SPNEGO crash on mechanism failure

Bug #1648901 reported by dwmw2
This bug affects 6 people
Affects          Status          Importance   Assigned to        Milestone
krb5 (Ubuntu)    Fix Released    Medium       Unassigned
Xenial           Fix Released    Medium       Eric Desrochers

Bug Description

== SRU JUSTIFICATION ==

[Impact]

* Chrome (and other things) crash (segfault) when Kerberos fails to authenticate.

Thread 22 "Chrome_IOThread" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffdd687700 (LWP 14851)]
spnego_gss_inquire_context (minor_status=0x7fffdd68573c, context_handle=0x0, src_name=0x7fffdd685670, targ_name=0x7fffdd685668,
    lifetime_rec=0x7fffdd685738, mech_type=0x7fffdd685660, ctx_flags=0x7fffdd685734, locally_initiated=0x7fffdd685730, opened=0x7fffdd68572c)
    at ../../../../src/lib/gssapi/spnego/spnego_mech.c:2315
2315 ../../../../src/lib/gssapi/spnego/spnego_mech.c: No such file or directory.
(gdb) bt
#0 spnego_gss_inquire_context (minor_status=0x7fffdd68573c, context_handle=0x0, src_name=0x7fffdd685670, targ_name=0x7fffdd685668,
    lifetime_rec=0x7fffdd685738, mech_type=0x7fffdd685660, ctx_flags=0x7fffdd685734, locally_initiated=0x7fffdd685730, opened=0x7fffdd68572c)
    at ../../../../src/lib/gssapi/spnego/spnego_mech.c:2315
#1 0x00007fffef72be54 in gss_inquire_context (minor_status=0x7fffdd68573c, context_handle=<optimized out>, src_name=0x7fffdd685788,
    targ_name=0x7fffdd685750, lifetime_rec=0x7fffdd685738, mech_type=0x7fffdd685780, ctx_flags=0x7fffdd685734, locally_initiated=0x7fffdd685730,
    opened=0x7fffdd68572c) at ../../../../src/lib/gssapi/mechglue/g_inq_context.c:114

* context_handle=0x0: the segfault occurs when trying to dereference a null pointer.

[Test Case]

 * Reproducer

See comment #3 by dwmw2 (the reporter of the bug):
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1648901/comments/3

[Regression Potential]

 * None expected; the Y and Z releases already have the krb5 upstream patch.
 * Debian has the patch as well.
 * A test package has been tested by more than one user with success (the crash can't be reproduced anymore).

[Other Info]

 * Upstream fix:
https://github.com/krb5/krb5/commit/3beb564cea3d219efcf71682b6576cad548c2d23

 * Pull Request:
https://github.com/krb5/krb5/pull/385

 * Chrome Bug:
https://bugs.chromium.org/p/chromium/issues/detail?id=554905

 * A test package including the upstream commit has been proven to fix the crash. See: https://bugs.launchpad.net/ubuntu/xenial/+source/krb5/+bug/1648901/comments/9

==

[Original Description]

Chrome (and other things) crash when Kerberos fails to authenticate:
https://bugs.chromium.org/p/chromium/issues/detail?id=554905

This was fixed in MIT krb5 in January:
https://github.com/krb5/krb5/pull/385

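The backtrace above shows the mechglue layer (g_inq_context.c) dispatching into spnego_gss_inquire_context with context_handle=0x0. The C model below is added here as an illustration; it is not krb5 source and not the patch referenced in this bug. It mirrors only the shape of that dispatch: a union context wrapping a mechanism context, a handshake step that fails and leaves the internal pointer NULL, and the two places a check belongs (the glue layer refusing to dispatch on a NULL internal context, and the application checking the major status before it inquires a handle). Every type and function name carries a model_ prefix and is an assumption; the GSS status macros are reduced re-definitions of the RFC 2744 layout rather than the system gssapi.h.

```c
/* Illustrative model of the NULL-dereference path in this bug.
 * NOT krb5 code: model_* names, structs and the status macros are
 * assumptions that mirror only the mechglue -> mechanism shape. */
#include <stddef.h>
#include <stdint.h>

typedef uint32_t OM_uint32;

/* Major-status layout modeled on RFC 2744: routine errors live in bits 16..23. */
#define MODEL_ROUTINE_ERROR_OFFSET 16
#define GSS_S_COMPLETE   0u
#define GSS_S_NO_CONTEXT (8u  << MODEL_ROUTINE_ERROR_OFFSET)
#define GSS_S_FAILURE    (13u << MODEL_ROUTINE_ERROR_OFFSET)
#define GSS_ERROR(maj)   (((maj) >> MODEL_ROUTINE_ERROR_OFFSET) != 0u)

/* Mechanism-private context: what the mechanism's inquire routine expects. */
typedef struct {
    int  opened;
    int  locally_initiated;
    char src_name[32];
} model_mech_ctx;

/* Glue-layer union context: the handle an application such as Chrome holds. */
typedef struct {
    model_mech_ctx *internal_ctx_id;   /* NULL once the mechanism tore down */
} model_union_ctx;

/* Mechanism-side inquire: trusts its argument and dereferences it.
 * Called with ctx == NULL this is the SIGSEGV in the backtrace. */
static OM_uint32 model_mech_inquire(model_mech_ctx *ctx, int *opened)
{
    *opened = ctx->opened;
    return GSS_S_COMPLETE;
}

/* Glue-side inquire with the missing check: never dispatch into the
 * mechanism when the union context carries no internal context. */
static OM_uint32 model_glue_inquire(model_union_ctx *u, int *opened)
{
    if (u == NULL || u->internal_ctx_id == NULL)
        return GSS_S_NO_CONTEXT;
    return model_mech_inquire(u->internal_ctx_id, opened);
}

/* Failure mode modeled here: a handshake step fails (Kerberos cannot
 * authenticate), the mechanism releases its own context, but the union
 * handle the application still holds now wraps a NULL pointer. */
static OM_uint32 model_init_sec_context_step_fails(model_union_ctx *u)
{
    u->internal_ctx_id = NULL;
    return GSS_S_FAILURE;
}

/* Library side: inquiring the surviving handle after a failed step is
 * answered with GSS_S_NO_CONTEXT instead of a crash. */
OM_uint32 model_inquire_after_failed_step(void)
{
    model_mech_ctx  mech = { 1, 1, "user@EXAMPLE.COM" };   /* constructed sample */
    model_union_ctx u    = { &mech };
    int opened = -1;

    (void)model_init_sec_context_step_fails(&u);
    return model_glue_inquire(&u, &opened);
}

/* Application side: the discipline that is safe even on an unfixed
 * library. Check the major status of every init_sec_context step and
 * never inquire a handle whose last step failed. Returns 1 when the
 * inquire was (correctly) skipped. */
int model_caller_checks_status_first(void)
{
    model_mech_ctx  mech = { 1, 1, "user@EXAMPLE.COM" };   /* constructed sample */
    model_union_ctx u    = { &mech };
    int opened = -1;
    OM_uint32 maj = model_init_sec_context_step_fails(&u);

    if (GSS_ERROR(maj)) {
        /* real code: gss_delete_sec_context on the handle, then stop */
        u.internal_ctx_id = NULL;
        return 1;
    }
    (void)model_glue_inquire(&u, &opened);
    return 0;
}

/* Control case: a live context is inquired normally through the glue layer. */
OM_uint32 model_inquire_live_context(void)
{
    model_mech_ctx  mech = { 1, 1, "user@EXAMPLE.COM" };   /* constructed sample */
    model_union_ctx u    = { &mech };
    int opened = 0;
    return model_glue_inquire(&u, &opened);
}
```

The two checks are complementary: the glue-side test makes the library robust against a mechanism that fails and leaves no internal context, while the caller-side status check is what an application can do today against any library version, since a handle whose handshake step returned an error is not something gss_inquire_context is defined to answer.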
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in krb5 (Ubuntu):
status: New → Confirmed
Eric Desrochers (slashd)
Changed in krb5 (Ubuntu):
importance: Undecided → Low
assignee: nobody → Eric Desrochers (slashd)
status: Confirmed → In Progress
Revision history for this message
Eric Desrochers (slashd) wrote :

Hi andrew, dwmw2 et al,

If I build a test package on Monday, will you be amenable to install/test it and then provide feedback before I start the SRU?

Additionally, can you provide the detailed steps on how to reproduce the problem?

Revision history for this message
dwmw2 (dwmw2) wrote :

Sure, I can attempt to test. It needs Kerberos to fail, while another mechanism is possible. So fix up the packaging errors noted in bug 1648898 so that GSS-NTLMSSP is actually registered properly, then just

KRB5CCNAME=/dev/null google-chrome $SOME_URL_WHICH_USES_NEGOTIATE_AUTH

Revision history for this message
Eric Desrochers (slashd) wrote :

Dwmw2,

On which Ubuntu release are you experiencing the situation?

Revision history for this message
dwmw2 (dwmw2) wrote :

On 16.04. Apologies, I looked but couldn't see where Launchpad expects me to enter that information.

Revision history for this message
Eric Desrochers (slashd) wrote :

OK, thanks, that's all I need for now. I will provide a test package on Monday for Xenial.

Revision history for this message
Eric Desrochers (slashd) wrote :

I reviewed the src code of X/Y/Z and only X is affected.

Y/Z already have the patch.

Eric

Revision history for this message
Eric Desrochers (slashd) wrote :

dwmw2,

Can you please give this test package a try?

--
$ sudo add-apt-repository ppa:slashd/fix1648901
$ sudo apt-get update

Install the necessary krb5 packages and then test your reproducer.
--

Eric

Eric Desrochers (slashd)
description: updated
Changed in krb5 (Ubuntu):
importance: Low → Medium
Eric Desrochers (slashd)
description: updated
Eric Desrochers (slashd)
description: updated
Eric Desrochers (slashd)
Changed in krb5 (Ubuntu Xenial):
importance: Undecided → Medium
assignee: nobody → Eric Desrochers (slashd)
Changed in krb5 (Ubuntu):
status: In Progress → Fix Released
Changed in krb5 (Ubuntu Xenial):
status: New → Confirmed
status: Confirmed → In Progress
Eric Desrochers (slashd)
description: updated
Revision history for this message
dwmw2 (dwmw2) wrote :

Yes, that fixes the crash. Thanks.

Revision history for this message
Eric Desrochers (slashd) wrote :

Great, I will then start the SRU on Monday.

Thanks for the quick feedback.

Eric Desrochers (slashd)
description: updated
Eric Desrochers (slashd)
Changed in krb5 (Ubuntu):
assignee: Eric Desrochers (slashd) → nobody
Eric Desrochers (slashd)
description: updated
Revision history for this message
Eric Desrochers (slashd) wrote :

DEBDIFF for Xenial [1.13.2+dfsg-5ubuntu2]

tags: added: sts sts-sponsor sts-sru
Eric Desrochers (slashd)
tags: removed: sts-sponsor
Eric Desrochers (slashd)
description: updated
Revision history for this message
Eric Desrochers (slashd) wrote :

As per an IRC conversation with the SRU team (apw),

The existing krb5 (1.13.2+dfsg-5ubuntu1) has a regressing ADT test, so it is stuck in -proposed.
This prevents krb5 (1.13.2+dfsg-5ubuntu2) from landing in -proposed.

The SRU team is looking at this as we speak.

- Eric

Revision history for this message
Andy Whitcroft (apw) wrote : Please test proposed package

Hello dwmw2, or anyone else affected,

Accepted krb5 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/krb5/1.13.2+dfsg-5ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in krb5 (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed
Revision history for this message
Eric Desrochers (slashd) wrote :

@dwmw2,
@Andrew Jorgensen,
or anyone else affected by this bug.

As you may have noticed, there is currently a call for testing a proposed version of the source package "krb5".

This is the last step before the package makes its way into xenial-updates (its final destination).

Could you please try the package and provide feedback so I can complete the SRU?

- Eric

Revision history for this message
Andrew Jorgensen (ajorgens) wrote :

Tested w/ libkrb5-3=1.13.2+dfsg-5ubuntu2 from xenial-proposed. It was tricky to prepare an environment I could safely test in, but I verified that chrome crashed with previous version, but does not crash after update to the proposed version.

Revision history for this message
Eric Desrochers (slashd) wrote :

Great, thanks Andrew!

tags: added: verification-done
removed: verification-needed
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for krb5 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package krb5 - 1.13.2+dfsg-5ubuntu2

---------------
krb5 (1.13.2+dfsg-5ubuntu2) xenial; urgency=medium

  * Fix segfault in context_handle (LP: #1648901).
    - d/p/check_internal_context_on_init_context_errors.patch:
    Cherry picked patch from upstream VCS.

 -- Eric Desrochers <email address hidden> Mon, 16 Jan 2017 15:06:57 +0100

Changed in krb5 (Ubuntu Xenial):
status: Fix Committed → Fix Released
Eric Desrochers (slashd)
tags: removed: sts-sru
tags: added: sts-sru
Louis Bouchard (louis)
tags: added: sts-sru-done
removed: sts-sru
Revision history for this message
Martin Pohlack (mp26+launch) wrote :

This is also an issue on trusty.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

@mp26+launch, can you easily reproduce this on trusty? Or did you just check the code?
