Bug 1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder
Status: POST
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.3
Assigned To: SSSD Maintainers
Amith
Aneta Šteflová Petrová
Reported: 2017-06-12 08:15 EDT by Jakub Hrozek
Modified: 2017-08-14 05:58 EDT
Doc Type: Known Issue
Doc Text:
The *sssd-secrets* component crashes when it is under load
When the *sssd-secrets* component receives many requests, the situation triggers a bug in the Network Security Services (NSS) library that causes *sssd-secrets* to terminate unexpectedly. However, the *systemd* service restarts *sssd-secrets* for the next request, which means that the denial of service is only temporary.
Description Jakub Hrozek 2017-06-12 08:15:58 EDT
This bug is created as a clone of upstream ticket:
https://pagure.io/SSSD/sssd/issue/3424

Currently the NSS library is fully initialized and torn down on each secrets storage. Eventually, this triggers a segfault with a backtrace pointing to NSS.

This is probably an NSS bug, but we're not making it any easier on us by calling setup and teardown of NSS on each encrypt. We should just remove the cleanup totally or clean up on responder shutdown.

To reproduce:
1. configure sssd+kcm
2. kinit repeatedly, after several thousand tries, sssd-secrets segfaults
Comment 5 Lukas Slebodnik 2017-07-25 05:54:09 EDT
master:
* a6f606117e5cfe64c4b49f94e514bf82054716d3
Comment 6 Jakub Hrozek 2017-08-10 14:26:51 EDT
To reproduce and verify: see comment #0.
