35597 2018-11-12 16:33:36 +0300 Segfault in sssd's krb5_child 2018-11-29 13:21:50 +0300 1 1 4 Development Sisyphus libkrb5 unstable all Linux CLOSED FIXED P3 normal --- 1 iv iv iv jenya rider shaba sin slev qa-sisyphus oldest_to_newest 175707 0 iv 2018-11-12 16:33:36 +0300 To reproduce * add a machine to a FreeIPA domain, using FQDN (e.g. test.ipa.example.com); * make sure that a domain user does not have a ccache (e.g. run kdestroy), and logout; * ssh to the machine by its short name (e.g. ssh iv@test); don't enable GSSAPI on your SSH client, use your domain password. Expected result: you are logged in, you have ccache with TGT. Real result: you are not logged in (permission denied); in the machine logs you see that there was a segfault in /usr/libexec/sssd/krb5_child. I managed to get a core dump. Here is the segmentation fault backtrace: #0 krb5_copy_principal (context=0x11a4bb0, inprinc=0x6e, outprinc=0x7ffdc68f6050) at copy_princ.c:43 #1 0x00007ff3f6fd0115 in krb5_cc_cache_match (context=0x11a4bb0, client=0x11a0e80, cache_out=cache_out@entry=0x7ffdc68f60b8) at cccursor.c:197 #2 0x0000000000408844 in create_ccache (ccname=<optimized out>, creds=0x117c000) at src/providers/krb5/krb5_child.c:999 #3 0x000000000040c084 in get_and_save_tgt (kr=kr@entry=0x1178220, password=<optimized out>) at src/providers/krb5/krb5_child.c:1761 #4 0x000000000040c283 in tgt_req_child (kr=kr@entry=0x1178220) at src/providers/krb5/krb5_child.c:2114 #5 0x0000000000407161 in main (argc=<optimized out>, argv=<optimized out>) at src/providers/krb5/krb5_child.c:3379 It's inprinc=0x6e does not seem to be valid address. 175794 1 iv 2018-11-14 16:51:29 +0300 Here are some more pieces of information from GDB: (gdb) frame 1 #1 0x00007ff3f6fd0115 in krb5_cc_cache_match (context=0x11a4bb0, client=0x11a0e80, cache_out=cache_out@entry=0x7ffdc68f60b8) at cccursor.c:197 197 ret = krb5_cc_get_principal(context, cache, &princ); (gdb) print cache->data $23 = (krb5_pointer) 0x1182a80 (gdb) print cache->ops->prefix $24 = 0x7ff3f702632a "MEMORY" (gdb) print cache->ops->get_princ $25 = (krb5_error_code (*)(krb5_context, krb5_ccache, krb5_principal *)) 0x7ff3f6fd7450 <krb5_mcc_get_principal> So, we are dealing with memory ccache. Looking at *((krb5_mcc_data*)cache->data), it indeed contains garbage and ((krb5_mcc_data*)cache->data)->prin is 0x6e. 176171 2 repository-robot 2018-11-29 13:21:50 +0300 krb5-1.16.2-alt2 -> sisyphus: Thu Nov 29 2018 Stanislav Levin <slev@altlinux> 1.16.2-alt2 - Fixed yield of cache from MEMORY ccache (closes #35597, #35667). Wed Aug 29 2018 Alexey Shabalin <shaba@altlinux> 1.16.1-alt2 - rebuild with openssl-1.1 Mon Aug 27 2018 Ivan A. Melnikov <iv@altlinux> 1.16.1-alt1 - 1.16.1 (CVE-2018-5729, CVE-2018-5730) Mon Jan 22 2018 Evgeny Sinelnikov <sin@altlinux> 1.16-alt1 - Update to latest stable release 1.16 Fri Nov 03 2017 Evgeny Sinelnikov <sin@altlinux> 1.15.2-alt2 - Fix build-pdf on Sisyphus - Add noport, nss_wrapper and socket_wrapper for tests running Wed Nov 01 2017 Evgeny Sinelnikov <sin@altlinux> 1.15.2-alt1 - Update to latest stable release 1.15.2 with kdcpreauth from 1.16.x Sun Aug 20 2017 Evgeny Sinelnikov <sin@altlinux.ru> 1.15.1-alt1 - Update to latest stable release 1.15.1 with kdcpreauth from 1.16.x Fri Mar 24 2017 Evgeny Sinelnikov <sin@altlinux.ru> 1.14.5-alt1 - Update to first spring release 1.14.5 Tue Feb 28 2017 Evgeny Sinelnikov <sin@altlinux.ru> 1.14.4-alt2 - Add _keytab group for default keytab /etc/krb5.keytab Wed Feb 15 2017 Evgeny Sinelnikov <sin@altlinux.ru> 1.14.4-alt1 - 1.14.4 - fixed CVE-2016-3120