Segfaults in MIT libkrb5

Ken Raeburn raeburn at MIT.EDU
Thu Dec 14 17:36:40 EST 2006


On Dec 14, 2006, at 14:25, Fredrik Tolf wrote:

> Hi list!
>
> I'm experiencing weird segfaults in a program I've written. While I
> cannot exactly prove that it isn't my own fault and I'm not just
> doing a great fandango all over libkrb5's core, they all occur in the
> Kerberos library, in incidents seemingly related to the error tables.
> The usual backtrace looks like this:
>
> #0  0xb7d52a43 in error_message (code=-1429577725) at error_message.c:58
> #1  0xb7f0e598 in krb5int_locate_server () from /usr/lib/libkrb5.so.3
> #2  0xb7f0e843 in krb5_locate_kdc () from /usr/lib/libkrb5.so.3
> #3  0xb7f1072f in krb5_sendto_kdc () from /usr/lib/libkrb5.so.3
> #4  0xb7eff3e0 in krb5_send_tgs () from /usr/lib/libkrb5.so.3
> #5  0xb7ef0b6d in krb5_get_cred_via_tkt () from /usr/lib/libkrb5.so.3
> #6  0xb7eeff0e in krb5_fwd_tgt_creds () from /usr/lib/libkrb5.so.3
> #7  0xb7ef183d in krb5_get_credentials_renew () from /usr/lib/libkrb5.so.3
> #8  0x08061df1 in renewcreds (cancelled=0, data=0x835bd18) at auth-krb5.c:228
> #9  0x0804c9a0 in main (argc=1, argv=0xbfac4104) at main.c:550

The error code -1429577725 is PROF_NO_RELATION; in  
krb5int_locate_server this just means it couldn't find something  
(probably realms -> $realmname -> kdc) in the config file.  That's  
okay.  But crashing while trying to look it up probably means a  
corrupted error table list.

This may mean the com_err library you're using isn't thread-safe.  If  
the PAM library does dlopen and dlclose on loaded modules, there may  
also be some kind of problem in that area.  (For example, if dlopen  
maps the library in a second time, and dlclose unmaps it without  
running library finalization code -- we should be hooking into the  
same kind of facility that runs C++ static object destructors -- then  
the linked list of error table pointers could include a pointer to  
the now-unmapped copy of the krb5 library.  Or if the com_err code is  
retaining that pointer when it should be removing it, that could  
cause trouble.)

> Today, however, I got another segfault, but which also seems related to
> the error tables:
> #0  0xb7a2ff63 in krb_realmofhost () from /usr/lib/libkrb4.so.2
> #1  0xb7a2ffd0 in initialize_krb_error_table () from /usr/lib/libkrb4.so.2
> #2  0xb7ba21c1 in _pam_krb5_init_ctx (ctx=0x8443e88, argc=2,
> argv=0x8422530) at init.c:80
> ...

But initialize_krb_error_table won't call krb_realmofhost, so clearly  
this stack trace is misleading.  (Perhaps there's a static function  
located after initialize_krb_error_table in the shared library.)

>
> Could the fault somehow be related to the fact that this particular
> program both uses the Kerberos library directly (for Kerberized clients)
> and the pam_krb5 PAM module (which is line #2 in the second backtrace
> above), which is called from a userspace thread (using the ucontext
> calls)? Is there some other known problem? I also call the seemingly
> undocumented function krb5_get_credentials_renew, if that might matter.
>
> I'm using MIT Kerberos V 1.4.3 and a system-supplied com_err library,
> version 1.39. The system is Gentoo Linux.

I'm not familiar with that specific version of the com_err library.   
It may not be thread-safe, or at least the interfaces we depend on  
may not be.

Ken
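Added illustration, not code from this reply or from MIT's libcom_err: a minimal model of the error-table registry the reply describes, where a library registers its table on load, a finalizer must remove it before the library is unmapped, and error_message() resolves a code by splitting it into a table base and an 8-bit offset. The function names mirror the real com_err API, but the implementation and the sample table are constructed here, and locking is deliberately omitted, which is the thread-safety gap the reply points at.

```c
#include <string.h>
/* Model of a com_err error table (the real struct has these three fields). */
struct error_table { const char *const *msgs; long base; int n_msgs; };
/* Table registry: real com_err keeps a linked list, this model a fixed array. */
#define MAX_TABLES 8
static const struct error_table *registry[MAX_TABLES];
static int n_registered;
/* A code is the table base (upper bits) plus an 8-bit message offset. */
#define ERRCODE_MASK ((1L << 8) - 1)

/* 0 ok; 1 already registered (a library mapped a second time must not add twice); -1 full. */
int add_error_table(const struct error_table *et) {
    for (int i = 0; i < n_registered; i++)
        if (registry[i] == et) return 1;
    if (n_registered == MAX_TABLES) return -1;
    registry[n_registered++] = et;
    return 0;
}

/* Unregister: what a library finalizer must do before the library is
 * unmapped.  Returns -1 if the table was not registered. */
int remove_error_table(const struct error_table *et) {
    int i = 0;
    while (i < n_registered && registry[i] != et) i++;
    if (i == n_registered) return -1;
    memmove(&registry[i], &registry[i + 1],
            (size_t)(n_registered - i - 1) * sizeof registry[0]);
    n_registered--;
    return 0;
}

/* Nonzero if the registry still points at et: after an unmap, the dangling pointer. */
int registry_references(const struct error_table *et) {
    for (int i = 0; i < n_registered; i++)
        if (registry[i] == et) return 1;
    return 0;
}
const char *error_message(long code) {
    long base = code & ~ERRCODE_MASK, offset = code & ERRCODE_MASK;
    for (int i = 0; i < n_registered; i++)
        if (registry[i]->base == base && offset < registry[i]->n_msgs)
            return registry[i]->msgs[offset];
    return "Unknown code";
}
/* Constructed sample table: base is the backtrace's code with its low 8 bits
 * cleared, making -1429577725 offset 3.  The message text is made up. */
static const char *const sample_msgs[] = {
    "No error", "Bad magic", "Section not found", "Relation not found" };
const struct error_table sample_et = { sample_msgs, -1429577728L, 4 };
```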
