Bug 2229113
| Summary: | Double free in MIT Kerberos 1.21 | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Andreas Schneider <asn> |
| Component: | krb5 | Assignee: | Julien Rische <jrische> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 38 | CC: | abokovoy, antorres, asn, ftrivino, jrische, j, psampaio, sbose, ssorce |
| Target Milestone: | --- | Keywords: | Regression, Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | krb5-1.21-3.fc38 krb5-1.21.2-1.fc40 krb5-1.21.2-1.fc39 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-08-10 00:41:36 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2230178 | ||
FEDORA-2023-ca086f015c has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-ca086f015c FEDORA-2023-ca086f015c has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-ca086f015c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-ca086f015c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. *** Bug 2230179 has been marked as a duplicate of this bug. *** FEDORA-2023-ca086f015c has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2023-763a42d865 has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2023-763a42d865 FEDORA-2023-4bce1554d6 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-4bce1554d6 FEDORA-2023-763a42d865 has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2023-4bce1554d6 has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report. |
Description of problem: There is a double free corruption in MIT KRB5 1.21. It can be reproduced with Samba tests: /usr/sbin/krb5kdc: ================================================================= /usr/sbin/krb5kdc: ==6492==ERROR: AddressSanitizer: attempting double-free on 0x61a00025e080 in thread T0: /usr/sbin/krb5kdc: #0 0x7f5c932dad08 (/usr/lib64/libasan.so.8.0.0+0xdad08) (BuildId: a24a20df2a1331371c666de9135abab342429d43) /usr/sbin/krb5kdc: #1 0x7f5c9317df72 in krb5_free_ticket krb/kfree.c:455 /usr/sbin/krb5kdc: #2 0x7f5c9317df72 in krb5_free_ticket krb/kfree.c:450 /usr/sbin/krb5kdc: #3 0x417fb6 in free_req_info ../../src/kdc/do_tgs_req.c:1144 /usr/sbin/krb5kdc: #4 0x417fb6 in process_tgs_req ../../src/kdc/do_tgs_req.c:1225 /usr/sbin/krb5kdc: #5 0x40c35f in dispatch ../../src/kdc/dispatch.c:163 /usr/sbin/krb5kdc: #6 0x449411 in process_tcp_connection_read ../../../src/lib/apputils/net-server.c:1363 /usr/sbin/krb5kdc: #7 0x7f5c931053a7 in verto_fire (/lib64/libverto.so.1+0x43a7) (BuildId: dce5099f3ddd23bf63050ec1bd9f959814a709ee) /usr/sbin/krb5kdc: #8 0x7f5c8d8f9625 in ev_invoke_pending (/lib64/libev.so.4+0x5625) (BuildId: db2a80899176970d5ae46767b5ba351c27607fd5) /usr/sbin/krb5kdc: #9 0x7f5c8d8fd1cb in ev_run (/lib64/libev.so.4+0x91cb) (BuildId: db2a80899176970d5ae46767b5ba351c27607fd5) /usr/sbin/krb5kdc: #10 0x4344a5 in main ../../src/kdc/main.c:1039 /usr/sbin/krb5kdc: #11 0x7f5c92a2abef in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 /usr/sbin/krb5kdc: #12 0x7f5c92a2acb8 in __libc_start_main_impl ../csu/libc-start.c:360 /usr/sbin/krb5kdc: #13 0x4097a4 in _start ../sysdeps/x86_64/start.S:115 /usr/sbin/krb5kdc: /usr/sbin/krb5kdc: 0x61a00025e080 is located 0 bytes inside of 1188-byte region [0x61a00025e080,0x61a00025e524) /usr/sbin/krb5kdc: freed by thread T0 here: /usr/sbin/krb5kdc: #0 0x7f5c932dad08 (/usr/lib64/libasan.so.8.0.0+0xdad08) (BuildId: a24a20df2a1331371c666de9135abab342429d43) /usr/sbin/krb5kdc: #1 0x4170ce in zapfree ../../src/include/k5-int.h:664 /usr/sbin/krb5kdc: #2 0x4170ce in tgs_issue_ticket ../../src/kdc/do_tgs_req.c:1128 /usr/sbin/krb5kdc: #3 0x4170ce in process_tgs_req ../../src/kdc/do_tgs_req.c:1195 /usr/sbin/krb5kdc: #4 0x40c35f in dispatch ../../src/kdc/dispatch.c:163 /usr/sbin/krb5kdc: #5 0x449411 in process_tcp_connection_read ../../../src/lib/apputils/net-server.c:1363 /usr/sbin/krb5kdc: #6 0x7f5c931053a7 in verto_fire (/lib64/libverto.so.1+0x43a7) (BuildId: dce5099f3ddd23bf63050ec1bd9f959814a709ee) /usr/sbin/krb5kdc: /usr/sbin/krb5kdc: previously allocated by thread T0 here: /usr/sbin/krb5kdc: #0 0x7f5c932dc03f in malloc (/usr/lib64/libasan.so.8.0.0+0xdc03f) (BuildId: a24a20df2a1331371c666de9135abab342429d43) /usr/sbin/krb5kdc: #1 0x7f5c93158f5d in k5_asn1_decode_bytestring asn.1/asn1_encode.c:232 /usr/sbin/krb5kdc: #2 0x6030000aaeef (<unknown module>) /usr/sbin/krb5kdc: /usr/sbin/krb5kdc: SUMMARY: AddressSanitizer: double-free (/usr/lib64/libasan.so.8.0.0+0xdad08) (BuildId: a24a20df2a1331371c666de9135abab342429d43) /usr/sbin/krb5kdc: ==6492==ABORTING