When authenticating with a YubiKey, the SSSD PAM responder crashes inside sss_certmap_match_cert because the sss_certmap_ctx pointer passed to it has already been freed and its memory reused for string data from the p11_child response. The pointer value 0x6e65687475412056 decodes (little-endian) to the ASCII bytes "V Authen", which is part of the certificate label "X.509 Certificate for PIV Authentication" returned by p11_child. This confirms that the freed sss_certmap_ctx memory was reused during response parsing.

Root cause: sss_certmap_ctx is owned by the PAM request state. If the request is cancelled or completes while the asynchronous p11_child process is still running, the request state (and with it the context) is freed. When the child eventually returns and p11_child_done / parse_p11_child_response run, they call sss_certmap_match_cert with a dangling pointer. The certificate data (token name, label, or certificate contents) then occupies the freed memory.

Impact. Denial of service: the PAM responder crashes, breaking authentication in some cases. Potential privilege escalation: because an attacker controls the smartcard/YubiKey contents, they can influence the data that replaces the freed sss_certmap_ctx structure, turning this into a controlled use-after-free in a privileged, long-running process (although this looks hard to exploit).
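The following C program is an added illustration, not SSSD code and not part of the report. It does two things a practitioner would want when triaging this class of bug: it decodes a faulting pointer value as little-endian ASCII (the check that produced "V Authen" above), and it models the lifetime bug with a deterministic fake heap slot so the stale pointer value comes out exactly as reported. All names (pam_req, child_state, FAKE_CTX, heap_slot) and the struct layout are hypothetical; the layout is chosen only so that the label bytes land on the pointer field at offset 24, and the hardened variant shows one common fix (detaching the child-completion state when the request is freed), not the project's actual patch.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not SSSD code. Names (pam_req, child_state, FAKE_CTX) are
 * hypothetical; the struct layout is chosen only so the demonstration lands
 * on the same pointer value as the report. */

/* Triage check: read a faulting pointer value as eight little-endian bytes.
 * Returns 1 when every byte is printable ASCII, which is a strong sign the
 * pointer slot was overwritten by string data. out receives the 8 characters
 * (non-printable bytes shown as '.') followed by a NUL. */
int ptr_as_ascii(uint64_t v, char out[9])
{
    int all_printable = 1;
    for (int i = 0; i < 8; i++) {
        unsigned char b = (unsigned char)(v >> (8 * i));
        if (isprint(b)) {
            out[i] = (char)b;
        } else {
            out[i] = '.';
            all_printable = 0;
        }
    }
    out[8] = '\0';
    return all_printable;
}

/* Hypothetical PAM request state. Three 8-byte fields put certmap_ctx at
 * offset 24, which is where "V Authen" starts inside the label below. The
 * pointer is kept as an integer so the demo never dereferences a stale address. */
struct pam_req {
    uint64_t id;
    uint64_t flags;
    uint64_t deadline;
    uint64_t certmap_ctx;
};

#define FAKE_CTX 0x55d0c0ffee00ULL

/* Constructed p11_child response fragment (the label quoted in the report). */
static const char LABEL[] = "X.509 Certificate for PIV Authentication";

/* One deterministic heap slot shared by the freed request and the next
 * allocation, standing in for what a real allocator may do. */
static uint64_t heap_slot[8];

/* Vulnerable ordering: the request is freed while p11_child is still running,
 * the child's response string is parsed into the reused slot, and the
 * completion handler reads certmap_ctx through the stale request pointer.
 * Returns the value sss_certmap_match_cert would have received. */
uint64_t vulnerable_flow(void)
{
    struct pam_req req = { 1, 0, 0, FAKE_CTX };
    memcpy(heap_slot, &req, sizeof req);      /* request state allocated */
    /* request cancelled: slot freed, child still running */
    memcpy(heap_slot, LABEL, sizeof LABEL);   /* response parsed into the reused slot */
    /* p11_child_done: reads the request through its dangling pointer */
    struct pam_req stale;
    memcpy(&stale, heap_slot, sizeof stale);
    return stale.certmap_ctx;
}

/* Hardened ordering: the child-completion state is a separate object that
 * links back to the request. Freeing the request clears the link, so a late
 * completion sees a cancelled request and drops the response instead of
 * touching freed memory. Returns 0 when the response is dropped. */
struct child_state {
    struct pam_req *req;   /* NULL once the request is gone */
};

uint64_t hardened_flow(int cancel_before_child_done)
{
    struct pam_req req = { 2, 0, 0, FAKE_CTX };
    struct child_state st = { &req };
    if (cancel_before_child_done) {
        st.req = NULL;                 /* request destructor detaches the child */
        memset(&req, 0, sizeof req);   /* memory may be reused; nobody reads it */
    }
    /* p11_child_done */
    if (st.req == NULL)
        return 0;
    return st.req->certmap_ctx;
}

int main(void)
{
    char text[9];
    uint64_t bad = vulnerable_flow();
    ptr_as_ascii(bad, text);
    printf("stale certmap_ctx = 0x%llx (\"%s\")\n", (unsigned long long)bad, text);
    printf("hardened, cancelled: 0x%llx\n", (unsigned long long)hardened_flow(1));
    printf("hardened, normal:    0x%llx\n", (unsigned long long)hardened_flow(0));
    return 0;
}
```

The ptr_as_ascii check is the quick way to confirm from a core dump or backtrace alone that a crashing pointer carries attacker-influenced text rather than a random heap address; a value like 0x55d0c0ffee00 fails the check because of its NUL and high bytes, while the reported value passes. The hardened variant is only one way to close the window: holding a reference to sss_certmap_ctx from the child state, or cancelling the child request when the parent request is freed, would also work, and which one fits depends on how the real request hierarchy is built.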