• crash in krb5kdc

    From Sushmita Bhattacharya@21:1/5 to All on Thu Apr 1 05:26:33 2021
    Hi,

    I am facing an issue with a Kerberos(krb5kdc) crash in process_tgs_req function, krb5 version 1.15.1. Backtrace below:-

    (gdb) bt
    #0 0x00007fec38d8d387 in raise () from /lib64/libc.so.6
    #1 0x00007fec38d8ea78 in abort () from /lib64/libc.so.6
    #2 0x00007fec38d861a6 in __assert_fail_base () from /lib64/libc.so.6
    #3 0x00007fec38d86252 in __assert_fail () from /lib64/libc.so.6
    #4 0x00007fec3046d353 in ldap_get_values_len () from
    /lib64/libldap_r-2.4.so.2
    #5 0x00007fec3201422e in ipadb_ldap_attr_to_int () from /usr/lib64/krb5/plugins/kdb/ipadb.so
    #6 0x00007fec320173cb in ipadb_parse_ldap_entry () from /usr/lib64/krb5/plugins/kdb/ipadb.so
    #7 0x00007fec3201832b in ipadb_get_principal () from /usr/lib64/krb5/plugins/kdb/ipadb.so
    #8 0x00007fec3a918bb7 in krb5_db_get_principal () from /lib64/libkdb5.so.8
    #9 0x000056443d95fff2 in kdc_get_server_key ()
    #10 0x000056443d9603ce in kdc_process_tgs_req ()
    #11 0x000056443d95ac97 in process_tgs_req ()
    #12 0x000056443d958df3 in dispatch ()
    #13 0x000056443d96c950 in process_tcp_connection_read ()
    #14 0x00007fec39127b48 in verto_fire () from /lib64/libverto.so.1
    #15 0x00007fec31242b13 in tevent_common_invoke_fd_handler () from /lib64/libtevent.so.0
    #16 0x00007fec31249087 in epoll_event_loop_once () from /lib64/libtevent.so.0 #17 0x00007fec31247057 in std_event_loop_once () from /lib64/libtevent.so.0
    #18 0x00007fec3124225d in _tevent_loop_once () from /lib64/libtevent.so.0
    #19 0x00007fec3912731f in verto_run () from /lib64/libverto.so.1
    #20 0x000056443d957af6 in main ()
    (gdb) q


    We observed this crash with kerberos version 1.15.1.

    The issue is that the ldap handle passed from function process_tgs_req , to function ipadb_parse_ldap_entry and eventually to openldap, is an invalid LDAP handle. Hence there is an assert failure in function ldap_get_values_len.


    (gdb) f 4
    #4 0x00007fec3046d353 in ldap_get_values_len (ld=ld@entry=0x56443f44b850, entry=entry@entry=0x56443f5c4fe0,
    target=target@entry=0x7fec3202192b "krbTicketFlags") at getvalues.c:98
    98 assert( LDAP_VALID( ld ) );
    (gdb) p ld->ldc->ldc_options.ldo_valid
    $1 = -17435
    (gdb) p/x ld->ldc->ldc_options.ldo_valid
    $2 = 0xbbe5
    (gdb) f 5
    #5 0x00007fec3201422e in ipadb_ldap_attr_to_int (lcontext=lcontext@entry=0x56443f44b850, le=le@entry=0x56443f5c4fe0,
    attrname=attrname@entry=0x7fec3202192b "krbTicketFlags", result=result@entry=0x7ffcdd2accc4) at ipa_kdb_common.c:383
    383 vals = ldap_get_values_len(lcontext, le, attrname);

    (gdb) f 7
    #7 0x00007fec3201832b in ipadb_get_principal (kcontext=0x56443f47b920, search_for=<optimized out>, flags=8192, entry=0x7ffcdd2acec8)
    at ipa_kdb_principals.c:1311
    1311 kerr = ipadb_parse_ldap_entry(kcontext, principal, lentry, entry, &pol);
    (gdb)


    Any ideas on this issue ? Is there a specific fix available ? It looks like someone reported a similar crash here : https://pagure.io/freeipa/issue/5633, but there was no fix documented, and it got closed as there was insufficient info. Any help will be
    much appreciated.

    Thanks,
    Sushmita

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Robbie Harwood@21:1/5 to Sushmita Bhattacharya on Fri Apr 2 11:41:15 2021
    To: kerberos@mit.edu (kerberos@mit.edu)

    Sushmita Bhattacharya <sushmita.bhattacharya@oracle.com> writes:

    Any ideas on this issue ? Is there a specific fix available ? It looks
    like someone reported a similar crash here : https://pagure.io/freeipa/issue/5633, but there was no fix documented,
    and it got closed as there was insufficient info. Any help will be
    much appreciated.

    Hi Sushmita, this is an ipa-kdb problem and so you might have more luck
    on the ipa lists. However, my understanding is that it has to do with
    IPA disconnecting from 389ds - libldap basically does `assert(connection
    != NULL;` and that's the crash. Some attempts to fix it have been made
    (like [1]); whether they're complete hasn't been determined yet.

    Thanks,
    --Robbie

    1: https://pagure.io/freeipa/c/95822c7953ea9f64976908bfd901450bf283c74e

    -----BEGIN PGP SIGNATURE-----

    iQJIBAEBCgAyFiEEA5qc6hnelQjDaHWqJTL5F2qVpEIFAmBnOxwUHHJoYXJ3b29k QHJlZGhhdC5jb20ACgkQJTL5F2qVpEIkEA/9HODlq9uSC+6bj3AqAB8DQFRvRukz 2p5YAYrnIOnAdz8lSu9bODWfRcVoQrqd3LVaHgS524MPKDq5c508kyLR32Eo6jiR aFVOYgz6UHagam9mdC2ARROPrshrMUzqqteOxRH0IUMORVRfvarD6O65Fgc0uFWq P5X9jTrMZvVeNlGYOTx1WUOvOYt3QdxNMhmQydw/OZciprN7YxXk+1qawjBepd97 vFK2MLwwv7W5tAjALqjQqCkIfYjKdWEbokl7Za8JCfN8Dvc2BNiuJ7kx4hxCMcPc o4F7qnBUFiv+P5S5RGqsKhxdQEc+0dmH3s6r6CpsMC16JMkNno4mkBP4okJ8uTZa h23ssRuDP2IT++cafL6zhdAb8AkSWceU8iUMKbR4wT9mn6/wukI77tWCfFYJZbsq BSUi59xAfCcGjYmxsflCvDm+7CfkF2dyKH8vHwEBAc1516sY17Yc61PWAtcYqgAU MKOmYS2nFVrvh5YT/ioDW1EsmoLd7XzerRklFEAvrfamHKpcbBtT8cXjjew/usfC reVqXx8/2wNdesCETRy/K/+AZ9LsMb9IONfNesajXEMxLYppgLBvSPeLM6yjNKto eEOv5f34KNZrmthNO9L8xsZuRsQxIp0gZ2xfuix2wRo3JRdh8OHrEVCArVR+qPxZ ZJffC3ucHm09pRs=
    =/obt
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)