Bug 722616 - rpc.gssd occasional segfault
Summary: rpc.gssd occasional segfault
Status: CLOSED DUPLICATE of bug 720479
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nfs-utils
Version: 6.1
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Steve Dickson
QA Contact: yanfu,wang
 
Reported: 2011-07-15 21:17 UTC by Steven Leikeim
Modified: 2011-08-17 12:55 UTC (History)

Doc Type: Bug Fix
Last Closed: 2011-08-17 12:55:09 UTC

Description Steven Leikeim 2011-07-15 21:17:32 UTC
Description of problem:

On first access (triggered from nfs.mount) rpc.gssd is occasionally observed to segfault.

Version-Release number of selected component (if applicable):

rpc.gssd from nfs-utils-1.2.3-7

How reproducible:

Can occur when attempting to mount an NFS filesystem with option "sec=krb5". If the first request through rpc.gssd succeeds, then no segfaults have been observed. Segfaults have only been observed on the first call through rpc.gssd.

Steps to Reproduce:
1. Start rpc.gssd
2. Attempt NFS mount with option "sec=krb5"
3.
  
Actual results:

Occasional segfault.

Expected results:

No segfault.

Additional info:

On looking at the SRPM for nfs-utils-1.2.3-7 to determine why rpc.gssd was not functioning correctly for us, a problem was noticed in the way credentials data structures are being used.

In the function limit_krb5_enctypes (file utils/gssd/krb5_util.c:1288) calls are made to gss_acquire_cred (line 1304) and gss_set_allowable_enctypes (lines 1320 & 1323) using credh. These 2 functions are using different and incompatible definitions for this structure.

In gss_acquire_cred from krb5-1.9-9 (file src/lib/gssapi/mechglue/g_acquire_cred.c:87) the structure returned to credh (above) is of type gss_union_cred_t and has the following definition in lib/gssapi/mechglue/mglueP.h (line 71):

    /*
     * Set of Credentials typed on mechanism OID
     */
    typedef struct gss_cred_id_struct {
            struct gss_cred_id_struct *loopback;
            int                     count;
            gss_OID                 mechs_array;
            gss_cred_id_t           *cred_array;
            gss_union_cred_auxinfo  auxinfo;
    } gss_union_cred_desc, *gss_union_cred_t;

In gss_set_allowable_enctypes from libgssglue-0.1-11 (g_set_allowable_enctypes.c:37) the following definition is used to access the structure (from src/mglueP.h:51 in libgssglue-0.1-11):

    /*
     * Set of Credentials typed on mechanism OID
     */
    typedef struct gss_union_cred_t {
            int                     count;
            gss_OID                 mechs_array;
            gss_cred_id_t *         cred_array;
            gss_union_cred_auxinfo  auxinfo;
    } gss_union_cred_desc, *gss_union_cred_t;

As these structures are not aligned with each other, segfaults can (and appear to) occur. In any case, incorrect data will be accessed by gss_set_allowable_enctypes. This may affect other functions and uses of these credentials.

Comment 2 Jonathan Underwood 2011-08-03 14:35:48 UTC
Just a "me too" - reproduced on a rhel 6.1 system.

Comment 3 Steve Dickson 2011-08-11 21:58:37 UTC
Would it be possible to get a backtrace of the problem?

Comment 4 Christian Cier 2011-08-12 13:30:34 UTC
Same issue on SL6.1.

Name        : nfs-utils
Arch        : i686
Epoch       : 1
Version     : 1.2.3
Release     : 7.el6

Name        : libgssglue
Arch        : i686
Version     : 0.1
Release     : 11.el6

Backtrace:
==========

#0  0xb7e4be06 in __gss_get_mechanism_cred (union_cred=0x127138, mech_type=0x120424) at g_glue.c:295
#1  0xb7e4ec17 in gss_set_allowable_enctypes (minor_status=0xbfffef2c, cred_handle=0x127138, mech_type=0x120424, num_ktypes=7, ktypes=0x126ff8) at g_set_allowable_enctypes.c:68
#2  0x00116ce8 in limit_krb5_enctypes (sec=0xbfffefac) at krb5_util.c:1349
#3  0x001148dc in create_auth_rpc_client (clp=0x1266a8, clnt_return=0xbffff46c, auth_return=0xbffff468, uid=0, authtype=0) at gssd_proc.c:862
#4  0x001160e9 in process_krb5_upcall (clp=<value optimized out>, uid=0, fd=15, tgtname=0x0, service=0x0) at gssd_proc.c:1039
#5  0x00116b93 in handle_gssd_upcall (clp=0x1266a8) at gssd_proc.c:1294
#6  0x00114466 in scan_poll_results () at gssd_main_loop.c:84
#7  gssd_run () at gssd_main_loop.c:232
#8  0x00113e89 in main (argc=2, argv=0xbffff744) at gssd.c:187

-------

Error output from rpc.gssd -fvvv:
=================================
beginning poll
dir_notify_handler: sig 37 si 0xbff2c5ac data 0xbff2c62c
dir_notify_handler: sig 37 si 0xbff2818c data 0xbff2820c
handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt32)
handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt32)
process_krb5_upcall: service is '<null>'
Full hostname for 'host.example.com' is 'host.example.com'
Full hostname for 'host.example.com' is 'host.example.com'
No key table entry found for HOST.EXAMPLE.COM$@EXAMPLE.COM while getting keytab entry for 'HOST.EXAMPLE.COM$@EXAMPLE.COM'
No key table entry found for root/host.example.com while getting keytab entry for 'root/host.example.com'
Success getting keytab entry for 'nfs/host.example.com'
Successfully obtained machine credentials for principal 'nfs/host.example.com' stored in ccache 'FILE:/tmp/krb5cc_machine_EXAMPLE.COM'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_EXAMPLE.COM' are good until 1313242027
using FILE:/tmp/krb5cc_machine_EXAMPLE.COM as credentials cache for machine creds
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_EXAMPLE.COM
creating context using fsuid 0 (save_uid 0)
Segmentation fault

Comment 5 Steve Dickson 2011-08-12 14:29:31 UTC
(In reply to comment #4)
> Same issue on SL6.1.
> 
> Name        : nfs-utils
> Arch        : i686
> Epoch       : 1
> Version     : 1.2.3
> Release     : 7.el6
> 
> Name        : libgssglue
> Arch        : i686
> Version     : 0.1
> Release     : 11.el6
> 
> Backtrace:
> ==========
> 
> #0  0xb7e4be06 in __gss_get_mechanism_cred (union_cred=0x127138,
> mech_type=0x120424) at g_glue.c:295

Would it be possible to dump the contents of both the union_cred
and mech_type structures?

Comment 6 Christian Cier 2011-08-12 15:03:04 UTC
I am not very familiar with dumping/printing those nested structs/arrays in gdb. If you need further details, please tell me the gdb commands to enter.

Program received signal SIGSEGV, Segmentation fault.
0xb7e4be06 in __gss_get_mechanism_cred (union_cred=0x127138, mech_type=0x120424) at g_glue.c:295
295             if (g_OID_equal(mech_type, &union_cred->mechs_array[i]))


union_cred:
===========
(gdb) p (struct gss_union_cred_t) *0x127138
$12 = {count = 1208632, mechs_array = 0x1, cred_array = 0x1270e8, auxinfo = {name = {length = 1232456, value = 0x2d}, name_type = 0x12de08, creation_time = -1208143224, time_rec = 1313159642,
    cred_usage = 86400}}
(gdb)


mech_type:
==========
(gdb) p mech_type
$23 = (gss_OID) 0x120424
(gdb) p (gss_OID) *0x120424
$24 = (struct gss_OID_desc_struct *) 0x9
(gdb)
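
Read against the two struct definitions quoted in the description, the dump in comment 6 is consistent with the layout mismatch: `count = 1208632` is 0x127138, the handle's own address, which is where the krb5 layout keeps `loopback`. The following is an added example, not code from nfs-utils, krb5 or libgssglue; it reproduces that misreading with simplified stand-in types, and `misread` and `starts_with_self_pointer` are hypothetical helpers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins: only field order and int/pointer sizes matter here. */
typedef struct { uint32_t length; void *elements; } oid_desc; /* for gss_OID_desc */
typedef void *cred_id;                                        /* for gss_cred_id_t */

/* Field order written by krb5-1.9 mechglue (auxinfo omitted). */
struct krb5_union_cred {
    struct krb5_union_cred *loopback;
    int       count;
    oid_desc *mechs_array;
    cred_id  *cred_array;
};

/* Field order read by libgssglue-0.1 (auxinfo omitted). */
struct glue_union_cred {
    int       count;
    oid_desc *mechs_array;
    cred_id  *cred_array;
};

/* Reinterpret the bytes behind a krb5 handle the way libgssglue would.
 * memcpy keeps the demonstration free of aliasing undefined behaviour. */
struct glue_union_cred misread(const struct krb5_union_cred *h) {
    struct glue_union_cred g;
    memcpy(&g, h, sizeof g);
    return g;
}

/* Hypothetical guard: a krb5-layout handle starts with a pointer to itself. */
int starts_with_self_pointer(const void *h) {
    const void *first;
    memcpy(&first, h, sizeof first);
    return first == h;
}

int main(void) {
    oid_desc mech = { 9, "constructed" };   /* constructed sample OID */
    cred_id  cred = NULL;
    struct krb5_union_cred real = { &real, 1, &mech, &cred };
    struct glue_union_cred seen = misread(&real);
    printf("handle=%p real count=%d\n", (void *)&real, real.count);
    printf("misread: count=%d mechs_array=%p cred_array=%p\n",
           seen.count, (void *)seen.mechs_array, (void *)seen.cred_array);
    printf("self-pointer guard: %d\n", starts_with_self_pointer(&real));
    return 0;
}
```

On a 32-bit little-endian build the misread `count` is the handle address and the misread `mechs_array` is the real count, the same pattern as the gdb output above.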

Comment 7 Christian Cier 2011-08-16 08:50:38 UTC
Just a small piece of additional information:
I have tested the same configuration of Kerberos and NFS4 on SL6.0 (latest updates installed) without any problems. The problem seems to have been introduced in 6.1.

Comment 8 Steve Dickson 2011-08-16 18:29:16 UTC
I'm having a difficult time trying to reproduce this problem,
so for the people that can reproduce this problem could you
please try the nfs-utils in:  
     http://people.redhat.com/steved/.tmp/bz722616/

to see if the problem is fixed... tia...

Comment 9 Christian Cier 2011-08-17 11:08:11 UTC
I have tested nfs-utils-1.2.3-8.el6.i686.rpm and can report that it is working now on two different machines which were affected by this problem.

In my case NFSv4 shares are now successfully mounted when using Kerberos. 

Only i686 was tested.

Comment 10 Steve Dickson 2011-08-17 12:55:09 UTC
(In reply to comment #9)
> I have tested nfs-utils-1.2.3-8.el6.i686.rpm and can report that it is working
> now on two different machines which were affected by this problem.
> 
> In my case NFSv4 shares are now successfully mounted when using Kerberos. 
> 
> Only i686 was tested.

Thank you for your time!

I'm thinking bug #720479 was the cause of this problem too... 
So I'm going to close this bug as a duplicate of bug #720479

*** This bug has been marked as a duplicate of bug 720479 ***

