[krbdev.mit.edu #8596] kinit segfault with Heimdal server

Wed Jul 5 16:21:53 EDT 2017

Hi,

The following sequence, where REALM has a Heimdal kdc, leads to kinit
dumping core:

$ kinit user at REALM
Password for user at REALM: <hit ctrl-c here>
Password for user at REALM: <hit enter here>
Segmentation fault (core dumped)

First encountered on Fedora 26
(krb5-workstation-1.15.1-8.fc26.x86_64), but also reproduces on Fedora
25 and Centos 7.

The core backtrace looks like:
(gdb) bt

#0  krb5_c_fx_cf2_simple (context=context at entry=0x560a3e1de0d0,
k1=k1 at entry=0x0, pepper1=pepper1 at entry=0x7fb40acdca01
"clientchallengearmor", k2=0x560a3e1decb0,
    pepper2=pepper2 at entry=0x7fb40acdc9dd "challengelongterm",
out=out at entry=0x7ffdf2e6b3b0) at cf2.c:139
#1  0x00007fb40aca977c in ec_process (context=0x560a3e1de0d0,
moddata=<optimized out>, modreq=<optimized out>, opt=<optimized out>,
cb=0x7fb40af300c0 <callbacks>,
    rock=0x560a3e1deb20, request=0x560a3e1ded20,
encoded_request_body=0x560a3e1e2320,
encoded_previous_request=0x560a3e1e0600, padata=0x560a3e1e1b20,
    prompter=0x560a3dca8350 <kinit_prompter>,
prompter_data=0x7ffdf2e6cb40, out_padata=0x7ffdf2e6b500) at
preauth_ec.c:107
#2  0x00007fb40aca90a9 in clpreauth_process
(pa_data_out=0x7ffdf2e6b500, prompter_data=<optimized out>,
prompter=<optimized out>, pa_data=0x560a3e1e1b20,
    prev_req=<optimized out>, req_body=<optimized out>, req=<optimized
out>, rock=0x560a3e1deb20, cb=0x7fb40af300c0 <callbacks>,
opt=<optimized out>, h=0x560a3e1e0380,
    context=0x560a3e1de0d0) at preauth2.c:281
#3  process_pa_data (out_type=0x560a3e1dece8,
out_pa_list_size=0x7ffdf2e6b4e4, out_pa_list=0x7ffdf2e6b4e8,
must_preauth=1, in_pa_list=0x560a3e1fa490,
    ctx=0x560a3e1deb20, context=0x560a3e1de0d0) at preauth2.c:611
#4  k5_preauth (context=context at entry=0x560a3e1de0d0,
ctx=ctx at entry=0x560a3e1deb20, in_padata=0x560a3e1fa490,
must_preauth=1, padata_out=0x560a3e1ded28,
    pa_type_out=pa_type_out at entry=0x560a3e1dece8) at preauth2.c:984
#5  0x00007fb40ac99b65 in init_creds_step_request (out=0x7ffdf2e6b6b0,
ctx=0x560a3e1deb20, context=0x560a3e1de0d0) at get_in_tkt.c:1354
#6  krb5_init_creds_step (context=0x560a3e1de0d0, ctx=0x560a3e1deb20,
in=<optimized out>, out=0x7ffdf2e6b6b0, realm=0x7ffdf2e6b6d0,
flags=0x7ffdf2e6b6a8)
    at get_in_tkt.c:1717
#7  0x00007fb40ac9a622 in k5_init_creds_get
(context=context at entry=0x560a3e1de0d0, ctx=0x560a3e1deb20,
use_master=use_master at entry=0x7ffdf2e6b868) at get_in_tkt.c:624
#8  0x00007fb40ac9a774 in k5_get_init_creds
(context=context at entry=0x560a3e1de0d0,
creds=creds at entry=0x7ffdf2e6cb90, client=client at entry=0x560a3e1de480,
    prompter=prompter at entry=0x560a3dca8350 <kinit_prompter>,
prompter_data=prompter_data at entry=0x7ffdf2e6cb40,
start_time=start_time at entry=0, in_tkt_service=0x0,
    options=0x560a3e1dea70, gak_fct=0x7fb40ac9c250
<krb5_get_as_key_password>, gak_data=0x7ffdf2e6b8d0,
use_master=0x7ffdf2e6b868, as_reply=0x7ffdf2e6b870)
    at get_in_tkt.c:1783
#9  0x00007fb40ac9c823 in krb5_get_init_creds_password
(context=0x560a3e1de0d0, creds=0x7ffdf2e6cb90, client=0x560a3e1de480,
password=0x0,
    prompter=0x560a3dca8350 <kinit_prompter>, data=0x7ffdf2e6cb40,
start_time=0, in_tkt_service=0x0, options=0x560a3e1dea70) at
gic_pwd.c:317
#10 0x0000560a3dca8074 in k5_kinit (k5=0x7ffdf2e6cb60,
opts=0x7ffdf2e6cc10) at kinit.c:819
#11 main (argc=<optimized out>, argv=<optimized out>) at kinit.c:948

.. where it is derefencing the NULL armor_key pointer.

Testing against an MIT server, the ctrl-C results in:
kinit: Password read interrupted while getting initial credentials

but here the call stack where the prompting occurs is quite different,
and the KRB5_LIBOS_PWDINTR from the prompter function is lost in the
process_pa_data loop.

Not sure if that's the right solution (although it seems logical), but
checking for KRB5_LIBOS_PWDINTR and bailing out there gives a similar
behaviour to the MIT server one.  See attached experimental patch.

Thanks,
Marc