"krb5-auth-dialog --auto" segfaults on startup

Bug #1700468 reported by Daniel Richard G. on 2017-06-26
This bug affects 1 person
Affects: krb5-auth-dialog (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

This concerns krb5-auth-dialog 3.12.0-2 in Ubuntu Xenial.

When the program is invoked with the --auto option, it briefly maps the systray icon, and then segfaults.

Here is a GDB session running on a debug build of the original package source:

$ gdb --args /tmp/krb5-auth-dialog-3.12.0/debian/krb5-auth-dialog/usr/bin/krb5-auth-dialog --auto
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /tmp/krb5-auth-dialog-3.12.0/debian/krb5-auth-dialog/usr/bin/krb5-auth-dialog...done.
(gdb) r
Starting program: /tmp/krb5-auth-dialog-3.12.0/debian/krb5-auth-dialog/usr/bin/krb5-auth-dialog --auto
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe9bf6700 (LWP 28626)]
[New Thread 0x7fffe93f5700 (LWP 28627)]
[New Thread 0x7fffe3fff700 (LWP 28630)]
[New Thread 0x7fffe37fe700 (LWP 28631)]

Thread 1 "krb5-auth-dialo" received signal SIGSEGV, Segmentation fault.
0x00007ffff7928b8f in krb5_cc_resolve (context=0x9f58a0, name=0x96f600 "am",
    id=0x7fffffffda60) at cache.c:270
270 cache.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7928b8f in krb5_cc_resolve (context=0x9f58a0,
    name=0x96f600 "am", id=0x7fffffffda60) at cache.c:270
#1 0x00000000004095b2 in ka_get_tgt_from_ccache (context=0x9f58a0,
    creds=0x7fffffffdb60)
    at /tmp/krb5-auth-dialog-3.12.0/./src/ka-kerberos.c:886
#2 0x0000000000407d4b in credentials_expiring_real (applet=0x6be190)
    at /tmp/krb5-auth-dialog-3.12.0/./src/ka-kerberos.c:216
#3 0x0000000000408895 in credentials_expiring (data=0x6be190)
    at /tmp/krb5-auth-dialog-3.12.0/./src/ka-kerberos.c:520
#4 0x00000000004088e4 in credentials_expiring_once (data=0x6be190)
    at /tmp/krb5-auth-dialog-3.12.0/./src/ka-kerberos.c:536
#5 0x00007ffff604e04a in g_main_context_dispatch ()
   from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#6 0x00007ffff604e3f0 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#7 0x00007ffff604e49c in g_main_context_iteration ()
   from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#8 0x00007ffff6615e30 in g_application_run ()
   from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#9 0x000000000040c4b9 in main (argc=2, argv=0x7fffffffdee8)
    at /tmp/krb5-auth-dialog-3.12.0/./src/ka-applet.c:1235
(gdb) p context
$1 = (krb5_context) 0x9f58a0
(gdb) p *context
$2 = {etypes = 0x80101026c, etypes_des = 0x35000002b8,
  as_etypes = 0x500730106, tgs_etypes = 0x33312e313a,
  permitted_enctypes = 0x700750105, default_realms = 0x7328610500670108,
  max_skew = 10611, kdc_timeout = 17187406087, host_timeout = 825110842,
  max_retries = 7536896, kdc_sec_offset = 23, kdc_usec_offset = 778531439,
  cf = 0x522e69707374612e, et_list = 0x79727473696765,
  warn_dest = 0x2400730102, debug_dest = 0x793131612e67726f,
  cc_ops = 0x442e69707374612e, num_cc_ops = 1667855973,
  http_proxy = 0x6f72746e6f43746e <error: Cannot access memory at address 0x6f72746e6f43746e>,
  time_fmt = 0x72656c6c <error: Cannot access memory at address 0x72656c6c>,
  log_utc = 7536899,
  default_keytab = 0x6369766544746547 <error: Cannot access memory at address 0x6369766544746547>,
  default_keytab_modify = 0x694c746e65764565 <error: Cannot access memory at address 0x694c746e65764565>, use_admin_kdc = 1852142707,
  extra_addresses = 0x1000100, scan_interfaces = 1, srv_lookup = 1,
  srv_try_txt = 0, fcache_vno = 0, num_kt_types = 6, kt_types = 0x96ff70,
  date_fmt = 0x7ffff796b758 "%Y-%m-%d", error_string = 0x0, error_code = 0,
  ignore_addresses = 0x0, default_cc_name = 0x96f600 "am",
  default_cc_name_env = 0x0, default_cc_name_set = 0, mutex = 0x9f4720,
  large_msg_size = 1400, max_msg_size = 1024000, tgs_negative_timeout = 0,
  flags = 39, send_to_kdc = 0x0, hx509ctx = 0x0, num_kdc_requests = 0,
  name_canon_rules = 0x0}

As you can see, the Kerberos context object appears not to have been properly initialized.
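Added worked example, not part of the bug report or of the krb5-auth-dialog project: the garbage in the "p *context" dump above is itself a clue. Byte for byte, most of the pointer-sized fields sit in the 0x20-0x7e range, which is what a struct looks like when its block has been freed and handed back out by the allocator for string data. The script below takes the field values copied from the dump as its (constructed) input, re-reads each one as little-endian bytes and keeps only the ones that are printable ASCII. It assumes the 8-byte little-endian layout of the x86_64 target shown in the GDB banner; which library wrote the recovered strings is an inference from their content, not something the report states.

```python
"""Re-read pointer-sized fields from a GDB struct dump as little-endian ASCII.

Added example for triaging the `p *context` output in this report; it is not
code from the bug report or from krb5-auth-dialog.
"""
from __future__ import annotations

import re
import string

# Constructed input: field values copied from the `p *context` dump in the
# report. Decimal fields are ints in the struct, hex fields are pointers.
GDB_DUMP = """
etypes = 0x80101026c, etypes_des = 0x35000002b8,
cf = 0x522e69707374612e, et_list = 0x79727473696765,
warn_dest = 0x2400730102, debug_dest = 0x793131612e67726f,
cc_ops = 0x442e69707374612e, num_cc_ops = 1667855973,
http_proxy = 0x6f72746e6f43746e <error: Cannot access memory at address 0x6f72746e6f43746e>,
time_fmt = 0x72656c6c <error: Cannot access memory at address 0x72656c6c>,
default_keytab = 0x6369766544746547 <error: Cannot access memory at address 0x6369766544746547>,
default_keytab_modify = 0x694c746e65764565 <error: Cannot access memory at address 0x694c746e65764565>, use_admin_kdc = 1852142707,
default_cc_name = 0x96f600 "am",
"""

# Matches "name = 0x..." or "name = 123". The "<error: ...>" annotations never
# match because they contain no " = ".
FIELD_RE = re.compile(r"(\w+) = (0x[0-9a-fA-F]+|-?\d+)")

# Printable ASCII including space, excluding control whitespace.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def word_to_ascii(value: int, width: int = 8) -> str:
    """Return the little-endian bytes of value as text, or "" if any byte is
    not printable ASCII. Trailing NULs are stripped so a 4-byte int sitting
    in an 8-byte slot (num_cc_ops, use_admin_kdc) decodes as well.
    width=8 assumes a 64-bit little-endian target (x86_64 here)."""
    if value < 0 or value >= 1 << (8 * width):
        return ""
    raw = value.to_bytes(width, "little").rstrip(b"\0")
    text = raw.decode("ascii", errors="replace")
    if not text or any(ch not in PRINTABLE for ch in text):
        return ""
    return text


def decode_dump(dump: str, min_len: int = 3) -> list[tuple[str, str]]:
    """Every (field, text) pair in the dump whose value reads as ASCII of at
    least min_len characters. One- or two-letter hits are usually
    coincidence and are dropped."""
    hits = []
    for name, literal in FIELD_RE.findall(dump):
        text = word_to_ascii(int(literal, 0))
        if len(text) >= min_len:
            hits.append((name, text))
    return hits


if __name__ == "__main__":
    for field, text in decode_dump(GDB_DUMP):
        print(f"{field:22s} {text!r}")
```

Run stand-alone it prints the fields that decode, and the fragments read "org.a11y", ".atspi.R"/"egistry", ".atspi.D"/"evic", "GetDevic"/"eEventLi"/"sten" and "ntContro"/"ller": the D-Bus names of the AT-SPI accessibility bus that a GTK client connects to. That reading is consistent with the valgrind result reported further down the thread (every error is an access within freed memory): the krb5_context the applet is still holding has been freed and its block reused, so the "am" and, in the 3.20 run, "Broadway" (a GDK backend name) that krb5_cc_resolve is passed as a cache name are just whatever now occupies the old default_cc_name slot. That is why the fix named in the changelog is a validity check on the context (kcontext_valid) before any krb5_* call on it rather than a change inside libkrb5.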

Revision history for this message
Guido Günther (agx) wrote :

But it seems ka_krb5_context_init got called (you can check kcontext_valid == TRUE), so in this case it got corrupted. Any chance you can check 3.20?

Revision history for this message
Daniel Richard G. (skunk) wrote :

I'm afraid I see the same failure mode with 3.20. The GDB session is
below.

(You're not able to reproduce this? This is a system with all the
Kerberos infrastructure, but a local-only user---no KRB* envvars set)

$ gdb --args /tmp/krb5-auth-dialog-3.20.0/_build/src/krb5-auth-dialog --auto
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /tmp/krb5-auth-dialog-3.20.0/_build/src/krb5-auth-dialog...done.
(gdb) r
Starting program: /tmp/krb5-auth-dialog-3.20.0/_build/src/krb5-auth-dialog --auto
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe9bf6700 (LWP 5105)]
[New Thread 0x7fffe93f5700 (LWP 5106)]
[New Thread 0x7fffe895a700 (LWP 5107)]
[New Thread 0x7fffdbdb9700 (LWP 5108)]

Thread 1 "krb5-auth-dialo" received signal SIGSEGV, Segmentation fault.
0x00007ffff7928b8f in krb5_cc_resolve (context=0x99df40,
    name=0x95a130 "Broadway", id=0x7fffffffda90) at cache.c:270
270 cache.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7928b8f in krb5_cc_resolve (context=0x99df40,
    name=0x95a130 "Broadway", id=0x7fffffffda90) at cache.c:270
#1 0x0000000000409aae in ka_get_tgt_from_ccache (context=0x99df40,
    creds=0x7fffffffdb90) at ../../src/ka-kerberos.c:897
#2 0x000000000040804c in credentials_expiring_real (applet=0x6c7190)
    at ../../src/ka-kerberos.c:227
#3 0x0000000000408c2e in credentials_expiring (data=0x6c7190)
    at ../../src/ka-kerberos.c:531
#4 0x0000000000408cc7 in credentials_expiring_once (data=0x6c7190)
    at ../../src/ka-kerberos.c:547
#5 0x00007ffff604e04a in g_main_context_dispatch ()
   from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#6 0x00007ffff604e3f0 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#7 0x00007ffff604e49c in g_main_context_iteration ()
   from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#8 0x00007ffff6615e30 in g_application_run ()
   from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#9 0x000000000040cd28 in main (argc=2, argv=0x7fffffffdf18)
    at ../../src/ka-applet.c:1252
(gdb) up
#1 0x0000000000409aae in ka_get_tgt_from_ccache (context=0x99df40,
    creds=0x7fffffffdb90) at ../../src/ka-kerberos.c:897
897 if (krb5_cc_default (context, &ccache))
(gdb) p kcontext_valid
$1 = 0
(gdb)

Revision history for this message
Guido Günther (agx) wrote :

I can't reproduce this here, neither when linked against MIT (as in Debian) nor when linked against Heimdal (as in Xenial). Can you do a

    G_MESSAGES_DEBUG=all ./src/krb5-auth-dialog -a

maybe this shows something interesting before the crash.

Revision history for this message
Daniel Richard G. (skunk) wrote :

Hunh. How odd... I can't imagine that there would be something particular to this system that is causing the crash. As you requested:

skunk@darkstar:/tmp/krb5-auth-dialog-3.20.0/_build/src$ G_MESSAGES_DEBUG=all ./krb5-auth-dialog -a
(krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: principal:
(krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: pk-userid:
(krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: pk-anchors:
(krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: pw-prompt-mins: 30
(krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: tgt-forwardable: False
(krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: tgt-proxiable: False
(krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: tgt-renewable: False
(krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: conf-tickets: False
(krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: principal:
(krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: pk-userid:
(krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: pk-anchors:
(krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: pw-prompt-mins: 30
(krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: tgt-forwardable: False
(krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: tgt-proxiable: False
(krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: tgt-renewable: False
(krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: conf-tickets: False
(krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_local_command_line: Parsing local command line
(krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_startup: Primary application
(krb5-auth-dialog:16500): Gtk-DEBUG: Connecting to session manager
(krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_nm_client_state_changed_cb: Network connected
(krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: monitor_ccache: Monitoring /tmp/krb5cc_1000
(krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_command_line: Evaluating command line
(krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: credentials_expiring: Checking expiry <1800s
Segmentation fault (core dumped)

Revision history for this message
Guido Günther (agx) wrote : Re: [Bug 1700468] Re: "krb5-auth-dialog --auto" segfaults on startup

On Tue, Jun 27, 2017 at 07:49:07PM -0000, Daniel Richard G. wrote:
> Hunh. How odd... I can't imagine that there would be something
> particular to this system that is causing the crash. As you requested:
>
> skunk@darkstar:/tmp/krb5-auth-dialog-3.20.0/_build/src$ G_MESSAGES_DEBUG=all ./krb5-auth-dialog -a
> (krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: principal:
> (krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: pk-userid:
> (krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: pk-anchors:
> (krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: pw-prompt-mins: 30
> (krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: tgt-forwardable: False
> (krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: tgt-proxiable: False
> (krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: tgt-renewable: False
> (krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: conf-tickets: False
> (krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: principal:
> (krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: pk-userid:
> (krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: pk-anchors:
> (krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: pw-prompt-mins: 30
> (krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: tgt-forwardable: False
> (krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: tgt-proxiable: False
> (krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: tgt-renewable: False
> (krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_set_property: conf-tickets: False
> (krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_local_command_line: Parsing local command line
> (krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_startup: Primary application
> (krb5-auth-dialog:16500): Gtk-DEBUG: Connecting to session manager
> (krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_nm_client_state_changed_cb: Network connected
> (krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: monitor_ccache: Monitoring /tmp/krb5cc_1000
> (krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: ka_applet_command_line: Evaluating command line
> (krb5-auth-dialog:16500): KrbAuthDialog-DEBUG: credentials_expiring: Checking expiry <1800s

That looks sane.

> Segmentation fault (core dumped)

That still doesn't. Does running under valgrind's memcheck yield
anything?

    valgrind /usr/bin/krb5-auth-dialog

It might make sense to either build with debugging symbols or install
the distro's krb5-auth-dialog-dbsym package.
Cheers,
 -- Guido


Revision history for this message
Daniel Richard G. (skunk) wrote :

Attached is a Valgrind log file produced from a debug build of k-a-d version 3.20.0.

All the errors appear to be accesses within freed memory...

Revision history for this message
Guido Günther (agx) wrote :

Hi Daniel,
On Fri, Jun 30, 2017 at 04:39:15AM -0000, Daniel Richard G. wrote:
> Attached is a Valgrind log file produced from a debug build of k-a-d
> version 3.20.0.
>
> All the errors appear to be accesses within freed memory...

Yeah, that looks suspicious. Can you either post (or send via private
mail) the output of "klist -v"?

>
> ** Attachment added: "kad-valgrind-log.txt"
> https://bugs.launchpad.net/ubuntu/+source/krb5-auth-dialog/+bug/1700468/+attachment/4906188/+files/kad-valgrind-log.txt
>

Revision history for this message
Daniel Richard G. (skunk) wrote :

Hi Guido, I think you mean "klist -V" (uppercase) :-)

On the system in question, that returns

    $ klist -V
    Kerberos 5 version 1.13.2

Revision history for this message
Guido Günther (agx) wrote :

Hi Daniel,
On Wed, Jul 05, 2017 at 10:38:35PM -0000, Daniel Richard G. wrote:
> Hi Guido, I think you mean "klist -V" (uppercase) :-)
>
> On the system in question, that returns
>
> $ klist -V
> Kerberos 5 version 1.13.2

That's useful too, but I meant "klist -v" to get your ticket details.


Revision history for this message
Daniel Richard G. (skunk) wrote :

Er...

    $ klist -v
    klist: invalid option -- 'v'
    Usage: klist [-e] [-V] [[-c] [-l] [-A] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] [name]
    [...]

Remember, the segfault occurs with a user that is local-only. Kerberos infrastructure is installed on the system, but the user has no Kerberos tickets, no Kerberos envvars set, no cache file, nothing at all.

    $ klist
    klist: Credentials cache file '/tmp/krb5cc_1000' not found

Revision history for this message
Guido Günther (agx) wrote :

On Thu, Jul 06, 2017 at 08:33:06PM -0000, Daniel Richard G. wrote:
> Er...
>
> $ klist -v
> klist: invalid option -- 'v'
> Usage: klist [-e] [-V] [[-c] [-l] [-A] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] [name]
> [...]
>
> Remember, the segfault occurs with a user that is local-only. Kerberos
> infrastructure is installed on the system, but the user has no Kerberos
> tickets, no Kerberos envvars set, no cache file, nothing at all.
>
> $ klist
> klist: Credentials cache file '/tmp/krb5cc_1000' not found

I can reproduce this now and this

    https://git.gnome.org/browse/krb5-auth-dialog/commit/?id=23ba826890d60c3c556a8d1a021e97b8d3fb416c

fixes it for me.

Revision history for this message
Daniel Richard G. (skunk) wrote :

Confirmed that this fixes the segfault for me when applied to version 3.20.0. Thanks :)

(Figured this would be easy to reproduce...)

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package krb5-auth-dialog - 3.20.0-3

---------------
krb5-auth-dialog (3.20.0-3) unstable; urgency=medium

  * [5a7fe1c] Don't depend on unused libnm-glib-dev (Closes: #823568)
  * [1455a30] credentials_expiring_real: check if kcontext is valid
    (LP: #1700468)
  * [2593f51] Bump standards version to 4.0.0
  * [cc2b1c0] Bump standards version to 3.9.8
  * [083647b] Switch to debhelper 10
  * [f92d782] Use https vcs urls.

 -- Guido Günther <email address hidden> Fri, 07 Jul 2017 10:11:16 +0200

Changed in krb5-auth-dialog (Ubuntu):
status: New → Fix Released