Bug 2229113 - Double free in MIT Kerberos 1.21
Summary: Double free in MIT Kerberos 1.21
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: 38
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Julien Rische
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 2230179
Depends On:
Blocks: CVE-2023-36054
Reported: 2023-08-04 08:31 UTC by Andreas Schneider
Modified: 2023-08-16 12:54 UTC (History)
CC List: 9 users

Fixed In Version: krb5-1.21-3.fc38 krb5-1.21.2-1.fc40 krb5-1.21.2-1.fc39
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-10 00:41:36 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github krb5 krb5 pull 1312 0 None open kdc: Fix double free in free_req_info() 2023-08-07 09:20:05 UTC
Red Hat Issue Tracker FC-911 0 None None None 2023-08-07 09:21:07 UTC
Red Hat Issue Tracker FREEIPA-10221 0 None None None 2023-08-04 08:33:48 UTC

Description Andreas Schneider 2023-08-04 08:31:01 UTC
Description of problem:

There is a double free corruption in MIT KRB5 1.21. It can be reproduced with Samba tests:

    /usr/sbin/krb5kdc: =================================================================
    /usr/sbin/krb5kdc: ==6492==ERROR: AddressSanitizer: attempting double-free on 0x61a00025e080 in thread T0:
    /usr/sbin/krb5kdc:     #0 0x7f5c932dad08  (/usr/lib64/libasan.so.8.0.0+0xdad08) (BuildId: a24a20df2a1331371c666de9135abab342429d43)
    /usr/sbin/krb5kdc:     #1 0x7f5c9317df72 in krb5_free_ticket krb/kfree.c:455
    /usr/sbin/krb5kdc:     #2 0x7f5c9317df72 in krb5_free_ticket krb/kfree.c:450
    /usr/sbin/krb5kdc:     #3 0x417fb6 in free_req_info ../../src/kdc/do_tgs_req.c:1144
    /usr/sbin/krb5kdc:     #4 0x417fb6 in process_tgs_req ../../src/kdc/do_tgs_req.c:1225
    /usr/sbin/krb5kdc:     #5 0x40c35f in dispatch ../../src/kdc/dispatch.c:163
    /usr/sbin/krb5kdc:     #6 0x449411 in process_tcp_connection_read ../../../src/lib/apputils/net-server.c:1363
    /usr/sbin/krb5kdc:     #7 0x7f5c931053a7 in verto_fire (/lib64/libverto.so.1+0x43a7) (BuildId: dce5099f3ddd23bf63050ec1bd9f959814a709ee)
    /usr/sbin/krb5kdc:     #8 0x7f5c8d8f9625 in ev_invoke_pending (/lib64/libev.so.4+0x5625) (BuildId: db2a80899176970d5ae46767b5ba351c27607fd5)
    /usr/sbin/krb5kdc:     #9 0x7f5c8d8fd1cb in ev_run (/lib64/libev.so.4+0x91cb) (BuildId: db2a80899176970d5ae46767b5ba351c27607fd5)
    /usr/sbin/krb5kdc:     #10 0x4344a5 in main ../../src/kdc/main.c:1039
    /usr/sbin/krb5kdc:     #11 0x7f5c92a2abef in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    /usr/sbin/krb5kdc:     #12 0x7f5c92a2acb8 in __libc_start_main_impl ../csu/libc-start.c:360
    /usr/sbin/krb5kdc:     #13 0x4097a4 in _start ../sysdeps/x86_64/start.S:115
    /usr/sbin/krb5kdc:
    /usr/sbin/krb5kdc: 0x61a00025e080 is located 0 bytes inside of 1188-byte region [0x61a00025e080,0x61a00025e524)
    /usr/sbin/krb5kdc: freed by thread T0 here:
    /usr/sbin/krb5kdc:     #0 0x7f5c932dad08  (/usr/lib64/libasan.so.8.0.0+0xdad08) (BuildId: a24a20df2a1331371c666de9135abab342429d43)
    /usr/sbin/krb5kdc:     #1 0x4170ce in zapfree ../../src/include/k5-int.h:664
    /usr/sbin/krb5kdc:     #2 0x4170ce in tgs_issue_ticket ../../src/kdc/do_tgs_req.c:1128
    /usr/sbin/krb5kdc:     #3 0x4170ce in process_tgs_req ../../src/kdc/do_tgs_req.c:1195
    /usr/sbin/krb5kdc:     #4 0x40c35f in dispatch ../../src/kdc/dispatch.c:163
    /usr/sbin/krb5kdc:     #5 0x449411 in process_tcp_connection_read ../../../src/lib/apputils/net-server.c:1363
    /usr/sbin/krb5kdc:     #6 0x7f5c931053a7 in verto_fire (/lib64/libverto.so.1+0x43a7) (BuildId: dce5099f3ddd23bf63050ec1bd9f959814a709ee)
    /usr/sbin/krb5kdc:
    /usr/sbin/krb5kdc: previously allocated by thread T0 here:
    /usr/sbin/krb5kdc:     #0 0x7f5c932dc03f in malloc (/usr/lib64/libasan.so.8.0.0+0xdc03f) (BuildId: a24a20df2a1331371c666de9135abab342429d43)
    /usr/sbin/krb5kdc:     #1 0x7f5c93158f5d in k5_asn1_decode_bytestring asn.1/asn1_encode.c:232
    /usr/sbin/krb5kdc:     #2 0x6030000aaeef  (<unknown module>)
    /usr/sbin/krb5kdc:
    /usr/sbin/krb5kdc: SUMMARY: AddressSanitizer: double-free (/usr/lib64/libasan.so.8.0.0+0xdad08) (BuildId: a24a20df2a1331371c666de9135abab342429d43)
    /usr/sbin/krb5kdc: ==6492==ABORTING
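
As an added illustration (not code from krb5, Samba, or this report) of the ownership defect the trace above points at: a helper wipes and frees a ticket's buffer but leaves the ticket structure still pointing at it, so the request cleanup frees the same region a second time. The ticket layout, the function bodies and the mini double-free detector are constructed; only the function names and the 1188-byte size are taken from the trace.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for a decoded ticket: just its owned ciphertext buffer. */
typedef struct { unsigned char *data; size_t length; } ticket_t;
/* Tiny double-free detector standing in for AddressSanitizer: it remembers
 * released addresses and counts a repeat free instead of performing it. */
static uintptr_t freed[16];
static int nfreed, double_frees;
static void tracked_free(void *p)
{
    if (p == NULL) return;
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == (uintptr_t)p) { double_frees++; return; }
    if (nfreed < 16) freed[nfreed++] = (uintptr_t)p;
    free(p);
}

/* Model of krb5's zapfree(): wipe the sensitive bytes, then release them. */
static void zapfree(void *p, size_t len) { if (p) memset(p, 0, len); tracked_free(p); }
/* Model of tgs_issue_ticket(): consumes the ticket's buffer. With fix == 0 it
 * leaves t->data dangling; with fix == 1 it clears the field so the ticket
 * structure no longer claims ownership of the released memory. */
static void issue_ticket(ticket_t *t, int fix)
{
    zapfree(t->data, t->length);
    if (fix) { t->data = NULL; t->length = 0; }
}
/* Model of free_req_info() -> krb5_free_ticket(): frees whatever the ticket
 * still points at, which is the second free on the unfixed path. */
static void free_ticket(ticket_t *t) { tracked_free(t->data); t->data = NULL; }
/* Process one request and return how many double frees the detector saw. */
int process_request(int fix)
{
    nfreed = 0; double_frees = 0;
    ticket_t t = { malloc(1188), 1188 };   /* same size as the region in the ASan report */
    issue_ticket(&t, fix);                 /* first free, inside ticket issuance */
    free_ticket(&t);                       /* request cleanup */
    return double_frees;
}

int main(void)
{
    printf("unfixed: %d, fixed: %d double free(s)\n", process_request(0), process_request(1));
    return 0;
}
```

The fixed path shows the general rule the defect violates: whoever frees a buffer that another structure references must also clear that reference, otherwise the structure's own cleanup routine cannot tell the buffer is gone.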

Comment 1 Fedora Update System 2023-08-08 15:16:24 UTC
FEDORA-2023-ca086f015c has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-ca086f015c

Comment 2 Fedora Update System 2023-08-09 02:00:38 UTC
FEDORA-2023-ca086f015c has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-ca086f015c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-ca086f015c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 3 Alexander Bokovoy 2023-08-09 06:15:22 UTC
*** Bug 2230179 has been marked as a duplicate of this bug. ***

Comment 4 Fedora Update System 2023-08-10 00:41:36 UTC
FEDORA-2023-ca086f015c has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 5 Fedora Update System 2023-08-16 10:14:35 UTC
FEDORA-2023-763a42d865 has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2023-763a42d865

Comment 6 Fedora Update System 2023-08-16 10:16:08 UTC
FEDORA-2023-4bce1554d6 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-4bce1554d6

Comment 7 Fedora Update System 2023-08-16 12:15:41 UTC
FEDORA-2023-763a42d865 has been pushed to the Fedora 40 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 8 Fedora Update System 2023-08-16 12:54:39 UTC
FEDORA-2023-4bce1554d6 has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make note of it in this bug report.
