[16900] in Kerberos-V5-bugs


[krbdev.mit.edu #9103] segfault trying to free a garbage pointer

daemon@ATHENA.MIT.EDU (Ilya Gladyshev via RT)
Sat Sep 2 20:36:38 2023

From: "Ilya Gladyshev via RT" <rt-comment@kerborg-prod-app-1.mit.edu>
In-Reply-To: <00A7572D-0468-46BB-9AA3-CF7A159D6F60@gmail.com>
Message-ID: <rt-4.4.3-2-2112270-1693701388-1720.9103-4-0@kerborg-prod-app-1.mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9103":;
Content-Type: multipart/mixed; boundary="----------=_1693701388-2112270-0"
Date: Sat, 02 Sep 2023 20:36:28 -0400
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Reply-To: rt-comment@kerborg-prod-app-1.mit.edu
Errors-To: krb5-bugs-bounces@mit.edu

------------=_1693701388-2112270-0
Content-Type: text/plain; charset="utf-8"


Sat Sep 02 20:36:27 2023: Request 9103 was acted upon.
 Transaction: Ticket created by ilya.v.gladyshev@gmail.com
       Queue: krb5
     Subject: segfault trying to free a garbage pointer
       Owner: Nobody
  Requestors: ilya.v.gladyshev@gmail.com
      Status: new
 Ticket <URL: http://kerborg-prod-app-1.mit.edu/rt/Ticket/Display.html?id=9103 >


Hi, 
I have recently encountered a segfault while using psql (PostgreSQL client, version 13) on macOS. psql uses krb5-1.21.2 internally and as I started exploring the problem I obtained the following call stack that led to a segfault:
0 libkrb5.3.3.dylib	0x10471ec18 krb5_free_principal + 20
1 libkrb5.3.3.dylib	0x104701ad0 krb5_cccol_have_content + 188
2 libgssapi_krb5.2.2.dylib	0x104531894 acquire_cred_context + 1664
3 libgssapi_krb5.2.2.dylib	0x10453119c acquire_cred_from + 688
4 libgssapi_krb5.2.2.dylib	0x104523180 gss_add_cred_from + 624

So it seems to me that the problem is in the krb5 library. I looked at the source code and the problem seems obvious to me, but I might be missing something here. I have attached a patch to fix it, and here’s my understanding of what’s going on there: inside krb5_cccol_have_content, the princ variable may stay uninitialized even after a call to krb5_cc_get_principal, so krb5_free_principal will try to free a garbage pointer, or it might try to do a double free if princ was assigned and freed on a previous loop iteration. Setting princ to NULL at the beginning of each loop seems enough to me, because krb5_free_principal has checks for NULL.

Regards,
Ilya

P.S. You might want to update the URL to access the repository on the website https://kerberos.org/dist/testing.html#git as GitHub no longer supports git:// protocol links.



------------=_1693701388-2112270-0
Content-Type: application/octet-stream;
 name="0001-clear-principal-on-each-loop.patch"
Content-Disposition: attachment;
	filename="0001-clear-principal-on-each-loop.patch"
Content-Transfer-Encoding: base64
RT-Attachment: 9103/101849/25152
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------------=_1693701388-2112270-0
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs

------------=_1693701388-2112270-0--
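The two failure modes the report names (freeing whatever the stack held when the very first krb5_cc_get_principal fails, and a double free when a later lookup fails after an earlier one succeeded) are shown below in an added example. This is not code from the message above nor from krb5: the toy_* types and functions, the error code value, the fixed arena standing in for malloc()/free(), the cache names and the has_principal/has_creds flags are all assumptions made for the model, and the loop shape follows only the reporter's description of krb5_cccol_have_content, not the real function. Because reading a genuinely uninitialized local is undefined behaviour, the "garbage" the buggy loop frees is injected explicitly as a pointer outside the arena.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the krb5_cccol_have_content() loop described in the report.
 * Not krb5 code: the toy_* names only mirror krb5's so the loop reads like the
 * real one.  A fixed arena replaces malloc()/free() so that freeing a stale or
 * never-allocated pointer is counted instead of crashing the process. */

typedef int krb5_error_code;
#define KRB5_FCC_NOFILE 1   /* toy error code: this cache has no principal */

typedef struct { char name[32]; int freed; } toy_principal;                        /* ~krb5_principal */
typedef struct { const char *name; int has_principal; int has_creds; } toy_ccache; /* ~krb5_ccache */

enum { ARENA_SLOTS = 8 };
static toy_principal g_arena[ARENA_SLOTS];
static int g_next_slot;

/* What the frees did; a test inspects this instead of a core dump. */
struct free_stats { int good; int double_free; int garbage; int found; };
static struct free_stats g_stats;

static void toy_reset(void) {
    memset(g_arena, 0, sizeof g_arena);
    g_next_slot = 0;
    memset(&g_stats, 0, sizeof g_stats);
}

/* Stand-in for krb5_cc_get_principal(): on success stores a fresh principal in
 * *out; on failure it returns an error and leaves *out untouched, which is the
 * contract the report's analysis hinges on. */
static krb5_error_code toy_cc_get_principal(const toy_ccache *cache,
                                            toy_principal **out) {
    if (!cache->has_principal)
        return KRB5_FCC_NOFILE;              /* *out deliberately not written */
    if (g_next_slot >= ARENA_SLOTS)
        return ENOMEM;
    toy_principal *p = &g_arena[g_next_slot++];
    snprintf(p->name, sizeof p->name, "%s", cache->name);
    p->freed = 0;
    *out = p;
    return 0;
}

/* Stand-in for krb5_free_principal(): NULL-safe like the real one, but it
 * classifies the pointer instead of calling free() on it. */
static void toy_free_principal(toy_principal *p) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)g_arena,
              hi = (uintptr_t)(g_arena + ARENA_SLOTS);
    if (p == NULL)
        return;
    if (a < lo || a >= hi) { g_stats.garbage++; return; }      /* never allocated */
    if (p->freed)          { g_stats.double_free++; return; }  /* released before */
    p->freed = 1;
    g_stats.good++;
}

/* The loop, modelled on the flow the report describes: every iteration ends by
 * freeing princ whether or not the lookup succeeded.  "Whatever was on the
 * stack" is injected as stack_garbage; reset_each_iteration selects between the
 * buggy loop (0) and the fix the attached patch proposes (1). */
static int toy_cccol_have_content(const toy_ccache *caches, size_t n,
                                  toy_principal *stack_garbage,
                                  int reset_each_iteration) {
    toy_principal *princ = stack_garbage;   /* models princ never being set */
    int found = 0;

    for (size_t i = 0; i < n && !found; i++) {
        if (reset_each_iteration)
            princ = NULL;                   /* the fix: start each pass clean */
        krb5_error_code ret = toy_cc_get_principal(&caches[i], &princ);
        if (ret)
            goto next;                      /* princ still holds the old value */
        found = caches[i].has_creds;        /* real code walks the creds here */
    next:
        toy_free_principal(princ);          /* unconditional, as in the report */
    }
    return found;
}

/* Constructed cache collection: a lookup failure first, then a principal-only
 * cache, another failure, then a cache holding a usable credential. */
static struct free_stats run_collection(int fixed) {
    static const toy_ccache collection[] = {
        { "FILE:/tmp/krb5cc_empty", 0, 0 },
        { "FILE:/tmp/krb5cc_a",     1, 0 },
        { "FILE:/tmp/krb5cc_b",     0, 0 },
        { "FILE:/tmp/krb5cc_c",     1, 1 },
    };
    static toy_principal not_in_arena;      /* any address outside the arena */
    toy_reset();
    g_stats.found = toy_cccol_have_content(
        collection, sizeof collection / sizeof collection[0], &not_in_arena, fixed);
    return g_stats;
}

struct free_stats buggy_loop_stats(void) { return run_collection(0); }
struct free_stats fixed_loop_stats(void) { return run_collection(1); }
```

Over the constructed collection the buggy loop records one garbage free (first iteration) and one double free (third iteration, where princ still points at the principal released in the second), while the fixed loop records neither; both still report that content was found, which is the point of a fix that only resets princ. In a real build the same difference is what AddressSanitizer or a malloc with double-free detection would turn into a hard abort instead of the segfault in the report.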
