Bug 467208

Summary: SIGSEGV on CTRL+D
Product: Red Hat Enterprise Linux 5
Reporter: Karel Zak <kzak>
Component: pam_krb5
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium
Priority: medium
Version: 5.2
CC: kvolny, syeghiay, tmraz, zmraz
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: 2.2.14-10
Doc Type: Bug Fix
Last Closed: 2009-01-20 21:19:46 UTC
Attachments: proposed patch (flags: none)

Description Karel Zak 2008-10-16 11:53:43 UTC
login(1) strace (executed by telnetd):

Program received signal SIGSEGV, Segmentation fault.
0x00000030ec877bc0 in strchr () from /lib64/libc.so.6
(gdb) bt
#0  0x00000030ec877bc0 in strchr () from /lib64/libc.so.6
#1  0x00002abe68b19212 in misc_conv () from /lib64/security/pam_krb5.so
#2  0x00002abe68b19665 in pam_sm_authenticate () from /lib64/security/pam_krb5.so
#3  0x00000030efc02dc7 in _pam_dispatch () from /lib64/libpam.so.0
#4  0x00000030efc026d2 in pam_authenticate () from /lib64/libpam.so.0
#5  0x0000000000403231 in main (argc=<value optimized out>, argv=<value optimized out>) at login.c:589


pam.d/system-auth:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

reproduce by:

1. enable telnetd (/etc/xinetd.d/telnet), 
2. telnet localhost
3. ps aux | grep telnet on a different console, and strace/gdb <pid>
4. (at telnet session) press CTRL+D 3 or 4 times, 
    until you terminate the login session

Comment 1 Tomas Mraz 2008-10-16 13:51:02 UTC
Better backtrace with correct pam_krb5-debuginfo points at pam_krb5 as the culprit:

Program received signal SIGSEGV, Segmentation fault.
0x00000030ec877bc0 in strchr () from /lib64/libc.so.6
(gdb) bt
#0  0x00000030ec877bc0 in strchr () from /lib64/libc.so.6
#1  0x00002b205170d212 in _pam_krb5_user_info_init (ctx=0x7bbba30, name=0x0, 
    realm=0x8612b80 "REDHAT.COM", check_user=1, num_mappings=0, mappings=0x0)
    at userinfo.c:187
#2  0x00002b205170d665 in pam_sm_authenticate (pamh=0x7bad130, flags=0, 
    argc=1, argv=0x7bb19d0) at auth.c:117
#3  0x00000030efc02dc7 in _pam_dispatch (pamh=0x7bad130, flags=0, choice=1)
    at pam_dispatch.c:83
#4  0x00000030efc026d2 in pam_authenticate (pamh=0x7bad130, flags=0)
    at pam_auth.c:34
#5  0x00000000004031a3 in main (argc=<value optimized out>, 
    argv=<value optimized out>) at login.c:585
#6  0x00000030ec81d8b4 in __libc_start_main (main=0x402a90 <main>, argc=4, 
    ubp_av=0x7fff5a07bec8, init=<value optimized out>, 
    fini=<value optimized out>, rtld_fini=<value optimized out>, 
    stack_end=0x7fff5a07beb8) at libc-start.c:231
#7  0x00000000004024d9 in _start ()

rpm -q pam_krb5
pam_krb5-2.2.14-1.el5_2.1.x86_64

Comment 2 Nalin Dahyabhai 2008-10-16 18:13:55 UTC
It looks like pam_get_user() returned NULL for the user name (from misc_conv, I guess) with a successful result code.  Is it allowed to do that?

Comment 3 Tomas Mraz 2008-10-16 18:44:30 UTC
That's a tricky question. I'd say that this is unspecified, and that means that third-party (non Linux-PAM) modules should rather be able to handle a NULL user name even when pam_get_user returns success. On the other hand, the current pam library in Fedora always returns an error in case the conversation returned NULL data, and that differs from the RHEL-5 version of PAM and older.

Comment 4 Nalin Dahyabhai 2008-10-16 21:32:44 UTC
I really doubt that this expectation is specific to pam_krb5, but we can certainly make the change there to get around it.
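
A defensive check of the kind discussed in comments 2 to 4, as an added example that is not the attached patch and not pam_krb5's own code: it rejects a success result that carries a NULL name before any string function sees it. The callback type modelling pam_get_user(), the stand-in return codes, the '@' search and every name in the block are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Stand-ins named after Linux-PAM's PAM_SUCCESS and PAM_USER_UNKNOWN, so the
 * example builds without libpam headers. */
enum { EX_PAM_SUCCESS = 0, EX_PAM_USER_UNKNOWN = 10 };

/* Hypothetical type modelling pam_get_user(): return code plus out-pointer. */
typedef int (*get_user_fn)(const char **user);

/* Constructed outcomes: a normal login, EOF (CTRL+D) at the prompt reported
 * as success with no name (name=0x0 in the backtrace), and an empty name. */
static int conv_ok(const char **u)    { *u = "alice@EXAMPLE.COM"; return EX_PAM_SUCCESS; }
static int conv_eof(const char **u)   { *u = NULL; return EX_PAM_SUCCESS; }
static int conv_empty(const char **u) { *u = "";   return EX_PAM_SUCCESS; }

/* Guard: a success code alone does not prove a usable name came back.
 * Rejecting "" as well is an extra precaution beyond what the thread covers. */
static int checked_get_user(get_user_fn get, const char **user)
{
    *user = NULL;
    int rc = get(user);
    if (rc != EX_PAM_SUCCESS)
        return rc;
    if (*user == NULL || (*user)[0] == '\0') {
        *user = NULL;
        return EX_PAM_USER_UNKNOWN;
    }
    return EX_PAM_SUCCESS;
}

/* Models the scan that crashed: strchr() on the name. Searching for '@' is an
 * assumption; the page only shows strchr() reached with name=NULL.
 * Returns the local-part length, or -1 when authentication must fail. */
static int local_part_len(get_user_fn get)
{
    const char *user;
    if (checked_get_user(get, &user) != EX_PAM_SUCCESS)
        return -1;                 /* fail closed, never reach strchr(NULL) */
    const char *at = strchr(user, '@');
    return (int)(at ? (size_t)(at - user) : strlen(user));
}

int main(void)
{
    return (local_part_len(conv_ok) == 5 && local_part_len(conv_eof) == -1
            && local_part_len(conv_empty) == -1) ? 0 : 1;
}
```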

Comment 5 Nalin Dahyabhai 2008-10-27 15:33:02 UTC
Created attachment 321620
proposed patch

Comment 6 Zbysek MRAZ 2008-11-03 18:12:12 UTC
Setting QA_ack

Better QA steps to reproduce:
1. enable krb5 authentication in the system
2. enable telnet
3. log in with telnet, not using the root ID, and hit Ctrl+D for the password
4. trace the 'login' process PID where telnetd is its parent
5. keep hitting Ctrl+D on the client until it terminates

Comment 12 errata-xmlrpc 2009-01-20 21:19:46 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0135.html