RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1674501 - mod_auth_gssapi: test failure due to wrong int sizing
Summary: mod_auth_gssapi: test failure due to wrong int sizing
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: mod_auth_gssapi
Version: 8.0
Hardware: s390x
OS: Unspecified
high
unspecified
Target Milestone: rc
: 8.0
Assignee: Robbie Harwood
QA Contact: anuja
URL: https://github.com/modauthgssapi/mod_...
Whiteboard:
Depends On: 1678872 1682259 1690074
Blocks: 1678873 1701002
TreeView+ depends on / blocked
 
Reported: 2019-02-11 13:39 UTC by Branislav Náter
Modified: 2020-11-14 12:10 UTC (History)
6 users (show)

Fixed In Version: mod_auth_gssapi-1.6.1-5.el8
Doc Type: Bug Fix
Doc Text:
Cause: Integer size mismatch in apache call Consequence: GssapiPublishErrors wasn't properly initialized on s390x, so it was always treated as off. Fix: Correct int sizing Result: s390x behaves as expected.
Clone Of:
: 1678872 1678873 (view as bug list)
Environment:
Last Closed: 2019-11-05 20:41:33 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
test console logs (21.69 KB, text/plain)
2019-07-09 02:50 UTC, anuja 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3324 0 None None None 2019-11-05 20:41:36 UTC

Description Branislav Náter 2019-02-11 13:39:20 UTC 
Description of problem:
Upstream test suite, namely "BASIC Fail Second User" test is failing on s390x. No failures appear on x86_64, aarch64 or ppc64le.

Version-Release number of selected component (if applicable):
mod_auth_gssapi-1.6.1-2.el8.s390x

Steps to Reproduce:
1. # /usr/bin/python2 tests/magtests.py --so-dir /usr/lib64/httpd/modules/
/tmp/tmp.LxRAoKX8eR/BUILD/mod_auth_gssapi-1.6.1/scratchdir/key.pem
SPNEGO: SUCCESS
SPNEGO Proxy Auth: SUCCESS
SPNEGO No Auth: SUCCESS
SPNEGO Rewrite: SUCCESS
SPNEGO Negotiate Once: SUCCESS
HOSTNAME ACCEPTOR: SUCCESS
BAD ACCEPTOR: SUCCESS
Required Name Attr: SUCCESS
BASIC-AUTH: SUCCESS
BASIC-AUTH Two Users: SUCCESS
BASIC Fail Second User: FAILED
BASIC Proxy Auth: SUCCESS
NO Negotiate: SUCCESS

Additional info:
# cat scratchdir/tests.log 
Traceback (most recent call last):
  File "tests/t_hostname_acceptor.py", line 15, in <module>
    raise ValueError('Hostname-based acceptor failed')
ValueError: Hostname-based acceptor failed
Traceback (most recent call last):
  File "tests/t_bad_acceptor_name.py", line 14, in <module>
    raise ValueError('Bad Acceptor Name failed')
ValueError: Bad Acceptor Name failed
Traceback (most recent call last):
  File "tests/t_basic_k5_fail_second.py", line 27, in <module>
    raise ValueError('Basic Auth: Expected error variable is missing')
ValueError: Basic Auth: Expected error variable is missing
Killing KDC(52201)
Killing HTTPD(52202)
Comment 1 Robbie Harwood 2019-02-11 16:41:57 UTC 
I do not have s390x hardware.  Could you please give me access to a machine which reproduces this failure if you would like it investigated?
Comment 4 Robbie Harwood 2019-02-12 17:49:01 UTC 
Thanks Branislav.

What's happening here is that httpd doesn't seem to be setting one of our command variables correctly: GssapiPublishErrors, which gets loaded into cfg->enverrs.  (This causes the error strings to not be included in the HTTP response, which breaks the test suite; you can still see them in httpd's error_log.)  cfg->envvars is read-only from the perspective of mod_auth_gssapi; we expect httpd to fill it in.  On x86_64 (and I assume all other architectures, since the test suite passes there), this variable is set correctly, and we behave as expected.

Reproducing can use QE's tests or our upstream tests.  I've been setting `-X` on httpd's launch to make attaching gdb easier, but this doesn't seem to change behavior either way.  Our command table is at src/mod_auth_gssapi.c:1827; the check in question is located in mag_post_error() at src/mod_auth_gssapi.c:118, and for this test comes from mag_basic_auth() at src/mod_auth_gssapi.c:610.

Accordingly, this is reassigned to httpd.
Comment 5 Joe Orton 2019-02-19 08:56:48 UTC 
mod_auth_gssapi is using:

    AP_INIT_FLAG("GssapiPublishErrors", ap_set_flag_slot,
                 (void *)APR_OFFSETOF(struct mag_config, enverrs), OR_AUTHCFG,
                 "Publish GSSAPI Errors in Envionment Variables"),

but enverrs is a bool:

    bool enverrs;

ap_set_flag_slot() requires a variable with sizeof(int) whereas it looks like sizeof(bool) is not fixed by C99, only "big enough to store one bit".  On x86_64 sizeof(bool) is sizeof(char) anyway, so it's broken everywhere.

The simplest fix would be to change envvers to type int.
Comment 6 Joe Orton 2019-02-19 09:04:39 UTC 
The other use of ap_set_flag_slot in this module:

    AP_INIT_FLAG("GssapiImpersonate", ap_set_flag_slot,
          (void *)APR_OFFSETOF(struct mag_config, s4u2self), OR_AUTHCFG,
               "Do impersonation call (S4U2Self) "
               "based on already authentication username"),

also has the same problem; using either these directives may be splatting over other config fields in nasty ways depending on the struct padding.
Comment 7 Robbie Harwood 2019-02-19 18:59:07 UTC 
Thanks Joe.  Posted fix upstream.
Comment 12 anuja 2019-07-09 02:38:14 UTC 
Verified using:
mod_auth_gssapi-1.6.1-6.el8.s390x

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 01:52:55 ] :: [  BEGIN   ] :: Running upstream test suite :: actually running '/usr/bin/python2 tests/magtests.py --so-dir /usr/lib64/httpd/modules/'
SPNEGO: SUCCESS
SPNEGO Proxy Auth: SUCCESS
SPNEGO No Auth: SUCCESS
SPNEGO Rewrite: SUCCESS
SPNEGO Negotiate Once: SUCCESS
HOSTNAME ACCEPTOR: SUCCESS
BAD ACCEPTOR: SUCCESS
Required Name Attr: SUCCESS
BASIC-AUTH: SUCCESS
BASIC-AUTH Two Users: SUCCESS
BASIC Fail Second User: SUCCESS
BASIC Proxy Auth: SUCCESS
NO Negotiate: SUCCESS
:: [ 01:53:06 ] :: [   PASS   ] :: Running upstream test suite (Expected 0, got 0)
:: [ 01:53:06 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.lFqUvHqs' should contain 'SUCCESS'
:: [ 01:53:06 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.lFqUvHqs' should not contain 'FAILED'
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 11s
::   Assertions: 3 good, 0 bad
::   RESULT: PASS (Test)

As per comment #0
Test {BASIC Fail Second User: } is not failed on latest version.

Based on this marking bz as verified.
Comment 13 anuja 2019-07-09 02:50:01 UTC 
Created attachment 1588607 [details]
test console logs
Comment 15 errata-xmlrpc 2019-11-05 20:41:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3324
Note You need to log in before you can comment on or make changes to this bug.