734098 – mod_auth_kerb threading problems

Bug 734098 - mod_auth_kerb threading problems

Summary: mod_auth_kerb threading problems

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	mod_auth_kerb
Sub Component:
Version:	5.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Joe Orton
QA Contact:	Zbysek MRAZ
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	783228
TreeView+	depends on / blocked

Reported:	2011-08-29 13:06 UTC by Tomas Herfert
Modified:	2013-07-03 13:13 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	The mod_auth_kerb module did not use the Kerberos libraries in a thread-safe way. Therefore, if mod_auth_kerb ran under a multi-threaded Apache HTTP Server, authentication requests could terminate unexpectedly with a segmentation fault. With this update, the thread-safety problem has been fixed, and thread crashes no longer occur under these circumstances.
Clone Of:
Clones:	1298123 1332249 (view as bug list)
Environment:
Last Closed:	2013-01-08 07:32:11 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
error_log.gz (286.77 KB, application/x-sdlc) 2011-08-29 13:06 UTC, Tomas Herfert	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2013:0078	0	normal	SHIPPED_LIVE	mod_auth_kerb bug fix and enhancement update	2013-01-07 15:27:03 UTC

Description Tomas Herfert 2011-08-29 13:06:15 UTC

Created attachment 520390 [details]
error_log.gz

Description of problem:
mod_auth_kerb doesn't work properly with worker MPM.

There are the following errors in the log (please find whole error_log attached):

[Mon Aug 29 08:23:55 2011] [notice] child pid 12884 exit signal Bus error (7)
[Mon Aug 29 08:23:57 2011] [notice] child pid 12938 exit signal Segmentation fault (11)
[Mon Aug 29 08:24:02 2011] [notice] child pid 12968 exit signal Segmentation fault (11)
[Mon Aug 29 08:24:03 2011] [notice] child pid 12970 exit signal Segmentation fault (11)
*** glibc detected *** /usr/sbin/httpd.worker: double free or corruption (fasttop): 0x00002aaabc000fe0 ***
======= Backtrace: =========
/lib64/libc.so.6[0x2af75241c45f]
/lib64/libc.so.6(cfree+0x4b)[0x2af75241c8bb]
/usr/lib64/libkrb5.so.3[0x2af75378a9e8]
/etc/httpd/modules/mod_auth_kerb.so[0x2af75ab5520e]
/usr/sbin/httpd.worker(ap_run_check_user_id+0x72)[0x2af7504a3652]
/usr/sbin/httpd.worker(ap_process_request_internal+0x237)[0x2af7504a4857]
/usr/sbin/httpd.worker(ap_process_request+0x198)[0x2af7504b6058]
/usr/sbin/httpd.worker[0x2af7504b32a0]
/usr/sbin/httpd.worker(ap_run_process_connection+0x72)[0x2af7504af632]
/usr/sbin/httpd.worker[0x2af7504baaf7]
/lib64/libpthread.so.0[0x2af751f9073d]
/lib64/libc.so.6(clone+0x6d)[0x2af75247e4bd]
======= Memory map: ========


Version-Release number of selected component (if applicable):
mod_auth_kerb-5.1-3.el5
httpd-2.2.3-53.el5


How reproducible:
MPM worker, mod_auth_kerb authentication with "KrbMethodK5Passwd on". 

ab -n 1000 -c 100 -A username:password http://hostname/

Actual results:
Lot of "Failed requests" in the ab's output. Server error_log is full of errors.

If user try to open real page (with images, styles etc.) in browser, it looks broken - lot of images are missing etc.

Expected results:
No failed requests. No errors in the error_log.

Additional info:
It seems to be fixed in upstream since Oct 2 2008:
http://modauthkerb.cvs.sourceforge.net/viewvc/modauthkerb/mod_auth_kerb/src/mod_auth_kerb.c?r1=1.141&r2=1.142

Comment 1 Vojtech Juranek 2011-09-23 19:40:06 UTC

Hi, any progress with this issue? It's a blocker for us.
Thanks
Vojtech

Comment 7 Miroslav Svoboda 2012-01-23 15:39:05 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
The mod_auth_kerb module did not use the Kerberos libraries in a thread-safe way. Therefore, if mod_auth_kerb ran under a multi-threaded Apache HTTP Server, authentication requests could terminate unexpectedly with a segmentation fault. With this update, the thread-safety problem has been fixed, and thread crashes no longer occur under these circumstances.

Comment 12 errata-xmlrpc 2013-01-08 07:32:11 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0078.html

Note You need to log in before you can comment on or make changes to this bug.