Bug List: (This bug is not in your last search results)   Show last search results
Bug 12384 - SEGV in krb5_free_cred contents with MEMORY cache
: SEGV in krb5_free_cred contents with MEMORY cache
Status: CLOSED TRACKEDINBUGSTER
Product: opensolaris
kernel
: 200906
: ANY/Generic OpenSolaris
: P4 major (vote)
: ---
Assigned To: Watcher account for OpenSolaris kernel bugs
:
:
: BugsterCR=6897807
:
:
:
  Show dependency treegraph
 
Reported: 2009-11-01 19:48 UTC by Markus Moeller
Modified: 2009-11-03 21:08 UTC (History)
1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)


Note

You need to log in before you can comment on or make changes to this bug.

Description Markus Moeller 2009-11-01 19:48:41 UTC 
I have an application which initialises a Kerberos memory cache and the uses
the cache to authenticate and ldap connections to Active Directory and calls at
the end a krb5_cc_destroy to cleanup everything. When a memory cache is used
the cleanup SEGV in krb5_free_cred_contents. It does not happen with a file
cache. A watch with gdb gives the below trace showing that during the
SASL/GSSAPI bind the credentials in the memory cache get cleared. This creates
the SEGV in my main function.

The related code with the special MEMORY cache handling is in rel_cred.c

  61       /*
  62        * Solaris Kerberos
  63        * If the ccache is a MEMORY ccache then this credential handle
  64        * should be the only way to get to it, at least until the advent
  65        * of a GSS_Duplicate_cred() (which is needed and may well be
  66        * added some day).  Until then MEMORY ccaches must be destroyed,
  67        * not closed, else their contents (tickets, session keys) will
  68        * leak.
  69        */
  70       if (strcmp("MEMORY", krb5_cc_get_type(context, cred->ccache)) == 
0)
  71          code1 = krb5_cc_destroy(context, cred->ccache);
  72       else
  73          code1 = krb5_cc_close(context, cred->ccache);



(gdb) where
#0  krb5_mcc_free (context=0x8930fc0, id=0x88e0d90) at 
../krb5/ccache/cc_memory.c:182
#1  0xd226a307 in krb5_mcc_destroy (context=0x8930fc0, id=0x88e0d90) at 
../krb5/ccache/cc_memory.c:214
#2  0xd226c7b4 in krb5_cc_destroy (context=0x8930fc0, cache=0x88e0d90) at 
../krb5/ccache/ccfns.c:55
#3  0xd21e641f in krb5_gss_release_cred (minor_status=0x8022520, 
cred_handle=0x8022534) at 
/src/build/usr/src/lib/gss_mechs/mech_krb5/mech/rel_cred.c:71
#4  0xd21eb50f in krb5_gss_init_sec_context (minor_status=0x802268c, 
claimant_cred_handle=0x0, context_handle=0x88d3734, target_name=0x88c6990, 
mech_type=0xd1a08308, req_flags=42, time_req=0, input_chan_bindings=0x0, 
input_token=0x0, actual_mech_type=0x0, output_token=0x8022694, 
ret_flags=0x8022674, time_rec=0x0) at 
/src/build/usr/src/lib/gss_mechs/mech_krb5/mech/init_sec_context.c:997
#5  0xd21e3eec in k5glue_init_sec_context (ctx=0x0, minor_status=0x802268c, 
claimant_cred_handle=0x0, context_handle=0x88d3734, target_name=0x88c6990, 
mech_type=0xd1a08308, req_flags=42, time_req=0, input_chan_bindings=0x0, 
input_token=0x0, actual_mech_type=0x0, output_token=0x8022694, 
ret_flags=0x8022674, time_rec=0x0) at 
/src/build/usr/src/lib/gss_mechs/mech_krb5/mech/krb5_gss_glue.c:843
#6  0xd27451c8 in gss_init_sec_context () from /usr/lib/libgss.so.1
#7  0xd19f41d3 in ?? ()
#8  0x0802268c in ?? ()
#9  0x00000000 in ?? ()
#10 0x088e3d6c in ?? ()
#11 0x088d3cd8 in ?? ()
#12 0xd1a08308 in ?? ()
#13 0x0000002a in ?? ()
#14 0x00000000 in ?? ()
#15 0x00000000 in ?? ()
#16 0x00000000 in ?? ()
#17 0x00000000 in ?? ()
#18 0x08022694 in ?? ()
#19 0x08022674 in ?? ()
#20 0x00000000 in ?? ()
#21 0x00000000 in ?? ()
#22 0x00000000 in ?? ()
#23 0xd1a0834c in ?? ()
#24 0xd1f79000 in ?? () from /usr/lib/libsasl.so.1
#25 0xd19f6ecc in ?? ()
#26 0x00000128 in ?? ()
#27 0x5f676572 in ?? ()
#28 0xd19f3bcf in ?? ()
#29 0xd1bc27e8 in ?? ()
#30 0x00000000 in ?? ()
#31 0xd19f6ed8 in ?? ()
#32 0x00000000 in ?? ()
#33 0x00000000 in ?? ()
#34 0x00000000 in ?? ()
#35 0x0000013a in ?? ()
#36 0x0000002a in ?? ()
#37 0x00000003 in ?? ()
#38 0x00000019 in ?? ()
#39 0x00000000 in ?? ()
#40 0xd1f5bcf9 in _sasl_global_getopt (context=0x88e3d68, 
plugin_name=0x88d4ab0 "@7\215\b\b,\216\b\200=\215\b\230<\216\b", option=0x0, 
result=0x0, len=0x80227dc) at ../lib/common.c:1374
#41 0xd1f58dce in sasl_client_step (conn=0x88e30c8, serverin=0x0, 
serverinlen=0, prompt_need=0x80227dc, clientout=0x80227c4, 
clientoutlen=0x80227bc) at ../lib/client.c:1088
#42 0xd1f58c1d in sasl_client_start (conn=0x88e30c8, mechlist=0x808f675 
"GSSAPI", prompt_need=0x80227dc, clientout=0x80227c4, 
clientoutlen=0x80227bc, mech=0x80227d0) at ../lib/client.c:1024
#43 0xd24a27be in nsldapi_sasl_do_bind (ld=0x88e1e00, dn=0x0, 
mechs=0x808f675 "GSSAPI", flags=1, callback=0x8078278 <lutil_sasl_interact>, 
defaults=0x88c6940, sctrl=0x0, cctrl=0x0) at 
../sources/ldap/common/sasl.c:660
#44 0xd24a3121 in ldap_sasl_interactive_bind_s (ld=0x88e1e00, dn=0x0, 
saslMechanism=0x808f675 "GSSAPI", sctrl=0x0, cctrl=0x0, flags=1, 
callback=0x8078278 <lutil_sasl_interact>, defaults=0x88c6940) at 
../sources/ldap/common/sasl.c:992
#45 0x08078400 in tool_sasl_bind (ld=0x88e1e00, binddn=0x0, ssl=0) at 
checkldapgroup.c:1840
#46 0x08079393 in checkldapgroup (username=0x803b450 "markus@SUSE.HOME", 
userdomain=0x803b457 "SUSE.HOME", group=0x88d3bb8 "USERS_ALLOW", 
groupdomain=0x0, rule=0x88d31b0) at checkldapgroup.c:2595
#47 0x08074753 in ldapgroupmatch (auth=0x803b21c, rule=0x88d0610) at 
accesscheck.c:155
#48 0x0806ec4b in rulespermit (s=3, peer=0x803fa00, local=0x803fa10, 
clientauth=0x803fa20, match=0x803cb30, srcauth=0x803b21c, state=0x803a9e4, 
src=0x803b564, dst=0x803b9f8, msg=0x803a490 "", msgsize=256) at 
serverconfig.c:1352
#49 0x08062e70 in run_request (mother=0x80412a0) at sockd_request.c:827
#50 0x0805e8c3 in addchild (type=4) at sockd_child.c:427
#51 0x0805f123 in childcheck (type=4) at sockd_child.c:541
#52 0x0805da28 in main (argc=143409904, argv=0x8047c64, envp=0x8047c70) at 
sockd.c:371
(gdb)


Markus
Comment 1 Rich Burridge 2009-11-03 21:08:03 UTC 
In order to get the attention of the Solaris engineers, I've
opened a bug in the Sun Bugster database, and am closing this one
as TRACKEDINBUGSTER.

If the Bugster bug is now in a public category/sub-category, the
URL of the new bug at bugs.opensolaris.org will be:

http://bugs.opensolaris.org/view_bug.do?bug_id=6897807

(This will happen the next time the new Bugster bug information
is pushed to bugs.opensolaris.org).

I've added the bug submitter to the Bugster interest list. If you'd
like to be removed, just let me know (by adding a comment to this bug).

If anybody else would like to be added to the cc: of the Bugster bug,
again just let me know (by adding a comment to this bug).

Note that there is currently no easy way for external-to-Sun
people to update the Bugster bug. That's been worked on. In the
meantime, if a Bugster evaluator asks you for further information
and you are external-to-Sun, then I suggest emailing that person
directly.

Thanks.
Bug List: (This bug is not in your last search results)   Show last search results