[krbdev.mit.edu #8771] ccache refcount bug due to ticket 8202 backport
Greg Hudson via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Sun Jan 6 12:33:58 EST 2019
Ticket 8202 ("Fix bugs with concurrent use of MEMORY ccaches")
contains a serious bug: krb5_mcc_ptcursor_next() yields ccache
objects without increasing their refcounts. When the caller closes
its handle, the refcount decreases, freeing the ccache data object
while there are still references to it.
The per-type cursor implementation was also subject to pre-existing
concurrent use bugs where the next cache was destroyed (and therefore
removed from the list) before it was yielded.
On the master branch, both problems were soon fixed by ticket 8720
("Don't include all MEMORY ccaches in collection") which rewrites
krb5_mcc_ptcursor_next(). However, the backport of ticket 8202
caused a regression in 1.15.4 and 1.16.2. The bug was reported to
Debian (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918088) by
Andreas Maus, who observed it in the context of autofs and Cyrus
SASL. autofs creates a MEMORY ccache, acquires tickets into it using
the default keytab, sets the KRB5CCNAME environment variable to point
to the new ccache, and then invokes SASL which does
gss_init_sec_context(). gss_init_sec_context() invokes
krb5_cccol_have_content(), which iterates over the collection.
The simplest fix is to backport ticket 8720.
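To make the refcount problem above concrete, here is a small added model (not krb5 code, not from the ticket) of a reference-counted per-type cache list with a collection cursor. The names mcc_data, mcc_handle, ptcursor_next_buggy and ptcursor_next_fixed are invented for the illustration. The buggy cursor yields an object without taking a reference, so the caller's close drops the list's own reference and the object is released while the creator (autofs, in the report) still holds a handle to it; the fixed cursor takes a reference on behalf of each yielded handle. live_caches_after_iteration() plays the role of the krb5_cccol_have_content() loop and reports how many caches survive it. The model marks an object freed instead of calling free(), purely so the dangling state can be inspected safely.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a reference-counted MEMORY ccache list with a
 * per-type collection cursor.  Added illustration, not krb5 code; every
 * name here is invented for the example. */

typedef struct mcc_data {
    char name[32];
    int refcount;           /* live handles referring to this object */
    int freed;              /* set when the last handle closes; the memory is
                               kept so the dangling state can be inspected */
    struct mcc_data *next;  /* global per-type list */
} mcc_data;

typedef struct { mcc_data *data; } mcc_handle;
typedef struct { mcc_data *pos; } mcc_ptcursor;

static mcc_data *mcc_head = NULL;

/* Create a cache: the creator's handle owns the single initial reference. */
static mcc_handle mcc_create(const char *name)
{
    mcc_data *d = calloc(1, sizeof(*d));
    strncpy(d->name, name, sizeof(d->name) - 1);
    d->refcount = 1;
    d->next = mcc_head;
    mcc_head = d;
    return (mcc_handle){ d };
}

/* Close a handle: drop its reference; the last one releases the object.
 * Real code would unlink and free() here; the model only marks it. */
static void mcc_close(mcc_handle *h)
{
    if (h->data == NULL)
        return;
    if (--h->data->refcount == 0)
        h->data->freed = 1;
    h->data = NULL;
}

/* Buggy yield: hands out a handle without taking a reference, so the
 * caller's mcc_close() releases a reference the caller never owned. */
static int ptcursor_next_buggy(mcc_ptcursor *c, mcc_handle *out)
{
    if (c->pos == NULL)
        return 0;
    out->data = c->pos;
    c->pos = c->pos->next;
    return 1;
}

/* Fixed yield: take a reference for the yielded handle, so the list's
 * own reference survives the caller closing that handle. */
static int ptcursor_next_fixed(mcc_ptcursor *c, mcc_handle *out)
{
    if (c->pos == NULL)
        return 0;
    c->pos->refcount++;
    out->data = c->pos;
    c->pos = c->pos->next;
    return 1;
}

static void mcc_reset(void)
{
    while (mcc_head != NULL) {
        mcc_data *n = mcc_head->next;
        free(mcc_head);
        mcc_head = n;
    }
}

/* Model of the krb5_cccol_have_content() loop: open each cache in the
 * collection through the cursor and close the handle again.  Returns how
 * many caches are still live afterwards, while the creators' handles
 * (e.g. autofs's KRB5CCNAME cache) are still open. */
static int live_caches_after_iteration(int use_fixed_cursor)
{
    mcc_reset();
    mcc_handle owners[3];
    owners[0] = mcc_create("autofs");
    owners[1] = mcc_create("second");
    owners[2] = mcc_create("third");

    mcc_ptcursor cur = { mcc_head };
    mcc_handle h;
    while (use_fixed_cursor ? ptcursor_next_fixed(&cur, &h)
                            : ptcursor_next_buggy(&cur, &h))
        mcc_close(&h);

    int live = 0;
    for (mcc_data *d = mcc_head; d != NULL; d = d->next)
        if (!d->freed)
            live++;
    /* With the buggy cursor the owners' handles now dangle; drop them
     * without dereferencing.  mcc_reset() reclaims the memory later. */
    for (int i = 0; i < 3; i++)
        owners[i].data = NULL;
    return live;
}

int main(void)
{
    printf("buggy cursor: %d of 3 caches still live\n",
           live_caches_after_iteration(0));
    printf("fixed cursor: %d of 3 caches still live\n",
           live_caches_after_iteration(1));
    mcc_reset();
    return 0;
}
```

With the buggy cursor, a single pass over the collection drives every cache's refcount to zero even though its creator never closed it; any later use of the creator's handle is a use after free. In real code the same check is easiest to make with AddressSanitizer on a small program that creates a MEMORY ccache, iterates the collection, and then reads from the original handle.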