Crash in MIT Kerberos 5 v1.8.3 gss_export_sec_context() for Initiator

Rex, Martin martin.rex at sap.com
Fri Dec 17 11:22:35 EST 2010


Hi,

I received a crash report from one of our customers who is
trying to set up MIT Kerberos 5 v1.8.3 for Single Sign-On
and has used our "gsstest" to check for interop prerequisites.
(ftp://ftp.sap.com/pub/ietf-work/gssapi/gsstest)

The customer was faced with a crash/core dump when gsstest
tries to export the Initiator's(!) security context (call stack below).

Exporting the *Acceptor's* security context succeeds according
to gsstest's own debug output; the problem appears to be specific/limited
to calling gss_export_sec_context() for the Initiator.

The (brief) version info included by the customer is

   System:        Sun Solaris 10 
   KrbLib:        MIT Kerberos5 1.8.3 


The problem seems to be in the serializer, trying to serialize
non-existent auth_data (NULL pointer), which the authdata code
seems not prepared to deal with.

(To me "auth_data" sounds like the PAC that Active Directory
 stuffs into tickets.  I assume that PAC data only exists on
 the acceptor ends of security contexts (as a result of
 opening a ticket and finding the PAC).

 Would an acceptor receiving a "traditional" Kerberos ticket
 from an older MIT Kerberos KDC without PAC run into the
 same problem when calling gss_export_sec_context()?)



-Martin




root at sp11in # dbx sun_64/gsstest core 

Reading gsstest 
core file header read successfully 
Reading ld.so.1 
Reading libw.so.1 
Reading libdl.so.1 
Reading libnsl.so.1 
Reading libpthread.so.1 
Reading libthread.so.1 
Reading libc.so.1 
Reading libc_psr.so.1 
Reading snckrb5.so 
Reading libgssapi_krb5.so.2.2 
Reading libkrb5.so.3.3 
Reading libk5crypto.so.3.1 
Reading libcom_err.so.3.0 
Reading libkrb5support.so.0.1 
Reading libresolv.so.2 
Reading libsocket.so.1 
detected a multithreaded program 
program terminated by signal SEGV (no mapping at the fault address) 
0xffffffff7e0a0de8: k5_ad_size+0x0060:  ldsw    [%l0 + 0x4], %l1 
Current function is sapgss_export_sec_context 
  910      return( gss_export_sec_context( min_stat, in_ctx, out_buffer ) ); 
(/opt/SUNWspro/bin/../WS6U2/bin/sparcv9/dbx) where 
current thread: t at 1 
  [1] k5_ad_size(0x1000c58e0, 0x0, 0xf, 0xffffffff7fffec60, 0xffffffff7ef00200, 0x0), at 0xffffffff7e0a0de8 
  [2] krb5_authdata_context_size(0x1000c58e0, 0x0, 0xffffffff7fffec60, 0x1000c6f80, 0x0, 0xa), at 0xffffffff7e0a3340 
  [3] krb5_size_opaque(0x1000c58e0, 0xffffffff970ea73c, 0x0, 0xffffffff7fffec60, 0x15, 0x0), at 0xffffffff7e1471cc 
  [4] kg_ctx_size(0x1000c58e0, 0x1000c7d10, 0xffffffff7fffed68, 0xffffffff7e5d7e84, 0x1000c7d10, 0x0), at 0xffffffff7e4b3440 
  [5] krb5_gss_export_sec_context(0xffffffff7ffff0ac, 0x1000b6ab0, 0xffffffff7fffee68, 0xffffffff7ebacfc4, 0x1000bd6a0, 0x0), at 0xffffffff7e47a9f4 
  [6] gss_export_sec_context(0xffffffff7ffff0ac, 0x1000c2948, 0xffffffff7ffff220, 0x1000a26a8, 0x1000bc780, 0x1000b6aa0), at 0xffffffff7e431cd4 
=>[7] sapgss_export_sec_context(min_stat = 0xffffffff7ffff0ac, in_ctx = 0x1000c2948, out_buffer = 0xffffffff7ffff220), line 910 in "snckrb5.c" 
  [8] export_sec_context(p_trclevel = 4, p_gssfp = 0x1000b42f0, p_usagetype = CTX_INITIATOR, pp_ctx = 0x1000c2948, p_export_token = 0xffffffff7ffff220, pp_maj_stat = 0xffffffff7ffff20c), line 725 in "contexts.c" 
  [9] ctx_transfer_cycle(p_trclevel = 4, p_ctx = 0x1000c28f0), line 1797 in "contexts.c" 
  [10] tstm_act_entry(p_trclevel = 4, p_test_title = 0x100095398 "", p_timing = 1, p_step = 0x100090aa0, pp_ini = 0x1000bd400, pp_acc = 0x1000bce20, pp_queue_ini = 0xffffffff7ffff4e0, pp_queue_acc = 0xffffffff7ffff4d8, pp_maj_stat = 0xffffffff7ffff4bc), line 2005 in "msg_prot.c" 
  [11] test_message_exchange(p_trclevel = 4, p_test_title = 0x100095398 "", p_timing = 1, p_job = 0x100090a00, pp_ini = 0x1000bd400, pp_acc = 0x1000bce20, pp_queue_ini = (nil), pp_queue_acc = (nil), pp_success = 0xffffffff7ffff634), line 2227 in "msg_prot.c" 
  [12] sap_try_context(p_trclevel = 4, p_flags = 310U, p_lifetime = 4294967295U, p_gssfp_ini = 0x1000b42f0, p_gssfp_acc = 0x1000b42f0, p_ini_cred_type = SNC_SIMPLE_CRED, p_acc_cred_type = SNC_GSSNAMED_CRED, p_target = 0x1000c27b0 "SAPServiceSEP/corp.ad.emb at CORP.AD.EMBXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", p_target_len = 37U, p_count = 1U), line 1688 in "contexts.c" 
  [13] context_tests(p_gssfp_ini = 0x1000b42f0, p_gssfp_acc = 0x1000b42f0), line 76 in "contexts.c" 
  [14] parent_main(p_gssfp_ini = 0x1000b42f0, p_gssfp_acc = 0x1000b42f0), line 725 in "gsstest.c" 
  [15] main(argc = 8, argv = 0xffffffff7ffffa58), line 516 in "gsstest.c" 
(/opt/SUNWspro/bin/../WS6U2/bin/sparcv9/dbx) quit 
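Added illustration (not code from the mail above or from MIT krb5): a serializer for an optional authdata element, showing the unconditional-dereference pattern the stack trace suggests next to a version that encodes "no authdata" explicitly, so an initiator context with a NULL authdata pointer can be exported and re-imported. The `ad_context` type and all function names are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical authdata context; not MIT krb5's real structure. */
typedef struct { uint32_t nelems; uint32_t elems[8]; } ad_context;

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static uint32_t get32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
/* The pattern the crash suggests: an unconditional dereference, which
 * faults when an initiator context carries no authdata (ctx == NULL). */
size_t ad_size_unchecked(const ad_context *ctx) {
    return 4 + 4 * (size_t)ctx->nelems;
}

/* Hardened sizing: a NULL context serialises as a 1-byte "absent" marker,
 * otherwise marker + 4-byte count + 4 bytes per element. */
size_t ad_size(const ad_context *ctx) {
    return ctx == NULL ? 1 : 1 + 4 + 4 * (size_t)ctx->nelems;
}

/* Writes the encoding into buf; returns bytes written, 0 if buf is too small. */
size_t ad_externalize(const ad_context *ctx, uint8_t *buf, size_t buflen) {
    size_t need = ad_size(ctx);
    if (buflen < need) return 0;
    if (ctx == NULL) { buf[0] = 0; return 1; }
    buf[0] = 1;
    put32(buf + 1, ctx->nelems);
    for (uint32_t i = 0; i < ctx->nelems; i++) put32(buf + 5 + 4 * i, ctx->elems[i]);
    return need;
}

/* Returns 1 if a context was present (decoded into *out), 0 if the
 * "absent" marker was found, -1 on a truncated or malformed buffer. */
int ad_internalize(const uint8_t *buf, size_t len, ad_context *out) {
    if (len < 1) return -1;
    if (buf[0] == 0) return 0;
    if (buf[0] != 1 || len < 5) return -1;
    uint32_t n = get32(buf + 1);
    if (n > 8 || len < 5 + 4 * (size_t)n) return -1;
    out->nelems = n;
    for (uint32_t i = 0; i < n; i++) out->elems[i] = get32(buf + 5 + 4 * i);
    return 1;
}
```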