Bug 1302414

Summary: pam_krb5 not clearing errno before calling getpwnam_r()
Product: Red Hat Enterprise Linux 6
Reporter: Roshni <rpattath>
Component: pam_krb5
Assignee: Robbie Harwood <rharwood>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 6.8
CC: jhrozek, nalin, pkis
Target Milestone: rc
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
URL: https://git.fedorahosted.org/cgit/pam_krb5.git/commit/?id=18b4ecea4e25fd3cc17f13203c59249c6e389820
Doc Type: Bug Fix
Last Closed: 2016-07-18 17:28:03 UTC
Type: Bug

Description Roshni 2016-01-27 19:00:49 UTC
Description of problem:
pam_krb5 not clearing errno before calling getpwnam_r(), so it can get stuck when looking up user information

Version-Release number of selected component (if applicable):
pam_krb5-2.3.11-9.el6.i686

How reproducible:
always

Steps to Reproduce:
1. Noticed during Smartcard login with kerberos user

Actual results:


Expected results:


Additional info:
Some debug log information

Jan 27 12:13:39 localhost pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:076b/3021:libhal:/org/freedesktop/Hal/devices/usb_device_76b_3021_noserial_if0 (lun: 0)
Jan 27 12:13:39 localhost pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:076b/3021:libhal:/org/freedesktop/Hal/devices/usb_device_76b_3021_noserial_if0 (lun: 0)
Jan 27 12:13:39 localhost pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:076b/3021:libhal:/org/freedesktop/Hal/devices/usb_device_76b_3021_noserial_if0 (lun: 0)
Jan 27 12:13:39 localhost pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:076b/3021:libhal:/org/freedesktop/Hal/devices/usb_device_76b_3021_noserial_if0 (lun: 0)
Jan 27 12:13:39 localhost pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:076b/3021:libhal:/org/freedesktop/Hal/devices/usb_device_76b_3021_noserial_if0 (lun: 0)
Jan 27 12:13:39 localhost pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:076b/3021:libhal:/org/freedesktop/Hal/devices/usb_device_76b_3021_noserial_if0 (lun: 0)
Jan 27 12:13:39 localhost pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:076b/3021:libhal:/org/freedesktop/Hal/devices/usb_device_76b_3021_noserial_if0 (lun: 0)
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: flag: debug
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: flags: forwardable
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: flag: no ignore_afs
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: flag: no null_afs
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: flag: cred_session
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: preauth_options(template): X509_user_identity=PKCS11:/usr/lib/pkcs11/libcoolkeypk11.so
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: flag: user_check
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: flag: no krb4_convert
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: flag: krb4_convert_524
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: flag: krb4_use_as_req
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: will try previously set password first
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: will not let libkrb5 ask questions
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: flag: no use_shmem
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: flag: no external
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: flag: no multiple_ccaches
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: flag: validate
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: flag: warn
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: ticket lifetime: 3600s (0d,1h,0m,0s)
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: renewable lifetime: 10800s (0d,3h,0m,0s)
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: banner: Kerberos 5
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: ccache dir: /tmp
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: keytab: FILE:/etc/krb5.keytab
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: token strategy: v4,524,2b,rxk5
Jan 27 12:13:39 localhost pam: gdm-smartcard: pam_krb5[2803]: called to authenticate 'kdcuser2', realm 'EXAMPLE.COM'

[root@dhcp129-123 ~]# pstack 2803
#0  0x00cb1424 in __kernel_vsyscall ()
#1  0x0058f4c6 in munmap () from /lib/libc.so.6
#2  0x00525f76 in free () from /lib/libc.so.6
#3  0x00380813 in xstrfree () from /lib/security/pam_krb5.so
#4  0x003803f6 in _pam_krb5_user_info_init () from /lib/security/pam_krb5.so
#5  0x00373ffb in pam_sm_authenticate () from /lib/security/pam_krb5.so
#6  0x0046643f in ?? () from /lib/libpam.so.0
#7  0x00465c22 in pam_authenticate () from /lib/libpam.so.0
#8  0x08051be2 in ?? ()
#9  0x006f62e2 in ?? () from /lib/libglib-2.0.so.0
#10 0x006f86d5 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#11 0x006fcd68 in ?? () from /lib/libglib-2.0.so.0
#12 0x006fd2af in g_main_loop_run () from /lib/libglib-2.0.so.0
#13 0x0804bf7f in ?? ()
#14 0x004c6d26 in __libc_start_main () from /lib/libc.so.6
#15 0x0804bc61 in ?? ()
[root@dhcp129-123 ~]# rpm -q pam_krb5-debuginfo
pam_krb5-debuginfo-2.3.11-9.el6.i686
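
Added example, not part of the original report and not pam_krb5's code: a getpwnam_r() lookup whose retry loop cannot be kept spinning by a stale errno, because it clears errno before each call, decides only on the function's return value, and caps buffer growth. The names lookup_uid, fake_lookup, fake_rc, PW_BUF_START and PW_BUF_MAX are hypothetical, and the test double is constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdlib.h>

#define PW_BUF_START 16          /* small on purpose so the ERANGE path runs */
#define PW_BUF_MAX   (1u << 20)  /* hard cap: the retry loop is always bounded */

/* Same signature as getpwnam_r(), so a test double can stand in for it. */
typedef int (*pw_lookup_fn)(const char *, struct passwd *, char *, size_t,
                            struct passwd **);

int fake_rc;  /* constructed test double: returns fake_rc, never sets errno */
int fake_lookup(const char *n, struct passwd *p, char *b, size_t s,
                struct passwd **r)
{ (void)n; (void)p; (void)b; (void)s; *r = NULL; return fake_rc; }

/* Returns 0 and fills *uid on success, ENOENT when the user does not exist,
 * otherwise the lookup's own error code. *calls counts lookup attempts. */
int lookup_uid(pw_lookup_fn lookup, const char *name, uid_t *uid, int *calls)
{
    size_t size = PW_BUF_START;
    char *buf = NULL;
    int rc;
    for (*calls = 0;;) {
        struct passwd pw, *res = NULL;
        char *grown = realloc(buf, size);
        if (grown == NULL) { rc = ENOMEM; break; }
        buf = grown;
        errno = 0;               /* discard whatever an earlier call left behind */
        rc = lookup(name, &pw, buf, size, &res);
        (*calls)++;
        if (rc == 0) {           /* call completed: entry found or not found */
            if (res == NULL) rc = ENOENT;
            else *uid = pw.pw_uid;
            break;
        }
        /* Retry with a larger buffer only when the call itself said ERANGE. */
        if (rc != ERANGE || size >= PW_BUF_MAX) break;
        size *= 2;
    }
    free(buf);
    return rc;
}

int main(void)
{
    uid_t uid = 0; int calls = 0;
    return lookup_uid(getpwnam_r, "root", &uid, &calls);  /* 0 when found */
}
```

getpwnam_r() reports failure through its return value, so a loop that tests errno after the call can act on a value left there by unrelated code.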