Bug#512410: openssh-server: sshd segfaults (suppose libc or libpam-mount related)

To: "Livingston\, John A" <john.a.livingston@boeing.com>
Cc: "512410\@bugs.debian.org" <512410@bugs.debian.org>, "Robertson\, Matthew L" <Matthew.L.Robertson@boeing.com>, hartmans@debian.org
Subject: Bug#512410: openssh-server: sshd segfaults (suppose libc or libpam-mount related)
From: Russ Allbery <rra@debian.org>
Date: Wed, 06 Jun 2012 14:40:30 -0700
Message-id: <8762b4ruep.fsf@windlord.stanford.edu>
Reply-to: Russ Allbery <rra@debian.org>, 512410@bugs.debian.org
In-reply-to: <B92494FB-5CF5-4220-9063-DEC1AF1156B7@boeing.com> (John A. Livingston's message of "Wed, 6 Jun 2012 16:28:27 -0500")
References: <20120604215444.28606.41987.reportbug@khorium.exmeritus.com> <871uluybhr.fsf@windlord.stanford.edu> <44A1F1CF-AA98-40C6-8264-2658B5F4537C@boeing.com> <87ehpstear.fsf@windlord.stanford.edu> <6A1F4476-0A87-41EF-888D-4FA4BA43AE54@boeing.com> <87mx4grwbt.fsf@windlord.stanford.edu> <B92494FB-5CF5-4220-9063-DEC1AF1156B7@boeing.com>

"Livingston, John A" <john.a.livingston@boeing.com> writes:
> On Jun 6, 2012, at 4:59 PM, Russ Allbery wrote:

>> Can you try running sshd -d under valgrind and see if it can spot where
>> the memory corruption is happening?

> Below are two valgrind runs (without and with -v, depending on how much
> address spam you'd like to read) with password auth being attempted. In
> general kfree.c around line 400 seems fraught with danger.

Aha!  Do you have the keytab PAM option set either in the PAM
configuration or in krb5.conf?

MIT Kerberos appears to have a bug where krb5_verify_init_creds
unconditionally frees the server krb5_principal argument even if it was
passed in by the caller, resulting in a double-free in the pam-krb5 module
when the keytab option is set.

This bug appears to have been introduced in commit
caf1fdd98690019d9ac9f56125f4916cfbdfd2d4 which was applied as a patch in
the krb5 package in Debian even though that change wasn't in 1.10.1.  It
looks like that bug isn't in any released version of Kerberos, but the
Debian package will need a new release to fix it.  I'll copy Sam so that
he's aware and also file an upstream bug.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Bug#512410: openssh-server: sshd segfaults (suppose libc or libpam-mount related)
  - From: "Livingston, John A" <john.a.livingston@boeing.com>

References:
- Bug#512410: openssh-server: sshd segfaults (suppose libc or libpam-mount related)
  - From: John Livingston <John.A.Livingston@boeing.com>
- Bug#512410: openssh-server: sshd segfaults (suppose libc or libpam-mount related)
  - From: Russ Allbery <rra@debian.org>
- Bug#512410: openssh-server: sshd segfaults (suppose libc or libpam-mount related)
  - From: "Livingston, John A" <john.a.livingston@boeing.com>
- Bug#512410: openssh-server: sshd segfaults (suppose libc or libpam-mount related)
  - From: Russ Allbery <rra@debian.org>
- Bug#512410: openssh-server: sshd segfaults (suppose libc or libpam-mount related)
  - From: "Livingston, John A" <john.a.livingston@boeing.com>
- Bug#512410: openssh-server: sshd segfaults (suppose libc or libpam-mount related)
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Bug#512410: openssh-server: sshd segfaults (suppose libc or libpam-mount related)
Next by Date: Bug#512410: openssh-server: sshd segfaults (suppose libc or libpam-mount related)
Previous by thread: Bug#512410: openssh-server: sshd segfaults (suppose libc or libpam-mount related)
Next by thread: Bug#512410: openssh-server: sshd segfaults (suppose libc or libpam-mount related)
Index(es):
- Date
- Thread