Bug 560532 - Race condition in libsasl in multi threaded applications
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: cyrus-sasl
Version: 5.4
Hardware: All Linux
Priority: urgent   Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Petr Lautrbach
QA Contact: BaseOS QE Security Team
Keywords: ZStream
Depends On:
Blocks: 559430 566875 568084 577770

Reported: 2010-01-31 21:32 EST by Jatin Nansi
Modified: 2013-09-23 07:00 EDT

Doc Type: Bug Fix
Clone Of:
Clones: 566875 577770
Last Closed: 2013-09-23 07:00:41 EDT

Attachments
proposed patch (409 bytes, patch)
2010-01-31 21:33 EST, Jatin Nansi
Description Jatin Nansi 2010-01-31 21:32:45 EST
Description of problem:
This bug blocks the autofs BZ #559430 (IT #366017). Please see that bug/IT for details about the test case, reproducer, etc.

cyrus-sasl contains source code which disposes of a SASL connection's
information. In the following source code, "pconn" is that information.
Because "pconn" is used by multiple threads, under certain conditions sasl_dispose returns without unlocking the mutex.

--cyrus-sasl-2.1.22/lib/common.c (original source, lines 781-805)
/* dispose connection state, sets it to NULL
 *  checks for pointer to NULL
 */
void sasl_dispose(sasl_conn_t **pconn)
{
  int result;

  if (! pconn) return;
  if (! *pconn) return;  <---#1

  /* serialize disposes. this is necessary because we can't
     dispose of conn->mutex if someone else is locked on it */
  result = sasl_MUTEX_LOCK(free_mutex);  <---#2
  if (result!=SASL_OK) return;

  /* *pconn might have become NULL by now */
  if (! (*pconn)) return;   <---#3

  (*pconn)->destroy_conn(*pconn);
  sasl_FREE(*pconn);
  *pconn=NULL;

  sasl_MUTEX_UNLOCK(free_mutex);
}

In the above source, there is a case in which the mutex's lock isn't
released.
Because the check at #1 is the same as the check at #3, a process doesn't
usually return at #3. However, the process does return at #3 when "*pconn" is changed to NULL by another thread while the process is at #2.
If the process returns at #3, the mutex's lock isn't released.

We fixed the code so that the mutex's lock is released even if the process returns at #3.

-----
   /* *pconn might have become NULL by now */
-  if (! (*pconn)) return;
+  if (! (*pconn))
+  {
+        sasl_MUTEX_UNLOCK(free_mutex);
+        return;
+  }

   (*pconn)->destroy_conn(*pconn);
   sasl_FREE(*pconn);
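Review bot: the unlock added before the early return at #3 closes the leak the report describes, but the new lines are indented eight spaces where the surrounding context (`  if (! (*pconn))`, `  (*pconn)->destroy_conn(*pconn);`) uses the file's two-space style; reindent the added block to match. The function now has two unlock sites; consider folding them into one by wrapping the destroy/free/NULL sequence in `if (*pconn) { ... }` ahead of the single sasl_MUTEX_UNLOCK(free_mutex) at the end, so that a future early return cannot reintroduce the same leak. As quoted here the hunk also carries no `---`/`+++` file header or `@@` line, so it documents the change but cannot be applied with patch(1) without the attached file.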
------


Version-Release number of selected component (if applicable):
cyrus-sasl-2.1.22-5.el5

How reproducible:
When autofs is under high load.

Steps to Reproduce:
See BZ #559430
  
Actual results:
The automount aborts when it authenticates by DIGEST-MD5.

Expected results:
Automount should not abort.

Additional info:
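The interleaving described in the report, as an added example that is not part of the bug report or of cyrus-sasl: a small pthreads model of sasl_dispose() in both its 2.1.22 form and its patched form, driven so that the second thread is guaranteed to reach check #3 with *pconn already NULL, plus a harness that checks whether free_mutex is left locked afterwards. pthread_mutex_* stands in for sasl_MUTEX_LOCK/UNLOCK and free() for sasl_FREE; the after_check1 hook, the conn_t stand-in, the worker/job harness and the function names are assumptions introduced here for the demonstration.

```c
/* Added example (not cyrus-sasl or bug-report code): a pthreads model of sasl_dispose(). */
#include <errno.h>
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdlib.h>

/* Stand-in for sasl_conn_t: only the destroy hook that sasl_dispose() calls is modelled. */
typedef struct conn { void (*destroy_conn)(struct conn *); } conn_t;
static void destroy_conn(conn_t *c) { (void)c; }

/* A pointer like the library's free_mutex; each run gets a fresh mutex, and a leaked
 * one is abandoned rather than reused, since no other thread may unlock it. */
static pthread_mutex_t *free_mutex;

/* Test hook (an assumption, not in cyrus-sasl): runs between check #1 and the lock at #2
 * so the harness can hold the losing thread exactly there. */
static void (*after_check1)(void);

/* Mirrors sasl_dispose() from cyrus-sasl 2.1.22 lib/common.c, with pthread calls in
 * place of sasl_MUTEX_LOCK/UNLOCK and free() in place of sasl_FREE. */
static void dispose_buggy(conn_t **pconn)
{
    if (!pconn) return;
    if (!*pconn) return;                               /* #1 */
    if (after_check1) after_check1();
    if (pthread_mutex_lock(free_mutex) != 0) return;  /* #2 */
    if (!*pconn) return;                               /* #3: returns with free_mutex held */
    (*pconn)->destroy_conn(*pconn);
    free(*pconn);
    *pconn = NULL;
    pthread_mutex_unlock(free_mutex);
}

/* The same function with the proposed patch applied. */
static void dispose_fixed(conn_t **pconn)
{
    if (!pconn) return;
    if (!*pconn) return;                               /* #1 */
    if (after_check1) after_check1();
    if (pthread_mutex_lock(free_mutex) != 0) return;  /* #2 */
    if (!*pconn) {                                     /* #3: release before returning */
        pthread_mutex_unlock(free_mutex);
        return;
    }
    (*pconn)->destroy_conn(*pconn);
    free(*pconn);
    *pconn = NULL;
    pthread_mutex_unlock(free_mutex);
}

/* Harness: thread B runs dispose() and flags when it is past #1. */
static atomic_int passed_check1;
static void note_passed_check1(void) { atomic_store(&passed_check1, 1); }
struct job { void (*dispose)(conn_t **); conn_t **pconn; };
static void *worker(void *arg)
{
    struct job *j = arg;
    j->dispose(j->pconn);
    return NULL;
}

/* Plays the race from the report: the caller acts as thread A, already inside the
 * critical section; B passes #1 and blocks at #2; A frees the connection and clears
 * *pconn; B then wakes and sees NULL at #3. Returns 1 if free_mutex is still held
 * afterwards (B leaked it), 0 if B released it. */
static int lock_leaked_after_race(void (*dispose)(conn_t **))
{
    conn_t *conn = malloc(sizeof *conn);
    struct job j = { dispose, &conn };
    pthread_t b;
    int leaked;

    conn->destroy_conn = destroy_conn;
    free_mutex = malloc(sizeof *free_mutex);
    pthread_mutex_init(free_mutex, NULL);
    atomic_store(&passed_check1, 0);
    after_check1 = note_passed_check1;

    pthread_mutex_lock(free_mutex);                   /* A is inside sasl_dispose */
    pthread_create(&b, NULL, worker, &j);             /* B: passes #1, blocks at #2 */
    while (!atomic_load(&passed_check1)) sched_yield();
    conn->destroy_conn(conn);                         /* A's critical section */
    free(conn);
    conn = NULL;
    pthread_mutex_unlock(free_mutex);                 /* B now reaches #3 with *pconn == NULL */
    pthread_join(b, NULL);

    leaked = (pthread_mutex_trylock(free_mutex) == EBUSY);
    if (!leaked) {
        pthread_mutex_unlock(free_mutex);
        pthread_mutex_destroy(free_mutex);
        free(free_mutex);
    }
    free_mutex = NULL;
    return leaked;
}
```

Build with -pthread. lock_leaked_after_race(dispose_buggy) returns 1: thread B returned at #3 without unlocking, so free_mutex stays held by a thread that no longer exists, and in the real library every later sasl_dispose() call that reaches #2 would block on it. lock_leaked_after_race(dispose_fixed) returns 0, because the patched early return releases the mutex first. The hook is what makes the result repeatable; without it the losing thread has to be caught between #1 and #2 by chance, which is why the report only reproduces under high load.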
Comment 1 Jatin Nansi 2010-01-31 21:33:46 EST
Created attachment 387961
proposed patch
Comment 2 Ian Kent 2010-02-04 00:33:19 EST
Setting priority to high as I believe this is a high impact
customer issue.
