crash in krb5kdc

Sushmita Bhattacharya sushmita.bhattacharya at oracle.com
Thu Apr 1 01:26:33 EDT 2021


Hi,

I am facing an issue with a Kerberos(krb5kdc) crash in process_tgs_req function, krb5 version 1.15.1. Backtrace below:-

(gdb) bt
#0  0x00007fec38d8d387 in raise () from /lib64/libc.so.6
#1  0x00007fec38d8ea78 in abort () from /lib64/libc.so.6
#2  0x00007fec38d861a6 in __assert_fail_base () from /lib64/libc.so.6
#3  0x00007fec38d86252 in __assert_fail () from /lib64/libc.so.6
#4  0x00007fec3046d353 in ldap_get_values_len () from
/lib64/libldap_r-2.4.so.2
#5  0x00007fec3201422e in ipadb_ldap_attr_to_int () from
/usr/lib64/krb5/plugins/kdb/ipadb.so
#6  0x00007fec320173cb in ipadb_parse_ldap_entry () from
/usr/lib64/krb5/plugins/kdb/ipadb.so
#7  0x00007fec3201832b in ipadb_get_principal () from
/usr/lib64/krb5/plugins/kdb/ipadb.so
#8  0x00007fec3a918bb7 in krb5_db_get_principal () from /lib64/libkdb5.so.8
#9  0x000056443d95fff2 in kdc_get_server_key ()
#10 0x000056443d9603ce in kdc_process_tgs_req ()
#11 0x000056443d95ac97 in process_tgs_req ()
#12 0x000056443d958df3 in dispatch ()
#13 0x000056443d96c950 in process_tcp_connection_read ()
#14 0x00007fec39127b48 in verto_fire () from /lib64/libverto.so.1
#15 0x00007fec31242b13 in tevent_common_invoke_fd_handler () from
/lib64/libtevent.so.0
#16 0x00007fec31249087 in epoll_event_loop_once () from /lib64/libtevent.so.0
#17 0x00007fec31247057 in std_event_loop_once () from /lib64/libtevent.so.0
#18 0x00007fec3124225d in _tevent_loop_once () from /lib64/libtevent.so.0
#19 0x00007fec3912731f in verto_run () from /lib64/libverto.so.1
#20 0x000056443d957af6 in main ()
(gdb) q


We observed this crash with kerberos version 1.15.1.

The issue is that the ldap handle passed from function process_tgs_req , to function ipadb_parse_ldap_entry and eventually to openldap, is an invalid LDAP handle. Hence there is an assert failure in function ldap_get_values_len.


(gdb) f 4
#4  0x00007fec3046d353 in ldap_get_values_len (ld=ld at entry=0x56443f44b850,
entry=entry at entry=0x56443f5c4fe0,
    target=target at entry=0x7fec3202192b "krbTicketFlags") at getvalues.c:98
98              assert( LDAP_VALID( ld ) );
(gdb) p ld->ldc->ldc_options.ldo_valid
$1 = -17435
(gdb) p/x ld->ldc->ldc_options.ldo_valid
$2 = 0xbbe5
(gdb) f 5
#5  0x00007fec3201422e in ipadb_ldap_attr_to_int
(lcontext=lcontext at entry=0x56443f44b850, le=le at entry=0x56443f5c4fe0,
    attrname=attrname at entry=0x7fec3202192b "krbTicketFlags",
result=result at entry=0x7ffcdd2accc4) at ipa_kdb_common.c:383
383         vals = ldap_get_values_len(lcontext, le, attrname);

(gdb) f 7
#7  0x00007fec3201832b in ipadb_get_principal (kcontext=0x56443f47b920,
search_for=<optimized out>, flags=8192, entry=0x7ffcdd2acec8)
    at ipa_kdb_principals.c:1311
1311        kerr = ipadb_parse_ldap_entry(kcontext, principal, lentry, entry,
&pol);
(gdb)


Any ideas on this issue ? Is there a specific fix available ? It looks like someone reported a similar crash here : https://pagure.io/freeipa/issue/5633, but there was no fix documented, and it got closed as there was insufficient info. Any help will be much appreciated.

Thanks,
Sushmita


More information about the Kerberos mailing list