Bug 560532 - Race condition in libsasl in multi threaded applications
Summary: Race condition in libsasl in multi threaded applications
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: cyrus-sasl
Version: 5.4
Hardware: All
OS: Linux
urgent
high
Target Milestone: rc
: ---
Assignee: Petr Lautrbach
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 559430 566875 568084 577770
 
Reported: 2010-02-01 02:32 UTC by Jatin Nansi
Modified: 2018-10-27 14:17 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 566875 577770 (view as bug list)
Environment:
Last Closed: 2013-09-23 11:00:41 UTC
Target Upstream Version:
Embargoed:


Attachments
proposed patch (409 bytes, patch)
2010-02-01 02:33 UTC, Jatin Nansi

Description Jatin Nansi 2010-02-01 02:32:45 UTC
Description of problem:
This bug blocks the autofs BZ #559430 (IT #366017). Please see that bug/IT for details about the test case, reproducer, etc.

cyrus-sasl has source code which disposes of a SASL connection's information. In the following source, "pconn" is that information.
Because "pconn" is used by multiple threads, under certain conditions sasl_dispose returns without unlocking the mutex.

--cyrus-sasl-2.1.22/lib/common.c, lines 781-804 (original source)
/* dispose connection state, sets it to NULL
 *  checks for pointer to NULL
 */
void sasl_dispose(sasl_conn_t **pconn)
{
  int result;

  if (! pconn) return;
  if (! *pconn) return;  <---#1

  /* serialize disposes. this is necessary because we can't
     dispose of conn->mutex if someone else is locked on it */
  result = sasl_MUTEX_LOCK(free_mutex);  <---#2
  if (result!=SASL_OK) return;
  
  /* *pconn might have become NULL by now */
  if (! (*pconn)) return;   <---#3

  (*pconn)->destroy_conn(*pconn);
  sasl_FREE(*pconn);
  *pconn=NULL;

  sasl_MUTEX_UNLOCK(free_mutex);
}


In the above source, there is a case where the mutex's lock isn't released.
Because the check at #1 is the same as the check at #3, a process doesn't usually return at #3. However, the process does return at #3 when "*pconn" is changed to NULL by another thread while this thread is at #2.
If the process returns at #3, the mutex's lock isn't released.

We fixed the code so that the mutex's lock is released even if the process returns at #3.

-----
   /* *pconn might have become NULL by now */
-  if (! (*pconn)) return;
+  if (! (*pconn))
+  {
+        sasl_MUTEX_UNLOCK(free_mutex);
+        return;
+  }

   (*pconn)->destroy_conn(*pconn);
   sasl_FREE(*pconn);
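Review bot: The unlock before the return at #3 closes the leak the report describes, but the function now has two exits that each have to remember to release free_mutex; folding the destroy/free/NULL work under a single `if (*pconn) { ... }` and unlocking unconditionally at the end would make the next early return unable to reintroduce the leak. The return value of sasl_MUTEX_UNLOCK is discarded on the new path just as on the existing one, so this is consistent with the surrounding code. The unlocked read of *pconn at #1 is only a fast path and is re-checked under the lock at #3, so it does not need to change. As pasted, the hunk carries no `@@` header or file header, so it cannot be applied with patch(1) as-is; the attached patch (attachment 387961) is the one to review and apply.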
------


Version-Release number of selected component (if applicable):
cyrus-sasl-2.1.22-5.el5

How reproducible:
When autofs is under high load.

Steps to Reproduce:
See BZ #559430
  
Actual results:
automount aborts when it authenticates with DIGEST-MD5.

Expected results:
Automount should not abort.

Additional info:

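Added example, not from this bug report or from cyrus-sasl: a self-contained C model of the interleaving described in the description, with the 2.1.22 control flow and the patched control flow side by side. Rather than a real second thread (whose timing is not reproducible), the competing sasl_dispose() is injected through a hook that runs in the window between check #1 and the lock at #2, which is exactly where the report says *pconn can become NULL. After the racing dispose, pthread_mutex_trylock() on the stand-in free_mutex reports whether the lock was left held. The names conn_t, lib_t, dispose_buggy, dispose_fixed and race_hook_t are assumptions made for this example and do not exist in cyrus-sasl.

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for sasl_conn_t (assumption): only the destroy callback matters here.
 * destroy_count lets the caller verify the connection was torn down exactly once. */
typedef struct conn {
    void (*destroy_conn)(struct conn *);
    int *destroy_count;
} conn_t;

static void destroy_conn(conn_t *c) { (*c->destroy_count)++; }

/* Stand-in for the library-global free_mutex of lib/common.c (assumption),
 * kept in a struct so every scenario starts with a fresh, unlocked mutex. */
typedef struct lib {
    pthread_mutex_t free_mutex;
} lib_t;

/* The hook models the competing thread: it runs between check #1 and the
 * lock at #2, the window in which *pconn can become NULL. */
typedef void (*race_hook_t)(lib_t *, conn_t **);

/* Same control flow as sasl_dispose() in cyrus-sasl 2.1.22: on the #3 path
 * the function returns while still holding free_mutex. */
static void dispose_buggy(lib_t *lib, conn_t **pconn, race_hook_t hook)
{
    if (!pconn) return;
    if (!*pconn) return;                                   /* #1: unlocked read */
    if (hook) hook(lib, pconn);                            /* other thread wins the race */
    if (pthread_mutex_lock(&lib->free_mutex) != 0) return; /* #2 */
    if (!*pconn) return;                                   /* #3: mutex left locked */
    (*pconn)->destroy_conn(*pconn);
    free(*pconn);
    *pconn = NULL;
    pthread_mutex_unlock(&lib->free_mutex);
}

/* Same flow with the proposed fix applied at #3. */
static void dispose_fixed(lib_t *lib, conn_t **pconn, race_hook_t hook)
{
    if (!pconn) return;
    if (!*pconn) return;                                   /* #1 */
    if (hook) hook(lib, pconn);
    if (pthread_mutex_lock(&lib->free_mutex) != 0) return; /* #2 */
    if (!*pconn) {                                         /* #3: release before leaving */
        pthread_mutex_unlock(&lib->free_mutex);
        return;
    }
    (*pconn)->destroy_conn(*pconn);
    free(*pconn);
    *pconn = NULL;
    pthread_mutex_unlock(&lib->free_mutex);
}

/* The competing thread's sasl_dispose(): it finds a live connection, so it
 * never reaches #3 and behaves identically under either version. */
static void other_thread_disposes(lib_t *lib, conn_t **pconn)
{
    dispose_fixed(lib, pconn, NULL);
}

/* Runs one dispose of a fresh connection with the race injected.
 * Returns 1 if free_mutex is still locked afterwards (the leak), 0 if released.
 * *destroys receives how many times the connection was destroyed. */
static int mutex_leaked_after(void (*dispose)(lib_t *, conn_t **, race_hook_t), int *destroys)
{
    lib_t lib;
    conn_t *pconn = malloc(sizeof *pconn);
    int rc, leaked;

    pthread_mutex_init(&lib.free_mutex, NULL);
    *destroys = 0;
    pconn->destroy_conn = destroy_conn;
    pconn->destroy_count = destroys;

    dispose(&lib, &pconn, other_thread_disposes);

    /* A default (non-recursive) mutex reports EBUSY from trylock even when the
     * holder is the calling thread, which is exactly the leaked state. */
    rc = pthread_mutex_trylock(&lib.free_mutex);
    leaked = (rc == EBUSY);
    if (rc == 0) {
        pthread_mutex_unlock(&lib.free_mutex);
        pthread_mutex_destroy(&lib.free_mutex); /* destroying a locked mutex is undefined */
    }
    return leaked;
}

/* 1 if the 2.1.22 flow leaks the mutex while still tearing the connection down once. */
int buggy_leaks_mutex(void)
{
    int destroys;
    int leaked = mutex_leaked_after(dispose_buggy, &destroys);
    return leaked && destroys == 1;
}

/* 1 if the patched flow releases the mutex and tears the connection down once. */
int fixed_releases_mutex(void)
{
    int destroys;
    int leaked = mutex_leaked_after(dispose_fixed, &destroys);
    return !leaked && destroys == 1;
}

int main(void)
{
    printf("2.1.22 sasl_dispose leaves free_mutex locked: %s\n", buggy_leaks_mutex() ? "yes" : "no");
    printf("patched sasl_dispose releases free_mutex:    %s\n", fixed_releases_mutex() ? "yes" : "no");
    return 0;
}
```

In the real library the leaked free_mutex means the next sasl_dispose() from any thread blocks in sasl_MUTEX_LOCK forever, which is the kind of stall a busy automount would hit; the example uses pthread_mutex_trylock() so the leak is observable instead of hanging the process. Only mutex operations are used (no pthread_create), so it links without -lpthread on glibc and musl.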
Comment 1 Jatin Nansi 2010-02-01 02:33:46 UTC
Created attachment 387961 [details]
proposed patch

Comment 2 Ian Kent 2010-02-04 05:33:19 UTC
Setting priority to high as I believe this is a high impact
customer issue.

