
Bug 560532

Summary: Race condition in libsasl in multi threaded applications
Product: Red Hat Enterprise Linux 5
Component: cyrus-sasl
Version: 5.4
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: urgent
Target Milestone: rc
Keywords: ZStream
Doc Type: Bug Fix
Reporter: Jatin Nansi <jnansi>
Assignee: Petr Lautrbach <plautrba>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: ikent, jnansi, jwest, mvadkert, plyons, sgrubb, tao
Clones: 566875, 577770
Bug Blocks: 559430, 566875, 568084, 577770
Last Closed: 2013-09-23 11:00:41 UTC

Attachments:
  proposed patch (no flags)

Description Jatin Nansi 2010-02-01 02:32:45 UTC
Description of problem:
This bug blocks the autofs BZ #559430 (IT #366017). Please see that bug/IT for details about the test case, reproducer, etc.

cyrus-sasl contains source code that disposes of a SASL connection's
information. In the following source code, "pconn" points to that information.
Because "pconn" is shared between multiple threads, under certain conditions sasl_dispose returns without unlocking the mutex.

-- cyrus-sasl-2.1.22/lib/common.c (original source, lines 781-804)
/* dispose connection state, sets it to NULL
 *  checks for pointer to NULL
 */
void sasl_dispose(sasl_conn_t **pconn)
{
  int result;

  if (! pconn) return;
  if (! *pconn) return;  <---#1

  /* serialize disposes. this is necessary because we can't
     dispose of conn->mutex if someone else is locked on it */
  result = sasl_MUTEX_LOCK(free_mutex);  <---#2
  if (result!=SASL_OK) return;
  
  /* *pconn might have become NULL by now */
  if (! (*pconn)) return;   <---#3

  (*pconn)->destroy_conn(*pconn);
  sasl_FREE(*pconn);
  *pconn=NULL;

  sasl_MUTEX_UNLOCK(free_mutex);
}


In the above source, there is a case where the mutex lock is not
released.
Because the check at #1 is the same as the check at #3, a process does not
usually return at #3. However, the process does return at #3 when "*pconn" is changed to NULL by another thread while the lock is being taken at #2.
If the process returns at #3, the mutex lock is not released.

We fixed the code so that the mutex lock is released even if the process returns at #3.

-----
   /* *pconn might have become NULL by now */
-  if (! (*pconn)) return;
+  if (! (*pconn))
+  {
+        sasl_MUTEX_UNLOCK(free_mutex);
+        return;
+  }

   (*pconn)->destroy_conn(*pconn);
   sasl_FREE(*pconn);
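Review bot: the unlock added on the `*pconn == NULL` branch is the right fix for the leak described above, since that is the only exit taken after `sasl_MUTEX_LOCK(free_mutex)` succeeds that lacks a matching `sasl_MUTEX_UNLOCK` (the return when `sasl_MUTEX_LOCK` itself fails never held the lock). What the patch does not address, and its description should say so, is that the read of `*pconn` before the lock and the `*pconn=NULL` store under it remain unsynchronized between callers, so two threads passing the same `sasl_conn_t **` to sasl_dispose is still a caller-side data race; this change only stops that race from wedging free_mutex. Style point: the new block uses 8-space indentation with the brace on its own line, while the quoted common.c uses 2-space indentation with the brace on the `if` line; matching the file would be `if (! (*pconn)) {`.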
------


Version-Release number of selected component (if applicable):
cyrus-sasl-2.1.22-5.el5

How reproducible:
When autofs is under high load.

Steps to Reproduce:
See BZ #559430
  
Actual results:
automount aborts when it authenticates with DIGEST-MD5.

Expected results:
Automount should not abort.

Additional info:

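The lock leak described in the report above, as an added example that is not cyrus-sasl code and not part of the bug report: a model of sasl_dispose() with the same control flow, using a pthread mutex in place of sasl_MUTEX_LOCK and a hook that stands in for the second thread disposing the same connection while the first waits on free_mutex, so the interleaving at #2 is deterministic rather than load-dependent. The names conn_t, dispose_buggy, dispose_fixed, mutex_available and dispose_leaves_mutex_free are assumptions of this example.

```c
/* Added example, not cyrus-sasl code: models the sasl_dispose() control flow
 * from the report with a pthread mutex standing in for sasl_MUTEX_LOCK and a
 * hook standing in for the second thread, so the race at #2 is deterministic. */
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for sasl_conn_t (assumption of this example; the real struct and
 * its destroy_conn callback do not matter for the locking logic). */
typedef struct { int id; } conn_t;

/* Called between taking free_mutex and re-checking *pconn. */
typedef void (*interleave_fn)(conn_t **pconn);

/* Simulates another thread that disposed the same connection and cleared the
 * shared pointer while this thread was waiting for free_mutex. */
static void other_thread_disposed(conn_t **pconn)
{
    free(*pconn);
    *pconn = NULL;
}

static void no_interleave(conn_t **pconn)
{
    (void)pconn;
}

/* Same shape as the quoted sasl_dispose(): the re-check at #3 returns while
 * free_mutex is still held. */
static void dispose_buggy(conn_t **pconn, pthread_mutex_t *free_mutex,
                          interleave_fn interleave)
{
    if (!pconn) return;
    if (!*pconn) return;                              /* #1: unlocked read */
    if (pthread_mutex_lock(free_mutex) != 0) return;  /* #2: lock not taken, returning is fine */
    interleave(pconn);                                /* the other thread runs here */
    if (!*pconn) return;                              /* #3: BUG, mutex left locked */
    free(*pconn);
    *pconn = NULL;
    pthread_mutex_unlock(free_mutex);
}

/* The proposed fix: every exit path after #2 releases the lock. */
static void dispose_fixed(conn_t **pconn, pthread_mutex_t *free_mutex,
                          interleave_fn interleave)
{
    if (!pconn) return;
    if (!*pconn) return;
    if (pthread_mutex_lock(free_mutex) != 0) return;
    interleave(pconn);
    if (!*pconn) {
        pthread_mutex_unlock(free_mutex);
        return;
    }
    free(*pconn);
    *pconn = NULL;
    pthread_mutex_unlock(free_mutex);
}

/* Returns 1 if the mutex can be acquired (and releases it again), 0 if it is
 * still held, -1 on any other error. trylock never blocks, so this is a safe
 * probe even when the current thread is the one holding the mutex. */
static int mutex_available(pthread_mutex_t *m)
{
    int rc = pthread_mutex_trylock(m);
    if (rc == 0) {
        pthread_mutex_unlock(m);
        return 1;
    }
    return rc == EBUSY ? 0 : -1;
}

/* Runs one dispose on a fresh connection and mutex. raced=1 injects the
 * interleaving at #2; fixed=1 uses the patched version. Returns 1 if
 * free_mutex is usable afterwards, 0 if the call leaked it. */
static int dispose_leaves_mutex_free(int fixed, int raced)
{
    pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER;
    conn_t *conn = calloc(1, sizeof *conn);
    interleave_fn il = raced ? other_thread_disposed : no_interleave;
    int ok;

    if (!conn) return -1;
    if (fixed)
        dispose_fixed(&conn, &m, il);
    else
        dispose_buggy(&conn, &m, il);

    ok = mutex_available(&m);
    if (ok == 0)
        pthread_mutex_unlock(&m);   /* recover the leaked lock so the mutex can be destroyed */
    pthread_mutex_destroy(&m);
    return ok;
}

int main(void)
{
    printf("buggy dispose, race at #2: mutex free afterwards = %d\n",
           dispose_leaves_mutex_free(0, 1));
    printf("fixed dispose, race at #2: mutex free afterwards = %d\n",
           dispose_leaves_mutex_free(1, 1));
    printf("buggy dispose, no race:    mutex free afterwards = %d\n",
           dispose_leaves_mutex_free(0, 0));
    return 0;
}
```

In the real library the leaked free_mutex is not observed by a trylock probe but by the next thread that calls sasl_dispose and blocks forever on sasl_MUTEX_LOCK, which is the hang behind the automount abort described in the report; the example keeps the same three exit points as the quoted function so the one that leaks is easy to match against #3.
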
Comment 1 Jatin Nansi 2010-02-01 02:33:46 UTC
Created attachment 387961
proposed patch

Comment 2 Ian Kent 2010-02-04 05:33:19 UTC
Setting priority to high as I believe this is a high impact
customer issue.