NetBSD-Bugs archive


lib/57631: pam_krb5.so seemingly randomly segfaults post the June update



>Number:         57631
>Category:       lib
>Synopsis:       pam_krb5.so seemingly randomly segfaults post the June update
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Sep 27 04:35:00 +0000 2023
>Originator:     Mark Davies
>Release:        NetBSD 10.0_BETA
>Organization:
ECS, Victoria Uni. of Wellington, New Zealand.
>Environment:
System: NetBSD turakirae.ecs.vuw.ac.nz 10.0_BETA NetBSD 10.0_BETA (GENERIC) #0: Mon Sep 18 14:53:06 NZST 2023  mark%turakirae.ecs.vuw.ac.nz@localhost:/local/SAVE/10_64.obj/src/work/10/src/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
	On a system configured to authenticate via Kerberos with a pam_krb5.so.4 that incorporates the
	changes made in June, both dovecot's auth and saslauthd (configured to do pam, and pam to do pam_krb5)
	would get segmentation faults processing some connections, while others (given the same credentials)
	would succeed.

	Leaving everything else the same but reverting the June change to pam_krb5.c eliminates the problem.

	Feels like some kind of use after free, but I can't spot the precise issue.

	Stack traces from some saslauthd cores are below:

Core was generated by `saslauthd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  quote_string (s=0x73756372616d <error: Cannot access memory at address 0x73756372616d>,
    out=out@entry=0x7f7fff06fbd0 "", idx=0, len=len@entry=256, display=display@entry=0)
    at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/principal.c:418
(gdb) where
#0  quote_string (s=0x73756372616d <error: Cannot access memory at address 0x73756372616d>,
    out=out@entry=0x7f7fff06fbd0 "", idx=0, len=len@entry=256, display=display@entry=0)
    at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/principal.c:418
#1  0x0000736565442cc0 in unparse_name_fixed (context=context@entry=0x736565752000, principal=0x7365656dd5a0,
    name=name@entry=0x7f7fff06fbd0 "", len=len@entry=256, flags=flags@entry=0)
    at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/principal.c:457
#2  0x0000736565443569 in krb5_unparse_name_fixed (context=context@entry=0x736565752000,
    principal=<optimized out>, name=name@entry=0x7f7fff06fbd0 "", len=len@entry=256)
    at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/principal.c:507
#3  0x00007365654429ec in krb5_error_from_rd_error (context=context@entry=0x736565752000,
    error=error@entry=0x7365657b7da0, creds=creds@entry=0x7365657b7c08)
    at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/rd_error.c:86
#4  0x000073656542cf22 in krb5_init_creds_step (context=context@entry=0x736565752000,
    ctx=ctx@entry=0x7365657b7c00, in=in@entry=0x7f7fff070640, out=out@entry=0x7f7fff070650,
    hostinfo=hostinfo@entry=0x0, flags=flags@entry=0x7f7fff070634)
    at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/init_creds_pw.c:2334
#5  0x000073656542de98 in krb5_init_creds_get (context=context@entry=0x736565752000, ctx=0x7365657b7c00)
    at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/init_creds_pw.c:2634
#6  0x000073656542b963 in krb5_get_init_creds_password (context=0x736565752000, creds=0x7f7fff071110,
    client=0x7365656ddb20, password=0x7365657ea110 "xxxxxxxxxxxx", prompter=0x0, data=0x7365657f2000,
    start_time=0, in_tkt_service=<optimized out>, options=0x736565789180)
    at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/init_creds_pw.c:2728
#7  0x000073656020279b in pam_sm_authenticate () from /usr/lib/security/pam_krb5.so.4
#8  0x0000736563804cee in openpam_dispatch (pamh=pamh@entry=0x7365657f2000, primitive=primitive@entry=0,
    flags=-2147483648) at /src/work/10/src/external/bsd/openpam/dist/lib/libpam/openpam_dispatch.c:125
#9  0x0000736563803e66 in pam_authenticate (pamh=0x7365657f2000, flags=<optimized out>)
    at /src/work/10/src/external/bsd/openpam/dist/lib/libpam/pam_authenticate.c:69
#10 0x000000019e203ca9 in ?? ()
#11 0x000000019e2083cc in ?? ()
#12 0x000000019e20758d in ?? ()
#13 0x000000019e207c8c in ?? ()
#14 0x000000019e20a1ab in ?? ()
#15 0x000000019e202edd in ?? ()
#16 0x00007f7f3840bbb8 in ?? () from /usr/libexec/ld.elf_so
#17 0x0000000000000003 in ?? ()
#18 0x00007f7fff0729f0 in ?? ()
#19 0x00007f7fff072a08 in ?? ()
#20 0x00007f7fff072a0b in ?? ()
#21 0x0000000000000000 in ?? ()



Core was generated by `saslauthd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000796d85d9c091 in strlen () from /usr/lib/libc.so.12
(gdb) where
#0  0x0000796d85d9c091 in strlen () from /usr/lib/libc.so.12
#1  0x0000796d85cbbb4b in _strdup (str=0x736d6c616572 <error: Cannot access memory at address 0x736d6c616572>)
    at /src/work/10/src/lib/libc/string/strdup.c:60
#2  0x0000796d88081c17 in der_copy_general_string (from=<optimized out>, to=0x796d88a61390)
    at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/asn1/der_copy.c:46
#3  0x0000796d8804a104 in copy_PrincipalName (from=from@entry=0x796d887d49a0, to=to@entry=0x796d88746220)
    at asn1_krb5_asn1.c:1019
#4  0x0000796d8804a4c5 in copy_Principal (from=from@entry=0x796d887d49a0, to=to@entry=0x796d88746220)
    at asn1_krb5_asn1.c:1160
#5  0x0000796d88443cb3 in krb5_copy_principal (context=context@entry=0x796d88764000, inprinc=0x796d887d49a0,
    outprinc=outprinc@entry=0x7f7fffbc60d8)
    at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/principal.c:918
#6  0x0000796d88447efd in mcc_get_principal (context=0x796d88764000, id=<optimized out>, principal=0x7f7fffbc60d8)
    at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/mcache.c:329
#7  0x0000796d83203bb9 in pam_sm_chauthtok () from /usr/lib/security/pam_krb5.so.4
#8  0x0000796d86804cee in openpam_dispatch (pamh=0x796d88a61350, primitive=-2005468800, flags=-2147483648)
    at /src/work/10/src/external/bsd/openpam/dist/lib/libpam/openpam_dispatch.c:125
#9  0x00000000eba03cbe in ?? ()
#10 0x00007f7fffbc6210 in ?? ()
#11 0x0000796d88a48000 in ?? ()
#12 0x00000000eba03a02 in ?? ()
#13 0x00007f7f5800800e in _rtld_symlook_obj_matched_symbol (vcount=<synthetic pointer>, vsymp=<synthetic pointer>,
    symnum=133511350964291, ventry=0xeba083cc, flags=<optimized out>, obj=0x7f7fffbc6800,
    name=0x7f7fffbc64d0 "rarnold") at /src/work/10/src/libexec/ld.elf_so/symbol.c:186
#14 _rtld_symlook_obj_sysv (ventry=<optimized out>, flags=<optimized out>, obj=0x7f7fffbc6800,
    hash=<optimized out>, name=0x7f7fffbc64d0 "rarnold") at /src/work/10/src/libexec/ld.elf_so/symbol.c:308
#15 _rtld_symlook_obj (name=0x7f7fffbc64d0 "rarnold", hash=<optimized out>, obj=0x7f7fffbc6800,
    flags=<optimized out>, ventry=0xeba083cc) at /src/work/10/src/libexec/ld.elf_so/symbol.c:391
#16 0x00007f7f00000000 in ?? ()
#17 0x0000000000000000 in ?? ()



Core was generated by `saslauthd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000796d85d9c091 in strlen () from /usr/lib/libc.so.12
(gdb) where
#0  0x0000796d85d9c091 in strlen () from /usr/lib/libc.so.12
#1  0x0000796d85cbbb4b in _strdup (str=0x74677462726b <error: Cannot access memory at address 0x74677462726b>)
    at /src/work/10/src/lib/libc/string/strdup.c:60
#2  0x0000796d88081c17 in der_copy_general_string (from=<optimized out>, to=0x796d88a613b0)
    at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/asn1/der_copy.c:46
#3  0x0000796d8804a104 in copy_PrincipalName (from=from@entry=0x796d887d4c00, to=to@entry=0x796d887d48c0)
    at asn1_krb5_asn1.c:1019
#4  0x0000796d8804a4c5 in copy_Principal (from=from@entry=0x796d887d4c00, to=to@entry=0x796d887d48c0)
    at asn1_krb5_asn1.c:1160
#5  0x0000796d88443cb3 in krb5_copy_principal (context=context@entry=0x796d88764000,
    inprinc=inprinc@entry=0x796d887d4c00, outprinc=outprinc@entry=0x796d8875d5c0)
    at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/principal.c:918
#6  0x0000796d88448587 in mcc_initialize (context=0x796d88764000, id=<optimized out>,
    primary_principal=0x796d887d4c00) at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/mcache.c:209
#7  0x0000796d884654db in krb5_cc_initialize (context=<optimized out>, id=0x796d887d4b20,
    primary_principal=<optimized out>) at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/cache.c:677
#8  0x0000796d8320284a in pam_sm_authenticate () from /usr/lib/security/pam_krb5.so.4
#9  0x0000796d86804cee in openpam_dispatch (pamh=pamh@entry=0x796d88a48000, primitive=primitive@entry=0,
    flags=-2147483648) at /src/work/10/src/external/bsd/openpam/dist/lib/libpam/openpam_dispatch.c:125
#10 0x0000796d86803e66 in pam_authenticate (pamh=0x796d88a48000, flags=<optimized out>)
    at /src/work/10/src/external/bsd/openpam/dist/lib/libpam/pam_authenticate.c:69
#11 0x00000000eba03ca9 in ?? ()
#12 0x00007f7fffbc6210 in ?? ()
#13 0x0000796d88a48000 in ?? ()
#14 0x00000000eba03a02 in ?? ()
#15 0x0000000000000000 in ?? ()


>How-To-Repeat:
	On a system using Kerberos for authentication,
	run 'saslauthd -a pam',
	loop running testsaslauthd with a valid username/password until you observe a failed invocation,
	and note the associated saslauthd.core produced.

smb2# while ( 1 )
while? testsaslauthd -u validusername -p validpassword
while? end
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
size read failed
0: size read failed
0: size read failed
0: 0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
0: OK "Success."
size read failed
0: size read failed
0: connect() : Connection refused
smb2# ls -l /var/run/saslauthd/
total 1426
srwxrwxrwx  1 root  wheel        0 Sep 27 16:56 mux
-rw-------  1 root  wheel        0 Sep 27 16:56 mux.accept
-rw-------  1 root  wheel  1435424 Sep 27 16:57 saslauthd.core
-rw-------  1 root  wheel        6 Sep 27 16:56 saslauthd.pid

>Fix:
	unknown

>Unformatted:
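A triage step the traces above support, given here as an added example that is not part of the PR: read each pointer gdb could not dereference as little-endian bytes. The three faulting values decode to printable ASCII ("marcus", "realms", "krbtgt"), the signature of a pointer field whose memory was freed and reused for string data, which fits the use-after-free suspicion in the description.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Decode a 64-bit word as little-endian bytes, stopping at the first zero
 * byte.  Returns the count written to out, or 0 if any byte is not printable
 * ASCII: a real heap pointer such as 0x7365656dd5a0 fails on its low byte. */
static size_t decode_le_ascii(uint64_t word, char *out, size_t outlen)
{
    size_t n = 0;
    for (size_t i = 0; i < 8 && n + 1 < outlen; i++) {
        unsigned char b = (unsigned char)(word >> (8 * i));
        if (b == 0)
            break;
        if (!isprint(b)) {
            out[0] = '\0';
            return 0;
        }
        out[n++] = (char)b;
    }
    out[n] = '\0';
    return n;
}

/* Does the word decode to exactly this string? */
static int decodes_to(uint64_t word, const char *expected)
{
    char buf[9];
    return decode_le_ascii(word, buf, sizeof buf) > 0 &&
        strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Pointer values copied from the gdb traces in the PR; the last one is
     * the principal= heap address from frame #1 of the first trace. */
    static const uint64_t ptrs[] = { 0x73756372616dULL, 0x736d6c616572ULL,
        0x74677462726bULL, 0x7365656dd5a0ULL };
    char buf[9];
    for (size_t i = 0; i < sizeof ptrs / sizeof ptrs[0]; i++) {
        if (decode_le_ascii(ptrs[i], buf, sizeof buf))
            printf("0x%012llx = \"%s\": string bytes, not a pointer\n",
                (unsigned long long)ptrs[i], buf);
        else
            printf("0x%012llx: plausible heap address\n",
                (unsigned long long)ptrs[i]);
    }
    return 0;
}
```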