Segfaults in MIT libkrb5
Ken Raeburn
raeburn at MIT.EDU
Thu Dec 14 17:36:40 EST 2006
On Dec 14, 2006, at 14:25, Fredrik Tolf wrote:
> Hi list!
>
> I'm experiencing weird segfaults in a program I've written. While I
> cannot exactly prove that it isn't my own fault and I'm not just doing a
> great fandango all over libkrb5's core, they all occur in the Kerberos
> library, in incidents seemingly related to the error tables. The usual
> backtrace looks like this:
>
> #0 0xb7d52a43 in error_message (code=-1429577725) at error_message.c:58
> #1 0xb7f0e598 in krb5int_locate_server () from /usr/lib/libkrb5.so.3
> #2 0xb7f0e843 in krb5_locate_kdc () from /usr/lib/libkrb5.so.3
> #3 0xb7f1072f in krb5_sendto_kdc () from /usr/lib/libkrb5.so.3
> #4 0xb7eff3e0 in krb5_send_tgs () from /usr/lib/libkrb5.so.3
> #5 0xb7ef0b6d in krb5_get_cred_via_tkt () from /usr/lib/libkrb5.so.3
> #6 0xb7eeff0e in krb5_fwd_tgt_creds () from /usr/lib/libkrb5.so.3
> #7 0xb7ef183d in krb5_get_credentials_renew () from /usr/lib/libkrb5.so.3
> #8 0x08061df1 in renewcreds (cancelled=0, data=0x835bd18) at auth-krb5.c:228
> #9 0x0804c9a0 in main (argc=1, argv=0xbfac4104) at main.c:550
The error code -1429577725 is PROF_NO_RELATION; in
krb5int_locate_server this just means it couldn't find something
(probably realms -> $realmname -> kdc) in the config file. That's
okay. But crashing while trying to look it up probably means a
corrupted error table list.
This may mean the com_err library you're using isn't thread-safe. If
the PAM library does dlopen and dlclose on loaded modules, there may
also be some kind of problem in that area. (For example, if dlopen
maps the library in a second time, and dlclose unmaps it without
running library finalization code -- we should be hooking into the
same kind of facility that runs C++ static object destructors -- then
the linked list of error table pointers could include a pointer to
the now-unmapped copy of the krb5 library. Or if the com_err code is
retaining that pointer when it should be removing it, that could
cause trouble.)
> Today, however, I got another segfault, but which also seems related to
> the error tables:
> #0 0xb7a2ff63 in krb_realmofhost () from /usr/lib/libkrb4.so.2
> #1 0xb7a2ffd0 in initialize_krb_error_table () from /usr/lib/libkrb4.so.2
> #2 0xb7ba21c1 in _pam_krb5_init_ctx (ctx=0x8443e88, argc=2, argv=0x8422530) at init.c:80
> ...
But initialize_krb_error_table won't call krb_realmofhost, so clearly
this stack trace is misleading. (Perhaps there's a static function
located after initialize_krb_error_table in the shared library.)
>
> Could the fault somehow be related to the fact that this particular
> program both uses the Kerberos library directly (for Kerberized clients)
> and the pam_krb5 PAM module (which is line #2 in the second backtrace
> above), which is called from a userspace thread (using the ucontext
> calls)? Is there some other known problem? I also call the seemingly
> undocumented function krb5_get_credentials_renew, if that might matter.
>
> I'm using MIT Kerberos V 1.4.3 and a system-supplied com_err library,
> version 1.39. The system is Gentoo Linux.
I'm not familiar with that specific version of the com_err library.
It may not be thread-safe, or at least the interfaces we depend on
may not be.
Ken
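A minimal C model of the error-table registry Ken describes, added here as an illustration and not code from this thread or from MIT com_err (real com_err exposes add_error_table/remove_error_table; the model_* and module_load/module_unload names, the list layout and the single-entry table built on the thread's PROF_NO_RELATION code are constructed for this example): a loaded module registers its table, and must unregister it before it is unmapped, because error_message dereferences every table pointer on the list.

```c
#include <stdlib.h>
#include <string.h>
/* One error table: contiguous codes starting at base (model only, not MIT com_err). */
struct error_table { const char *const *msgs; long base; int n_msgs; };
/* Registry node: holds a pointer into the module that registered the table. */
struct et_list { struct et_list *next; const struct error_table *table; };
static struct et_list *et_head = NULL;

/* Register a table (models add_error_table). */
int model_add_error_table(const struct error_table *et)
{
    struct et_list *node = malloc(sizeof *node);
    if (!node) return -1;
    node->table = et;
    node->next = et_head;
    et_head = node;
    return 0;
}

/* Unregister (models remove_error_table); a module must do this before it is unmapped. */
int model_remove_error_table(const struct error_table *et)
{
    for (struct et_list **pp = &et_head; *pp; pp = &(*pp)->next) {
        if ((*pp)->table == et) {
            struct et_list *dead = *pp;
            *pp = dead->next;
            free(dead);
            return 0;
        }
    }
    return -1; /* not registered */
}

/* Lookup (models error_message): every table pointer on the list is dereferenced,
 * so a stale entry left by an unmapped module is the crash the thread describes. */
const char *model_error_message(long code)
{
    for (const struct et_list *p = et_head; p; p = p->next) {
        long off = code - p->table->base;
        if (off >= 0 && off < p->table->n_msgs) return p->table->msgs[off];
    }
    return "Unknown code";
}

/* Simulated module using the thread's PROF_NO_RELATION code as a constructed base.
 * In a real shared object these would be __attribute__((constructor)) and
 * __attribute__((destructor)), so dlopen registers and dlclose unregisters. */
static const char *const prof_msgs[] = { "Profile relation not found" };
static const struct error_table prof_table = { prof_msgs, -1429577725L, 1 };
void module_load(void)   { model_add_error_table(&prof_table); }
void module_unload(void) { model_remove_error_table(&prof_table); }
```

After module_unload the list no longer refers to the module's table, so a later lookup falls through to the fallback string instead of touching memory that dlclose may have unmapped.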