login(1) strace (executed by telnetd):

Program received signal SIGSEGV, Segmentation fault.
0x00000030ec877bc0 in strchr () from /lib64/libc.so.6
(gdb) bt
#0  0x00000030ec877bc0 in strchr () from /lib64/libc.so.6
#1  0x00002abe68b19212 in misc_conv () from /lib64/security/pam_krb5.so
#2  0x00002abe68b19665 in pam_sm_authenticate () from /lib64/security/pam_krb5.so
#3  0x00000030efc02dc7 in _pam_dispatch () from /lib64/libpam.so.0
#4  0x00000030efc026d2 in pam_authenticate () from /lib64/libpam.so.0
#5  0x0000000000403231 in main (argc=<value optimized out>, argv=<value optimized out>) at login.c:589

pam.d/system-auth:

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so

reproduce by:
1. enable telnetd (/etc/xinetd.d/telnet),
2. telnet localhost
3. ps aux | grep telnet on a different console, and strace/gdb <pid>
4. (at telnet session) press CTRL+D 3 or 4 times, until you terminate the login session
Better backtrace with correct pam_krb5-debuginfo points at pam_krb5 as the culprit:

Program received signal SIGSEGV, Segmentation fault.
0x00000030ec877bc0 in strchr () from /lib64/libc.so.6
(gdb) bt
#0  0x00000030ec877bc0 in strchr () from /lib64/libc.so.6
#1  0x00002b205170d212 in _pam_krb5_user_info_init (ctx=0x7bbba30, name=0x0, realm=0x8612b80 "REDHAT.COM", check_user=1, num_mappings=0, mappings=0x0) at userinfo.c:187
#2  0x00002b205170d665 in pam_sm_authenticate (pamh=0x7bad130, flags=0, argc=1, argv=0x7bb19d0) at auth.c:117
#3  0x00000030efc02dc7 in _pam_dispatch (pamh=0x7bad130, flags=0, choice=1) at pam_dispatch.c:83
#4  0x00000030efc026d2 in pam_authenticate (pamh=0x7bad130, flags=0) at pam_auth.c:34
#5  0x00000000004031a3 in main (argc=<value optimized out>, argv=<value optimized out>) at login.c:585
#6  0x00000030ec81d8b4 in __libc_start_main (main=0x402a90 <main>, argc=4, ubp_av=0x7fff5a07bec8, init=<value optimized out>, fini=<value optimized out>, rtld_fini=<value optimized out>, stack_end=0x7fff5a07beb8) at libc-start.c:231
#7  0x00000000004024d9 in _start ()

rpm -q pam_krb5
pam_krb5-2.2.14-1.el5_2.1.x86_64
It looks like pam_get_user() returned NULL for the user name (from misc_conv, I guess) with a successful result code. Is it allowed to do that?
That's a tricky question. I'd say that this is unspecified, and that means that third-party (non-Linux-PAM) modules rather should be able to handle a NULL user name even when pam_get_user returns success. On the other hand, the current PAM library in Fedora always returns an error in case the conversation returned NULL data, and that differs from the RHEL-5 version of PAM and older.
I really doubt that this expectation is specific to pam_krb5, but we can certainly make the change there to get around it.
Created attachment 321620: proposed patch
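An added example, not the attached patch and not pam_krb5's own code: a module-side guard that rejects a NULL or empty user name before the strchr() call that faulted in the backtrace above, even when the lookup reports success. The names stub_get_user, user_info_init and authenticate, the EX_* codes and the EXAMPLE.COM realm are hypothetical stand-ins.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for PAM return codes; a real module uses <security/pam_modules.h>. */
enum { EX_SUCCESS = 0, EX_USER_UNKNOWN = 1 };

/* Hypothetical stub for the library lookup: mimics the reported behaviour,
 * a success code with a NULL name after EOF at the login prompt. */
static int stub_get_user(const char *typed, const char **user)
{
    *user = typed;              /* NULL when the conversation returned no data */
    return EX_SUCCESS;
}

/* Split "user[@REALM]" into local name and realm. The NULL/empty check runs
 * before strchr(), so a NULL name is refused instead of dereferenced. */
static int user_info_init(const char *name, const char *def_realm,
                          char *local, size_t llen, char *realm, size_t rlen)
{
    if (name == NULL || name[0] == '\0')
        return EX_USER_UNKNOWN;
    const char *at = strchr(name, '@');
    size_t n = at ? (size_t)(at - name) : strlen(name);
    const char *r = (at && at[1] != '\0') ? at + 1 : def_realm;
    if (n == 0 || n >= llen || strlen(r) >= rlen)
        return EX_USER_UNKNOWN;  /* empty local part or would not fit */
    memcpy(local, name, n);
    local[n] = '\0';
    strcpy(realm, r);            /* length checked above */
    return EX_SUCCESS;
}

/* Module-side entry point: the success code alone is not trusted. */
static int authenticate(const char *typed, const char *def_realm,
                        char *local, size_t llen, char *realm, size_t rlen)
{
    const char *user = NULL;
    int rc = stub_get_user(typed, &user);
    if (rc != EX_SUCCESS)
        return rc;
    return user_info_init(user, def_realm, local, llen, realm, rlen);
}

int main(void)
{
    char l[64], r[64];
    int rc = authenticate(NULL, "EXAMPLE.COM", l, sizeof l, r, sizeof r);
    printf("NULL name -> rc=%d\n", rc);
    return rc == EX_USER_UNKNOWN ? 0 : 1;
}
```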
Setting QA_ack

Better QA steps to reproduce.
1. Enable krb5 authentication in the system
2. Enable telnet
3. Log in with telnet, not using the root ID, and hit Ctrl+D for the password
4. Trace the 'login' process PID where telnetd is its parent
5. Keep hitting Ctrl+D on the client until it terminates
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0135.html