About Memory Leak of kinit with pkinit Plugin

Simo Sorce simo at redhat.com
Mon Sep 22 15:15:14 EDT 2014

On Mon, 22 Sep 2014 11:56:56 -0400
Greg Hudson <ghudson at mit.edu> wrote:

> On 09/22/2014 04:17 AM, Zhou Yang wrote:
> > I'm trying to transplant kinit (for AS, the latest version
> > *1.12.2*) into a daemon program. But when I tested the stability of
> > this feature (by infinite loop), a memory leak problem was found.
> [...]
> > * 57,328 (176 direct, 57,152 indirect) bytes in 1 blocks are
> > definitely lost in loss record 568 of 568*
> I believe you are seeing heap memory which is allocated by OpenSSL
> during initialization and never cleaned up.  valgrind detects it as
> leaked because the OpenSSL library has been unloaded by the time the
> process exits.
> We cannot currently tell OpenSSL to clean up its heap memory, because
> we cannot know whether OpenSSL is being used by the application or by
> another library.
> This only becomes an unbounded memory leak if the PKINIT module (and
> therefore OpenSSL) is repeatedly loaded and unloaded as a result of
> the application's krb5 usage.  If the application uses the same
> krb5_context for all AS-REQs, or is itself linked against OpenSSL,
> there won't be an unbounded leak.
> In 1.13 (due out soon) we open plugin modules with RTLD_NODELETE where
> available, which precludes this repeated load-unload scenario and can
> also improve performance.

PAM modules are loaded and unloaded at each use; I wonder if this will
cause issues (or merely keep the leak in check) in pam_krb5 when
pkinit is configured.


Simo Sorce * Red Hat, Inc * New York
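
The load/unload behaviour discussed in this thread can be observed with a small C program. This is an added example, not code from the thread or from MIT krb5; `resident_after_unload` is a hypothetical helper, and `libm.so.6` is an assumed stand-in for the PKINIT plugin module on a glibc system.

```c
#include <dlfcn.h>
#include <stdio.h>

/* Assumption: a shared object present on glibc systems. It stands in for the
 * PKINIT plugin module, which this example does not load. */
#define STAND_IN_MODULE "libm.so.6"

/* Load and unload `path` once with the given extra dlopen flags, then report
 * whether it is still mapped: 1 = resident, 0 = unmapped, -1 = load error. */
int resident_after_unload(const char *path, int extra_flags)
{
    void *handle = dlopen(path, RTLD_NOW | RTLD_LOCAL | extra_flags);
    if (handle == NULL) {
        fprintf(stderr, "dlopen: %s\n", dlerror());
        return -1;
    }
    dlclose(handle);

    /* RTLD_NOLOAD never maps anything new; it only succeeds when the object
     * is already present in the process. */
    void *probe = dlopen(path, RTLD_NOW | RTLD_NOLOAD);
    if (probe == NULL)
        return 0;
    dlclose(probe);
    return 1;
}

int main(void)
{
    /* Order matters: once an object has been opened with RTLD_NODELETE it
     * stays mapped for the rest of the process lifetime. */
    int plain  = resident_after_unload(STAND_IN_MODULE, 0);
    int pinned = resident_after_unload(STAND_IN_MODULE, RTLD_NODELETE);
    int later  = resident_after_unload(STAND_IN_MODULE, 0);

    /* plain is 0 unless something else in the process already holds the
     * library, in which case it is 1. */
    printf("plain open/close:          resident=%d\n", plain);
    printf("RTLD_NODELETE open/close:  resident=%d\n", pinned);
    printf("plain open/close, later:   resident=%d\n", later);
    return pinned == 1 ? 0 : 1;
}
```

On glibc older than 2.34, link with `-ldl`. A process that already depends on the stand-in library reports it as resident in the first case too, which corresponds to the "itself linked against OpenSSL" situation described above.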
