Bug 35597 - Segfault in sssd's krb5_child
Summary: Segfault in sssd's krb5_child
Alias: None
Product: Sisyphus
Classification: Development
Component: libkrb5
Version: unstable
Hardware: all Linux
Importance: P3 normal
Assignee: Ivan A. Melnikov
QA Contact: qa-sisyphus
Depends on:
Reported: 2018-11-12 16:33 MSK by Ivan A. Melnikov
Modified: 2018-11-29 13:21 MSK

See Also:


Description Ivan A. Melnikov 2018-11-12 16:33:36 MSK
To reproduce
* add a machine to a FreeIPA domain, using FQDN (e.g. test.ipa.example.com);
* make sure that a domain user does not have a ccache (e.g. run kdestroy), and logout;
* ssh to the machine by its short name (e.g. ssh iv@test); don't enable GSSAPI on your SSH client; use your domain password.

Expected result: you are logged in and have a ccache with a TGT.
Actual result: you are not logged in (permission denied); in the machine logs you see that there was a segfault in /usr/libexec/sssd/krb5_child.

I managed to get a core dump. Here is the segmentation fault backtrace:

#0  krb5_copy_principal (context=0x11a4bb0, inprinc=0x6e, outprinc=0x7ffdc68f6050) at copy_princ.c:43
#1  0x00007ff3f6fd0115 in krb5_cc_cache_match (context=0x11a4bb0, client=0x11a0e80, cache_out=cache_out@entry=0x7ffdc68f60b8) at cccursor.c:197
#2  0x0000000000408844 in create_ccache (ccname=<optimized out>, creds=0x117c000) at src/providers/krb5/krb5_child.c:999
#3  0x000000000040c084 in get_and_save_tgt (kr=kr@entry=0x1178220, password=<optimized out>) at src/providers/krb5/krb5_child.c:1761
#4  0x000000000040c283 in tgt_req_child (kr=kr@entry=0x1178220) at src/providers/krb5/krb5_child.c:2114
#5  0x0000000000407161 in main (argc=<optimized out>, argv=<optimized out>) at src/providers/krb5/krb5_child.c:3379

inprinc=0x6e does not seem to be a valid address.
Comment 1 Ivan A. Melnikov 2018-11-14 16:51:29 MSK
Here is some more information from GDB:

(gdb) frame 1
#1  0x00007ff3f6fd0115 in krb5_cc_cache_match (context=0x11a4bb0, client=0x11a0e80, cache_out=cache_out@entry=0x7ffdc68f60b8) at cccursor.c:197
197             ret = krb5_cc_get_principal(context, cache, &princ);
(gdb) print cache->data
$23 = (krb5_pointer) 0x1182a80
(gdb) print cache->ops->prefix
$24 = 0x7ff3f702632a "MEMORY"
(gdb) print cache->ops->get_princ
$25 = (krb5_error_code (*)(krb5_context, krb5_ccache, krb5_principal *)) 0x7ff3f6fd7450 <krb5_mcc_get_principal>

So, we are dealing with memory ccache. Looking at *((krb5_mcc_data*)cache->data), it indeed contains garbage and ((krb5_mcc_data*)cache->data)->prin is 0x6e.
Comment 2 Repository Robot 2018-11-29 13:21:50 MSK
krb5-1.16.2-alt2 -> sisyphus:

Thu Nov 29 2018 Stanislav Levin <slev@altlinux> 1.16.2-alt2
- Fixed yield of cache from MEMORY ccache (closes #35597, #35667).

Wed Aug 29 2018 Alexey Shabalin <shaba@altlinux> 1.16.1-alt2
- rebuild with openssl-1.1

Mon Aug 27 2018 Ivan A. Melnikov <iv@altlinux> 1.16.1-alt1
- 1.16.1 (CVE-2018-5729, CVE-2018-5730)

Mon Jan 22 2018 Evgeny Sinelnikov <sin@altlinux> 1.16-alt1
- Update to latest stable release 1.16

Fri Nov 03 2017 Evgeny Sinelnikov <sin@altlinux> 1.15.2-alt2
- Fix build-pdf on Sisyphus
- Add noport, nss_wrapper and socket_wrapper for tests running

Wed Nov 01 2017 Evgeny Sinelnikov <sin@altlinux> 1.15.2-alt1
- Update to latest stable release 1.15.2 with kdcpreauth from 1.16.x

Sun Aug 20 2017 Evgeny Sinelnikov <sin@altlinux.ru> 1.15.1-alt1
- Update to latest stable release 1.15.1 with kdcpreauth from 1.16.x

Fri Mar 24 2017 Evgeny Sinelnikov <sin@altlinux.ru> 1.14.5-alt1
- Update to first spring release 1.14.5

Tue Feb 28 2017 Evgeny Sinelnikov <sin@altlinux.ru> 1.14.4-alt2
- Add _keytab group for default keytab /etc/krb5.keytab

Wed Feb 15 2017 Evgeny Sinelnikov <sin@altlinux.ru> 1.14.4-alt1
- 1.14.4
- fixed CVE-2016-3120