Bug 679557

Summary: PyPAM-0.5.0-3el5sat segfault when authenticating or registering clients on Satellite using users stored in Active Directory
Product: Red Hat Satellite 5 Reporter: Marcelo Moreira de Mello <mmello>
Component: UsabilityAssignee: Jan Pazdziora <jpazdziora>
Status: CLOSED ERRATA QA Contact: Tomas Lestach <tlestach>
Severity: medium Docs Contact:
Priority: medium    
Version: 540CC: cperry, gbock, jhutar, jpazdziora, mmello, msuchy, tlestach, tmraz, xdmoon
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: PyPAM-0.5.0-11.1.el5sat Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 679714 (view as bug list) Environment:
Last Closed: 2011-06-17 02:45:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 677501    
Attachments:
Description Flags
PyPAM-0.5.0-nofree.patch
none
PyPAM-0.5.0-dealloc.patch
none
Correct patch with proper deallocation in the error condition none

Description Marcelo Moreira de Mello 2011-02-22 20:45:48 UTC 
Description of problem:

When using package provided in Satellite 5.4 PyPAM-0.5.0-3el5sat and registering clients using users stored in Active Directory (Samba + Winbind), httpd process dies with a segfault error. 

[Tue Jan 11 13:15:08 2011] [notice] child pid 25658 exit signal Segmentation fault (11)
[Tue Jan 11 13:15:13 2011] [notice] child pid 28084 exit signal Segmentation fault (11)
[Tue Jan 11 13:15:19 2011] [notice] child pid 27209 exit signal Segmentation fault (11)
[Tue Jan 11 13:15:24 2011] [notice] child pid 27213 exit signal Segmentation fault (11)
Tue Jan 11 13:15:30 2011] [notice] child pid 27210 exit signal Segmentation fault (11)

Analysing the core file, we can observe the follow error: 


Program terminated with signal 11, Segmentation fault.
#0  0x00002b13bbbb488e in free () from /lib64/libc.so.6
(gdb) bt
#0  0x00002b13bbbb488e in free () from /lib64/libc.so.6
#1  0x00002b13d6bacdf0 in PyPAM_conv (num_msg=1, msg=0x7fff66806ef0, resp=0x7fff66806f10, appdata_ptr=0x2b13d6b0e330) at PAMmodule.c:59
#2  0x00002b13d73e3863 in ?? () from /lib64/security/pam_winbind.so
#3  0x00002b13d73e438d in ?? () from /lib64/security/pam_winbind.so
#4  0x00002b13d73e693c in pam_sm_authenticate () from /lib64/security/pam_winbind.so
#5  0x00002b13d6dbddc7 in _pam_dispatch () from /lib64/libpam.so.0
#6  0x00002b13d6dbd6d2 in pam_authenticate () from /lib64/libpam.so.0
#7  0x00002b13d6bad2d7 in PyPAM_authenticate (self=0x2b13d6b0e330, args=<value optimized out>) at PAMmodule.c:215


Looks like the free from the loop is what is causing issues:

    if (NULL != self->response_data) {
        for (int i = 0; i < self->response_len; i++) {
            free(self->response_data[0].resp);
        }
        free(self->response_data);
        self->response_data = NULL;
        self->response_len = 0;
    }

Version-Release number of selected component (if applicable):
Red Hat Network Satellite 5.4

How reproducible:
100%

Steps to Reproduce:
1. Configure Satellite to authenticate against AD using Samba + Winbind 
2. Set the pam environment

   /etc/pam.d/rhn-satellite

#%PAM-1.0
auth required /lib64/security/pam_winbind.so
auth sufficient /lib64/security/pam_winbind.so
auth required /lib64/security/pam_deny.so
account required /lib64/security/pam_winbind.so

3. Try to register a client
  
Actual results:

httpd segfault

Expected results:

register works properly 


Additional Info: 

If the PyPAM is downgrade to version shipped in Red Hat Network Satellite 5.3, the segfault does not happen.
Comment 2 Marcelo Moreira de Mello 2011-02-22 20:58:36 UTC 
Created attachment 480248 [details]
PyPAM-0.5.0-nofree.patch

Hello, 

We created a **TEST** package to customer backporting 2 fixes: 

   * Tue Feb 22 2011 Marcelo Moreira de Mello <mmello> 0.5.0-9.SFDC.00401329.TEST
- backport fix PyPAM-0.5.0-nofree.patch

 * Tue Feb 22 2011 Miroslav Suchý <msuchy> 0.5.0-8
- 658955 - fix two bugs in the PAM object deallocation
- add -fno-strict-aliasing to CFLAGS

The backport patches files are attached on the case. 

Kind Regards, 
Marcelo Moreira de Mello
Comment 3 Marcelo Moreira de Mello 2011-02-22 20:59:25 UTC 
Created attachment 480249 [details]
PyPAM-0.5.0-dealloc.patch


Including PyPAM-0.5.0-dealloc.patch backport fix.
Comment 6 Marcelo Moreira de Mello 2011-02-22 21:04:27 UTC 
Hello, 

TEST package PyPAM-0.5.0-9.SFDC.00401329.TEST.el5sat.x86_64.rpm sent to customer. 

We are waiting customer's feedback. In our labs, the issue were fixed. 

Kind Regards, 
Marcelo Moreira de Mello
Comment 7 Marcelo Moreira de Mello 2011-02-22 21:07:38 UTC 
Hello, 

Customer confirmed that package worked: "Verified that the 0.5.0-9 build no longer segfaults for rhnreg_ks"

Kind Regards, 
Marcelo Moreira de Mello
Comment 8 Greg Bock 2011-02-22 21:17:47 UTC 
Other test cases were failures to push configs from the rhnproxy command line installer. I currently don't have enough entitlements to retest.
Comment 9 Greg Bock 2011-02-23 01:01:46 UTC 
After a bit more digging it seems you can work around the original issue by adding an auth option that will fail (I used pam_unix in the test case):

[pam.d]$ cat rhn-satellite
#%PAM-1.0

auth    sufficient      /lib64/security/$ISA/pam_unix.so likeauth nullok
auth    required        /lib64/security/$ISA/pam_winbind.so use_first_pass
auth    sufficient      /lib64/security/$ISA/pam_winbind.so use_first_pass
auth    required        /lib64/security/$ISA/pam_deny.so
account required        /lib64/security/$ISA/pam_winbind.so


I doubt this is directly related to winbind or AD.
Comment 10 Tomas Mraz 2011-02-23 10:05:46 UTC 
Created attachment 480399 [details]
Correct patch with proper deallocation in the error condition

Please test with this patch. Although to test the deallocation an error in the conversation function in the response must be done.
Comment 11 Miroslav Suchý 2011-02-23 15:06:21 UTC 
Fixed in Fedora and Epel in BZ 679714. Will be fixed in RHEL6.1.
Comment 12 Greg Bock 2011-02-23 15:46:44 UTC 
This appears to be working properly now.
Comment 15 Jan Pazdziora 2011-04-07 12:00:00 UTC 
Taking.
Comment 16 Jan Pazdziora 2011-04-07 13:00:15 UTC 
We've rebased to PyPAM-0.5.0-11 from RHEL 5 EPEL which is equivalent to PyPAM-0.5.0-12 from RHEL 6.1.

Tagged and built as PyPAM-0.5.0-11.1.el5sat.
Comment 17 Greg Bock 2011-04-07 13:10:47 UTC 
Any idea when this will hit GA?
Comment 18 Clifford Perry 2011-04-07 15:10:07 UTC 
It is aligned to the Satellite 5.4.1 Blocker bugfix. As such, it is part of the 5.4.1 release. Release dates are not posted in public, please contact Red Hat Support or your account sales rep to verify NDA agreements for the account before information such as release dates to be provided. 

Regards,
Clifford
Comment 20 Tomas Lestach 2011-05-19 15:20:57 UTC 
Setting Customer VERIFIED.
Comment 24 Clifford Perry 2011-06-17 02:45:00 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

https://rhn.redhat.com/errata/RHEA-2011-0875.html