SPNEGO crash on mechanism failure

Bug #1648901 reported by dwmw2 on 2016-12-09
This bug affects 6 people
Affects         Importance   Assigned to
krb5 (Ubuntu)   Medium       Unassigned
Xenial          Medium       Eric Desrochers

Bug Description

== SRU JUSTIFICATION ==

[Impact]

* Chrome (and other things) crash (segfault) when Kerberos fails to authenticate.

Thread 22 "Chrome_IOThread" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffdd687700 (LWP 14851)]
spnego_gss_inquire_context (minor_status=0x7fffdd68573c, context_handle=0x0, src_name=0x7fffdd685670, targ_name=0x7fffdd685668,
    lifetime_rec=0x7fffdd685738, mech_type=0x7fffdd685660, ctx_flags=0x7fffdd685734, locally_initiated=0x7fffdd685730, opened=0x7fffdd68572c)
    at ../../../../src/lib/gssapi/spnego/spnego_mech.c:2315
2315 ../../../../src/lib/gssapi/spnego/spnego_mech.c: No such file or directory.
(gdb) bt
#0 spnego_gss_inquire_context (minor_status=0x7fffdd68573c, context_handle=0x0, src_name=0x7fffdd685670, targ_name=0x7fffdd685668,
    lifetime_rec=0x7fffdd685738, mech_type=0x7fffdd685660, ctx_flags=0x7fffdd685734, locally_initiated=0x7fffdd685730, opened=0x7fffdd68572c)
    at ../../../../src/lib/gssapi/spnego/spnego_mech.c:2315
#1 0x00007fffef72be54 in gss_inquire_context (minor_status=0x7fffdd68573c, context_handle=<optimized out>, src_name=0x7fffdd685788,
    targ_name=0x7fffdd685750, lifetime_rec=0x7fffdd685738, mech_type=0x7fffdd685780, ctx_flags=0x7fffdd685734, locally_initiated=0x7fffdd685730,
    opened=0x7fffdd68572c) at ../../../../src/lib/gssapi/mechglue/g_inq_context.c:114

* context_handle=0x0: the segfault occurs when trying to dereference a null pointer.

[Test Case]

 * Reproducer

See comment #3 by dwmw2 (the reporter of the bug):
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1648901/comments/3

[Regression Potential]

 * None expected; the Y and Z releases already have the krb5 upstream patch.
 * Debian has the patch as well.
 * A test package has been tested by more than 1 user with success (can't reproduce the crash anymore).

[Other Info]

 * Upstream fix:
https://github.com/krb5/krb5/commit/3beb564cea3d219efcf71682b6576cad548c2d23

* Pull Request:
https://github.com/krb5/krb5/pull/385

* Chrome Bug:
https://bugs.chromium.org/p/chromium/issues/detail?id=554905

* A test pkg including the upstream commit has been proven to fix the crash. See: https://bugs.launchpad.net/ubuntu/xenial/+source/krb5/+bug/1648901/comments/9

==

[Original Description]

Chrome (and other things) crash when Kerberos fails to authenticate:
https://bugs.chromium.org/p/chromium/issues/detail?id=554905

This was fixed in MIT krb5 in January:
https://github.com/krb5/krb5/pull/385

Thread 22 "Chrome_IOThread" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffdd687700 (LWP 14851)]
spnego_gss_inquire_context (minor_status=0x7fffdd68573c, context_handle=0x0, src_name=0x7fffdd685670, targ_name=0x7fffdd685668,
    lifetime_rec=0x7fffdd685738, mech_type=0x7fffdd685660, ctx_flags=0x7fffdd685734, locally_initiated=0x7fffdd685730, opened=0x7fffdd68572c)
    at ../../../../src/lib/gssapi/spnego/spnego_mech.c:2315
2315 ../../../../src/lib/gssapi/spnego/spnego_mech.c: No such file or directory.
(gdb) bt
#0 spnego_gss_inquire_context (minor_status=0x7fffdd68573c, context_handle=0x0, src_name=0x7fffdd685670, targ_name=0x7fffdd685668,
    lifetime_rec=0x7fffdd685738, mech_type=0x7fffdd685660, ctx_flags=0x7fffdd685734, locally_initiated=0x7fffdd685730, opened=0x7fffdd68572c)
    at ../../../../src/lib/gssapi/spnego/spnego_mech.c:2315
#1 0x00007fffef72be54 in gss_inquire_context (minor_status=0x7fffdd68573c, context_handle=<optimized out>, src_name=0x7fffdd685788,
    targ_name=0x7fffdd685750, lifetime_rec=0x7fffdd685738, mech_type=0x7fffdd685780, ctx_flags=0x7fffdd685734, locally_initiated=0x7fffdd685730,
    opened=0x7fffdd68572c) at ../../../../src/lib/gssapi/mechglue/g_inq_context.c:114
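The backtrace above shows spnego_gss_inquire_context entered with context_handle=0x0 after the Kerberos mechanism failed. The following is an added example, not code from this bug report or from the krb5 source: a simplified C model of a wrapper context that owns an inner mechanism context, with the unguarded inquire routine (the crash pattern) next to a guarded one that reports GSS_S_NO_CONTEXT instead of dereferencing NULL. The type names, the init_sec_context_mech_fails flow and the status-code defines are constructed for the example (the numeric values follow the GSS-API convention of routine errors at bit 16) and are assumptions, not the library's API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t OM_uint32;

/* Status codes modeled on GSS-API (RFC 2744) routine errors; defined locally
 * so the example builds without libgssapi. Assumption, not the real header. */
#define GSS_S_COMPLETE    0u
#define GSS_S_NO_CONTEXT  (8u << 16)
#define GSS_S_FAILURE     (13u << 16)

/* Inner mechanism context (what a mechanism such as Kerberos would return).
 * Constructed for the example. */
typedef struct {
    const char *mech_name;
    int established;
} mech_ctx_t;

/* Outer SPNEGO-style context: owns a pointer to the inner mechanism context.
 * After a failed negotiation that pointer can legitimately be NULL. */
typedef struct {
    mech_ctx_t *ctx_handle;   /* inner mechanism context, or NULL */
    int opened;
} spnego_ctx_t;

/* Unguarded inquire: the shape of the crash in the backtrace. Both the outer
 * handle and the inner handle are dereferenced without a check. Shown for
 * contrast only; never called with a NULL argument below. */
OM_uint32 inquire_context_unchecked(const spnego_ctx_t *ctx, int *opened,
                                    const char **mech)
{
    *opened = ctx->opened;                 /* ctx == NULL faults here */
    *mech = ctx->ctx_handle->mech_name;    /* ctx_handle == NULL faults here */
    return GSS_S_COMPLETE;
}

/* Guarded inquire: validates both handles first and sets every output
 * parameter to a safe default on the error path. */
OM_uint32 inquire_context_checked(const spnego_ctx_t *ctx, int *opened,
                                  const char **mech)
{
    if (opened) *opened = 0;
    if (mech) *mech = NULL;
    if (ctx == NULL || ctx->ctx_handle == NULL)
        return GSS_S_NO_CONTEXT;
    if (opened) *opened = ctx->opened;
    if (mech) *mech = ctx->ctx_handle->mech_name;
    return GSS_S_COMPLETE;
}

/* Constructed flow: the inner mechanism fails during init_sec_context, so the
 * outer context exists but holds no inner context. */
OM_uint32 init_sec_context_mech_fails(spnego_ctx_t *ctx)
{
    ctx->ctx_handle = NULL;
    ctx->opened = 0;
    return GSS_S_FAILURE;
}

/* Caller after a failed negotiation: returns 1 when the guarded inquire
 * reports "no context" and leaves the outputs at their defaults. */
int caller_handles_failure(void)
{
    spnego_ctx_t ctx;
    int opened = -1;
    const char *mech = "unset";
    if (init_sec_context_mech_fails(&ctx) == GSS_S_COMPLETE)
        return 0;                          /* not the scenario being modeled */
    return inquire_context_checked(&ctx, &opened, &mech) == GSS_S_NO_CONTEXT
           && opened == 0 && mech == NULL;
}

/* Success path: a fully established context is still reported normally. */
int success_path_works(void)
{
    mech_ctx_t inner = { "krb5", 1 };
    spnego_ctx_t ctx = { &inner, 1 };
    int opened = 0;
    const char *mech = NULL;
    return inquire_context_checked(&ctx, &opened, &mech) == GSS_S_COMPLETE
           && opened == 1 && mech != NULL && mech[0] == 'k';
}

int main(void)
{
    printf("failed negotiation handled: %d\n", caller_handles_failure());
    printf("established context reported: %d\n", success_path_works());
    return 0;
}
```

The defensive point is the one the upstream fix addresses: a mechanism failure must leave the wrapper in a state every later entry point can recognise, and each entry point must check the handle it is about to dereference rather than assume the caller only inquires on established contexts.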

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in krb5 (Ubuntu):
status: New → Confirmed
Eric Desrochers (slashd) on 2016-12-16
Changed in krb5 (Ubuntu):
importance: Undecided → Low
assignee: nobody → Eric Desrochers (slashd)
status: Confirmed → In Progress
Eric Desrochers (slashd) wrote :

Hi andrew, dwmw2 et al,

If I build a test package on Monday, will you be amenable to install/test it and then provide feedback before I start the SRU?

Additionally, can you provide the detailed steps on how to reproduce the problem?

dwmw2 (dwmw2) wrote :

Sure, I can attempt to test. It needs Kerberos to fail, while another mechanism is possible. So fix up the packaging errors noted in bug 1648898 so that GSS-NTLMSSP is actually registered properly, then just

KRB5CCNAME=/dev/null google-chrome $SOME_URL_WHICH_USES_NEGOTIATE_AUTH

Eric Desrochers (slashd) wrote :

Dwmw2,

On which ubuntu release are you experiencing the situation ?

dwmw2 (dwmw2) wrote :

On 16.04. Apologies, I looked but couldn't see where Launchpad expects me to enter that information.

Eric Desrochers (slashd) wrote :

Ok tks, that's all I need for now. Will provide a test pkg on Monday for Xenial.

Eric Desrochers (slashd) wrote :

I reviewed the src code of X/Y/Z and only X is affected.

Y/Z already have the patch.

Eric

Eric Desrochers (slashd) wrote :

dwmw2,

Can you please give this test package a try?

--
$ sudo add-apt-repository ppa:slashd/fix1648901
$ sudo apt-get update

Install the necessary krb5 packages and then test your reproducer.
--

Eric

Eric Desrochers (slashd) on 2016-12-17
description: updated
Changed in krb5 (Ubuntu):
importance: Low → Medium
Eric Desrochers (slashd) on 2016-12-17
description: updated
Eric Desrochers (slashd) on 2016-12-17
description: updated
Eric Desrochers (slashd) on 2016-12-17
Changed in krb5 (Ubuntu Xenial):
importance: Undecided → Medium
assignee: nobody → Eric Desrochers (slashd)
Changed in krb5 (Ubuntu):
status: In Progress → Fix Released
Changed in krb5 (Ubuntu Xenial):
status: New → Confirmed
status: Confirmed → In Progress
Eric Desrochers (slashd) on 2016-12-17
description: updated
dwmw2 (dwmw2) wrote :

Yes, that fixes the crash. Thanks.

Eric Desrochers (slashd) wrote :

Great, I will then start the SRU on Monday.

Thanks for the quick feedback.

Eric Desrochers (slashd) on 2016-12-17
description: updated
Eric Desrochers (slashd) on 2016-12-18
Changed in krb5 (Ubuntu):
assignee: Eric Desrochers (slashd) → nobody
Eric Desrochers (slashd) on 2016-12-19
description: updated
Eric Desrochers (slashd) wrote :

DEBDIFF for Xenial [1.13.2+dfsg-5ubuntu2]

tags: added: sts sts-sponsor sts-sru
Eric Desrochers (slashd) wrote :
Eric Desrochers (slashd) on 2017-01-16
tags: removed: sts-sponsor
Eric Desrochers (slashd) on 2017-01-23
description: updated
Eric Desrochers (slashd) wrote :

As per an IRC conversation with the SRU team (apw),

The existing krb5 (1.13.2+dfsg-5ubuntu1) has a regressing ADT test, so it is stuck in -proposed,
thus preventing krb5 (1.13.2+dfsg-5ubuntu2) from landing in -proposed.

The SRU team is looking at this as we speak.

- Eric

Hello dwmw2, or anyone else affected,

Accepted krb5 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/krb5/1.13.2+dfsg-5ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Changed in krb5 (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed
Eric Desrochers (slashd) wrote :

@dwmw2,
@Andrew Jorgensen,
or anyone else affected by this bug.

As you may have noticed, there is currently a call for testing a proposed version of the source package "krb5".

This is the last step before the package makes its way into xenial-updates (final destination).

Could you please try the package and provide feedback so I can complete the SRU?

- Eric

Andrew Jorgensen (ajorgens) wrote :

Tested w/ libkrb5-3=1.13.2+dfsg-5ubuntu2 from xenial-proposed. It was tricky to prepare an environment I could safely test in, but I verified that chrome crashed with previous version, but does not crash after update to the proposed version.

Eric Desrochers (slashd) wrote :

Great, thanks Andrew!

tags: added: verification-done
removed: verification-needed

The verification of the Stable Release Update for krb5 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package krb5 - 1.13.2+dfsg-5ubuntu2

---------------
krb5 (1.13.2+dfsg-5ubuntu2) xenial; urgency=medium

  * Fix segfault in context_handle (LP: #1648901).
    - d/p/check_internal_context_on_init_context_errors.patch:
    Cherry picked patch from upstream VCS.

 -- Eric Desrochers <email address hidden> Mon, 16 Jan 2017 15:06:57 +0100

Changed in krb5 (Ubuntu Xenial):
status: Fix Committed → Fix Released
Eric Desrochers (slashd) on 2017-02-02
tags: removed: sts-sru
tags: added: sts-sru
Louis Bouchard (louis) on 2017-03-22
tags: added: sts-sru-done
removed: sts-sru
Martin Pohlack (mp26+launch) wrote :

This is also an issue on trusty.

Andreas Hasenack (ahasenack) wrote :

@mp26+launch, can you easily reproduce this on trusty? Or did you just check the code?
