[krbdev.mit.edu #9103] segfault trying to free a garbage pointer

Ilya Gladyshev via RT rt-comment at kerborg-prod-app-1.mit.edu
Sat Sep 2 20:36:28 EDT 2023


Sat Sep 02 20:36:27 2023: Request 9103 was acted upon.
 Transaction: Ticket created by ilya.v.gladyshev at gmail.com
       Queue: krb5
     Subject: segfault trying to free a garbage pointer
       Owner: Nobody
  Requestors: ilya.v.gladyshev at gmail.com
      Status: new
 Ticket <URL: http://kerborg-prod-app-1.mit.edu/rt/Ticket/Display.html?id=9103 >


Hi,
I have recently encountered a segfault while using psql (PostgreSQL client, version 13) on macOS. psql uses krb5-1.21.2 internally, and as I started exploring the problem, I obtained the following call stack that led to the segfault:
0 libkrb5.3.3.dylib	0x10471ec18 krb5_free_principal + 20
1 libkrb5.3.3.dylib	0x104701ad0 krb5_cccol_have_content + 188
2 libgssapi_krb5.2.2.dylib	0x104531894 acquire_cred_context + 1664
3 libgssapi_krb5.2.2.dylib	0x10453119c acquire_cred_from + 688
4 libgssapi_krb5.2.2.dylib	0x104523180 gss_add_cred_from + 624

So it seems to me that the problem is in the krb5 library. I looked at the source code and the problem seems obvious to me, but I might be missing something here. I have attached a patch to fix it, and here's my understanding of what's going on there: inside krb5_cccol_have_content, the princ variable may stay uninitialized even after a call to krb5_cc_get_principal, so krb5_free_principal will try to free a garbage pointer, or it might try to do a double free if princ was assigned and freed on a previous loop iteration. Setting princ to NULL at the beginning of each loop iteration seems enough to me, because krb5_free_principal has checks for NULL.

Regards,
Ilya

P.S. You might want to update the URL to access the repository on the website https://kerberos.org/dist/testing.html#git, as GitHub no longer supports git:// protocol links.
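The defect the report describes, modelled as an added example (constructed here; this is neither krb5's code nor the attached patch): a lookup that leaves its out-pointer untouched on failure, followed by an unconditional free, beside the proposed reset-each-iteration fix. The names principal_t, cache_t, get_principal, free_principal, have_content and demo are stand-ins, and invalid frees are counted instead of crashing so the two behaviours can be compared.

```c
#include <stdlib.h>

/* Constructed model of the loop the report describes; not krb5's code. */
typedef struct { const char *name; } principal_t;  /* stand-in for krb5_principal */
typedef struct { const char *name; } cache_t;      /* stand-in for a ccache; NULL = no principal */

static principal_t *live[16];      /* principals currently allocated by get_principal */
static int live_count = 0;
static int bad_free_count = 0;     /* frees of non-live pointers: garbage or double free */
static principal_t stack_garbage;  /* stands in for whatever the stack held before assignment */

/* Like krb5_cc_get_principal as the reporter describes it: on failure *out is left untouched. */
static int get_principal(const cache_t *cc, principal_t **out)
{
    if (cc->name == NULL)
        return -1;                 /* error path: *out is NOT written */
    principal_t *p = calloc(1, sizeof *p);
    p->name = cc->name;
    live[live_count++] = p;
    *out = p;
    return 0;
}

/* Like krb5_free_principal: NULL-safe. A non-live pointer is counted instead of crashing. */
static void free_principal(principal_t *p)
{
    if (p == NULL)
        return;
    for (int i = 0; i < live_count; i++)
        if (live[i] == p) { live[i] = live[--live_count]; free(p); return; }
    bad_free_count++;              /* a real free() here segfaults or double frees */
}

/* Same shape as the reported loop: look up, then free unconditionally.
 * fixed == 0 reproduces the bug; fixed == 1 applies the proposed one-line fix. */
static int have_content(const cache_t *caches, int n, int fixed)
{
    principal_t *princ = &stack_garbage;  /* "uninitialized" before the first iteration */
    bad_free_count = 0;
    for (int i = 0; i < n; i++) {
        if (fixed)
            princ = NULL;          /* reset each iteration; free_principal(NULL) is a no-op */
        (void)get_principal(&caches[i], &princ);
        free_principal(princ);     /* unfixed: garbage on the first miss, stale after a hit */
    }
    return bad_free_count;         /* number of invalid frees observed in this run */
}

/* Constructed sample collection: a miss, a hit, then another miss. */
static int demo(int fixed)
{
    const cache_t caches[] = { { NULL }, { "alice@EXAMPLE.COM" }, { NULL } };
    return have_content(caches, 3, fixed);
}
```

Without the reset, the first miss frees stack garbage and the miss after the hit frees the already-released principal again; with the reset, every free is either valid or a NULL no-op.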

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-clear-principal-on-each-loop.patch
Type: application/octet-stream
Size: 787 bytes
Desc: not available
URL: <http://mailman.mit.edu/pipermail/krb5-bugs/attachments/20230902/3ae2ab10/attachment.obj>