_service, int debug,
&keyblock);
if (retval !=3D 0)
continue;
+ *servicep =3D *service;
+ *princp =3D princ;
break;
}
if (keyblock)
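Review bot: placing `*servicep =3D *service;` and `*princp =3D princ;` after the `continue` means the out-parameters are assigned only when the key lookup succeeded, which is the path the traces hit, so this closes the uninitialized read. It also transfers ownership of princ to the caller, so the cleanup that follows the loop (the `if (keyblock)` block and whatever comes after it, outside this hunk) must not free princ on the break path as well, or this trades an uninitialized read for a double free. RVP's note in this thread about srvdup being freed twice (lines 344 and 399) suggests the cleanup paths in this function deserve one more pass with that in mind.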
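The shape of the bug, as an added example that is not pam_krb5's code: a begin()-style routine modeled loosely on verify_krb_v5_tgt_begin() tries a list of service names and must hand the chosen service and principal back through out-parameters. The names services, lookup_key, dupstr, begin_buggy, begin_fixed and out_param_left_stale are hypothetical stand-ins. As the two hunks show, the pre-patch function cleared *servicep at entry and never assigned *princp on any path; begin_buggy reproduces that, and begin_fixed mirrors the patch (NULL at entry, assigned on the success path). out_param_left_stale() plants a recognisable value in the caller's variable, the way the cores show leftover string bytes sitting there, and reports whether begin() replaced it.

```c
/* Added example, not pam_krb5 code: the out-parameter contract of a
 * begin()-style routine in its pre-patch and patched shapes. Every
 * name here is a hypothetical stand-in. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Candidate service names, tried in order (constructed list). */
static const char *const services[] = { "host", "imap", NULL };

/* Portable strdup replacement so the example builds under strict ISO C. */
static char *dupstr(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);

    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Stand-in for the key lookup: only "imap" has a key in this example.
 * Returns a malloc'd principal string, or NULL when the lookup fails. */
static char *lookup_key(const char *svc)
{
    return strcmp(svc, "imap") == 0 ? dupstr("imap/mail.example.test") : NULL;
}

/* Pre-patch shape: *servicep is cleared at entry, *princp is never
 * touched, and neither is assigned when a lookup succeeds. The caller
 * therefore reads whatever its variables held before the call. */
int begin_buggy(const char **servicep, char **princp)
{
    const char *const *svc;
    char *princ = NULL;

    *servicep = NULL;
    (void)princp;                       /* never assigned: the bug */
    for (svc = services; *svc != NULL; svc++) {
        princ = lookup_key(*svc);
        if (princ == NULL)
            continue;
        break;                          /* success, nothing handed back */
    }
    return princ != NULL ? 0 : -1;      /* princ is leaked here as well */
}

/* Patched shape: both out-parameters are defined on every path (NULL at
 * entry) and assigned exactly once, on the success path. */
int begin_fixed(const char **servicep, char **princp)
{
    const char *const *svc;
    char *princ;

    *servicep = NULL;
    *princp = NULL;
    for (svc = services; *svc != NULL; svc++) {
        princ = lookup_key(*svc);
        if (princ == NULL)
            continue;
        *servicep = *svc;
        *princp = princ;                /* caller now owns princ */
        break;
    }
    return *princp != NULL ? 0 : -1;
}

/* Simulate a caller whose variable still holds leftover bytes, as the
 * cores show (0x73756372616d is "marcus" in little-endian ASCII).
 * Returns 1 if begin() left that value in place, 0 if it replaced it. */
int out_param_left_stale(int (*begin)(const char **, char **))
{
    char *poison = (char *)(uintptr_t)0x73756372616dULL;
    char *princ = poison;
    const char *svc = NULL;
    int rc = begin(&svc, &princ);
    int stale = (princ == poison);

    if (rc == 0 && !stale)
        free(princ);                    /* patched path: we own it now */
    return stale;
}

int main(void)
{
    printf("pre-patch leaves *princp stale: %d\n", out_param_left_stale(begin_buggy));
    printf("patched   leaves *princp stale: %d\n", out_param_left_stale(begin_fixed));
    return 0;
}
```

The pattern to take away is the one the patch applies: initialize every out-parameter at entry, assign it at the single point where ownership passes to the caller, and make the caller's cleanup conditional on the value being non-NULL.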
From: RVP <rvp@SDF.ORG>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: lib/57631: pam_krb5.so seemingly randomly segfaults post the June update
Date: Wed, 27 Sep 2023 09:24:59 +0000 (UTC)
There is also a double free() of srvdup: lines 344 and 399. The first one
can be ditched.
-RVP
From: Mark Davies <mark@ecs.vuw.ac.nz>
To: Taylor R Campbell <riastradh@NetBSD.org>
Cc: gnats-bugs@NetBSD.org
Subject: Re: lib/57631: pam_krb5.so seemingly randomly segfaults post the June update
Date: Thu, 28 Sep 2023 14:52:24 +1300
On 27/09/23 21:55, Taylor R Campbell wrote:
> Well, that's embarrassing. Please try the attached patch?
Put that patch in, plus the removal of the free() on line 344 that RVP
noted and all seems to be working nicely.
cheers
mark
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/57631 CVS commit: src/lib/libpam/modules/pam_krb5
Date: Thu, 28 Sep 2023 02:31:05 +0000
Module Name: src
Committed By: riastradh
Date: Thu Sep 28 02:31:05 UTC 2023
Modified Files:
src/lib/libpam/modules/pam_krb5: pam_krb5.c
Log Message:
pam_krb5: Fix PR lib/57631.
Loose ends in the fix for NetBSD-SA2023-006 that weren't caught by
review or, somehow, by my own testing. Evidently we need automatic
tests for this pam business.
XXX pullup-10
XXX pullup-9
XXX pullup-8
To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.32 src/lib/libpam/modules/pam_krb5/pam_krb5.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->needs-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Fri, 29 Sep 2023 08:48:57 +0000
State-Changed-Why:
fixes committed, need pullup-8, pullup-9, pullup-10
State-Changed-From-To: needs-pullups->pending-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Mon, 02 Oct 2023 08:44:50 +0000
State-Changed-Why:
pullup-10 #380 https://releng.netbsd.org/cgi-bin/req-10.cgi?show=380
pullup-9 #1734 https://releng.netbsd.org/cgi-bin/req-9.cgi?show=1734
pullup-8 #1898 https://releng.netbsd.org/cgi-bin/req-8.cgi?show=1898
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/57631 CVS commit: [netbsd-10] src/lib/libpam/modules/pam_krb5
Date: Mon, 2 Oct 2023 13:05:41 +0000
Module Name: src
Committed By: martin
Date: Mon Oct 2 13:05:41 UTC 2023
Modified Files:
src/lib/libpam/modules/pam_krb5 [netbsd-10]: pam_krb5.c
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #380):
lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.32
pam_krb5: Fix PR lib/57631.
Loose ends in the fix for NetBSD-SA2023-006 that weren't caught by
review or, somehow, by my own testing. Evidently we need automatic
tests for this pam business.
To generate a diff of this commit:
cvs rdiff -u -r1.30.2.1 -r1.30.2.2 src/lib/libpam/modules/pam_krb5/pam_krb5.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/57631 CVS commit: [netbsd-9] src/lib/libpam/modules/pam_krb5
Date: Mon, 2 Oct 2023 13:07:12 +0000
Module Name: src
Committed By: martin
Date: Mon Oct 2 13:07:12 UTC 2023
Modified Files:
src/lib/libpam/modules/pam_krb5 [netbsd-9]: pam_krb5.c
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #1734):
lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.32
pam_krb5: Fix PR lib/57631.
Loose ends in the fix for NetBSD-SA2023-006 that weren't caught by
review or, somehow, by my own testing. Evidently we need automatic
tests for this pam business.
To generate a diff of this commit:
cvs rdiff -u -r1.26.28.1 -r1.26.28.2 \
src/lib/libpam/modules/pam_krb5/pam_krb5.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/57631 CVS commit: [netbsd-8] src/lib/libpam/modules/pam_krb5
Date: Mon, 2 Oct 2023 13:09:01 +0000
Module Name: src
Committed By: martin
Date: Mon Oct 2 13:09:01 UTC 2023
Modified Files:
src/lib/libpam/modules/pam_krb5 [netbsd-8]: pam_krb5.c
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #1898):
lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.32
pam_krb5: Fix PR lib/57631.
Loose ends in the fix for NetBSD-SA2023-006 that weren't caught by
review or, somehow, by my own testing. Evidently we need automatic
tests for this pam business.
To generate a diff of this commit:
cvs rdiff -u -r1.26.18.1 -r1.26.18.2 \
src/lib/libpam/modules/pam_krb5/pam_krb5.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: pending-pullups->closed
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Mon, 02 Oct 2023 15:16:44 +0000
State-Changed-Why:
fixed and pulled up
>Unformatted: