About Memory Leak of kinit with pkinit Plugin

Greg Hudson ghudson at mit.edu
Mon Sep 22 11:56:56 EDT 2014


On 09/22/2014 04:17 AM, Zhou Yang wrote:
> I'm trying to transplant kinit (for AS, the latest version *1.12.2*) into
> a daemon program. But when I tested the stability of this feature (by
> infinite loop), a memory leak problem was found.
[...]
> * 57,328 (176 direct, 57,152 indirect) bytes in 1 blocks are definitely
> lost in loss record 568 of 568*

I believe you are seeing heap memory which is allocated by OpenSSL
during initialization and never cleaned up.  valgrind detects it as
leaked because the OpenSSL library has been unloaded by the time the
process exits.

We cannot currently tell OpenSSL to clean up its heap memory, because we
cannot know whether OpenSSL is being used by the application or by
another library.

This only becomes an unbounded memory leak if the PKINIT module (and
therefore OpenSSL) is repeatedly loaded and unloaded as a result of the
application's krb5 usage.  If the application uses the same krb5_context
for all AS-REQs, or is itself linked against OpenSSL, there won't be an
unbounded leak.

In 1.13 (due out soon) we open plugin modules with RTLD_NODELETE where
available, which precludes this repeated load-unload scenario and can
also improve performance.
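
The following is an added illustration, not part of the original message and not MIT krb5 code: it shows the dlopen() behaviour the reply refers to, where a library opened with RTLD_NODELETE stays mapped after dlclose(), so its one-time initialization allocations are not orphaned on every load/unload cycle. The library name `DEMO_LIB` and the helper `resident_after_cycle` are assumptions chosen for the demonstration; on older glibc, link with `-ldl`.

```c
#include <dlfcn.h>
#include <stdio.h>

/* Assumption: a shared library that exists on the system but is not yet
 * mapped into this process; it stands in for a plugin module that pulls
 * in a library with one-time heap initialization. */
#define DEMO_LIB "libm.so.6"

/* Open and close `lib` once with the given extra dlopen flags, then report
 * whether it is still mapped: 1 = resident, 0 = unloaded, -1 = cannot tell
 * (library missing, or it was already mapped before this call). */
int resident_after_cycle(const char *lib, int extra_flags)
{
    /* RTLD_NOLOAD never maps anything; it succeeds only if lib is resident. */
    void *h = dlopen(lib, RTLD_LAZY | RTLD_NOLOAD);
    if (h != NULL) {
        dlclose(h);             /* drop the reference we just took */
        return -1;              /* a cycle here would only change a refcount */
    }

    h = dlopen(lib, RTLD_NOW | RTLD_LOCAL | extra_flags);
    if (h == NULL)
        return -1;
    dlclose(h);                 /* the "unload" half of the plugin cycle */

    h = dlopen(lib, RTLD_LAZY | RTLD_NOLOAD);
    if (h == NULL)
        return 0;               /* really unmapped: the next load re-initializes */
    dlclose(h);
    return 1;                   /* still mapped: initialization state is reused */
}

int main(void)
{
    /* Plain cycle first; after an RTLD_NODELETE load the library never leaves. */
    int plain  = resident_after_cycle(DEMO_LIB, 0);
    int pinned = resident_after_cycle(DEMO_LIB, RTLD_NODELETE);

    printf("plain dlopen/dlclose:        resident=%d\n", plain);
    printf("RTLD_NODELETE, then dlclose: resident=%d\n", pinned);
    return 0;
}
```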

