Bug 201976

Summary: Applications using kerberos authentication segfault
Product: [Fedora] Fedora Reporter: Rob Riggs <rob+redhat>
Component: krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED WONTFIX QA Contact: Brian Brock <bbrock>
Severity: high Docs Contact:
Priority: medium    
Version: 5CC: triage
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://krbdev.mit.edu/rt/Ticket/Display.html?id=3313
Whiteboard: bzcl34nup
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-06 12:13:10 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Rob Riggs 2006-08-10 01:43:10 EDT
Description of problem:
Both curl and firefox have the following errors when attempting to negotiate
kerberos authentication with a remote server:

*** glibc detected *** curl: double free or corruption (!prev):
0x0000000000539f40 ***
======= Backtrace: =========

This is a strace output of a running firefox:

writev(2, [{"*** glibc detected *** ", 23},
{"/usr/lib64/firefox-"..., 38}, {": ", 2}, {"double free or
corruption (out)", 31}, {": 0x", 4}, {"00002aaab32fb460", 16}, {" ***\n", 5}],
7) = 119
futex(0x306bf46f00, FUTEX_WAKE, 2147483647) = 0
futex(0x307260d350, FUTEX_WAKE, 2147483647) = 0
write(2, "======= Backtrace: =========\n", 29) = 29
writev(2, [{"/lib64/libc.so.6", 16}, {"[0x", 3}, {"306bd6dc43", 10}, {"]\n",
2}], 4) = 31
writev(2, [{"/lib64/libc.so.6", 16}, {"(", 1}, {"__libc_free", 11}, {"+0x", 3},
{"84", 2}, {")", 1}, {"[0x", 3}, {"306bd6ddc4", 10}, {"]\n", 2}], 9) = 49
writev(2, [{"/usr/lib64/libkrb5.so.3", 23}, {"(", 1},
{"krb5_free_cred_contents", 23}, {"+0x", 3}, {"6d", 2}, {")", 1}, {"[0x", 3},
{"2aaab0a1535d", 12}, {"]\n", 2}], 9) = 70
writev(2, [{"/usr/lib64/libkrb5.so.3", 23}, {"(", 1}, {"krb5_free_creds", 15},
{"+0x", 3}, {"9", 1}, {")", 1}, {"[0x", 3}, {"2aaab0a153c9", 12}, {"]\n", 2}],
9) = 61
writev(2, [{"/usr/lib64/libkrb5.so.3", 23}, {"(", 1}, {"krb5_free_tgt_creds",
19}, {"+0x", 3}, {"1d", 2}, {")", 1}, {"[0x", 3}, {"2aaab0a153fd", 12}, {"]\n",
2}], 9) = 66
writev(2, [{"/usr/lib64/libkrb5.so.3", 23}, {"(", 1}, {"krb5_get_credentials",
20}, {"+0x", 3}, {"209", 3}, {")", 1}, {"[0x", 3}, {"2aaab0a10509", 12}, {"]\n",
2}], 9) = 68
writev(2, [{"/usr/lib64/libgssapi_krb5.so.2", 30}, {"(", 1},
{"krb5_gss_init_sec_context", 25}, {"+0x", 3}, {"96a", 3}, {")", 1}, {"[0x", 3},
{"2aaab08c2b3a", 12}, {"]\n", 2}], 9) = 80

This is the best I could come up with for the time being.  I have no idea where
firefox's stderr is being sent.

The fact that both applications are segfaulting in about the same place would
appear to implicate the kerberos libraries.

Version-Release number of selected component (if applicable):
Tested with krb5-libs-1.4.3-5.1 (both x86_64 and i386 versions, under curl) and
krb5-libs-1.4.3-4.1 (x86_64 only)

How reproducible:
Almost always.  Occasionally the curl connection hangs.  I am finding diagnosis
difficult under firefox.  It just hangs and I have had to reboot (yes, reboot)
on occasion in order to restart firefox.

With both, authentication never works, and the user's keytab always gets
corrupted. It works fine with an almost identical setup under FC3.

Steps to Reproduce:
1. Set up kerberos
2. make sure kinit returns a valid ticket
3. curl -u z --negotiate http://some.mod_auth_kerb.url/ or IIS URL
4. press enter at the password prompt

Actual results:

See error above

Expected results:

I expect curl to authenticate and download the content of the given URL.

Additional info:

This may be related to 189332
Seems very similar to http://bugs.donarmstrong.com/cgi-bin/bugreport.cgi?bug=344543
Comment 1 Nalin Dahyabhai 2006-08-10 17:05:20 EDT
I'm having trouble reproducing this.  Fresh i386 FC5 install with all updates
applied (this takes it to 1.4.3-5.1, as you have).

I run kinit, and then point curl at a page on my domain controller, which is in
a different realm than I am, and have the [domain_realm] mapping set up in
/etc/krb5.conf so that the library will assume it's in my local realm.

When I try this, I see the "Server not found in Kerberos database" error come
back from the server, and the client spews out the authorization failure text
which the server sent it.

Is there something I'm missing in the setup here?
Comment 2 Rob Riggs 2006-08-10 22:05:01 EDT
First, both the patch at http://krbdev.mit.edu/rt/Ticket/Display.html?id=3313
and krb5-1.5-3 from fc6t2 fix the double-free problem.  This has allowed me to
track down what appear to be the key features of the problem.

This problem manifests itself when the server to which the request is made maps
to a secondary realm whose domain name does not directly map to that realm.
(There is at least one other case.  The same seems to occur when the domain does
not have a mapping to a valid realm.)

1. krb5.conf has a [domain_realm] section with a "domain2.name = REALM2.NAME"
mapping (e.g. bar.com = BAZ.COM)
2. curl requests http://host.realm.name and starts auth_negotiate
3. DNS shows gethostbyaddr(gethostbyname(host.realm.name)) = host.domain2.name
4. curl must construct an SPN of HTTP/host.domain2.name@REALM2.NAME
5. curl crashes

I hope that is clear.  It is still a little confusing to me.
Comment 3 Bug Zapper 2008-04-03 23:29:44 EDT
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.

If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reporduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
the change.

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we are following is outlined here:

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

And if you'd like to join the bug triage team to help make things
better, check out http://fedoraproject.org/wiki/BugZappers
Comment 4 Bug Zapper 2008-05-06 12:13:08 EDT
This bug is open for a Fedora version that is no longer maintained and
will not be fixed by Fedora. Therefore we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen thus bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.