Bug 119383

Summary: Generic gssapi -lgssapi broken (libgssapi-0.3-2 & nfs-utils-1.0.7-13)
Product: [openSUSE] SUSE LINUX 10.0
Reporter: Serguei Leontiev <lse>
Component: Security
Assignee: Forgotten User b5BnQSUi71 <forgotten_b5BnQSUi71>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P5 - None
CC: forgotten_b5BnQSUi71, leo, security-team
Version: RC 1
Keywords: security
Target Milestone: ---
Hardware: x86-64
OS: SUSE Other
Whiteboard:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: Sun samples for use GSS-API

Description Serguei Leontiev 2005-09-29 00:34:37 UTC
On x86-64 architecture:

1. can't load MIT kerberos mechanism

leo@linux:~/tmp/gss> gcc -g -o gss-server gss-server.c gss-misc.c -lgssapi -ldl
leo@linux:~/tmp/gss> ./gss-server -port 23232 cvs@example.com
can't open /usr/lib/libgssapi_krb5.so: /usr/lib/libgssapi_krb5.so: cannot open
shared object file: No such file or directory
gss_initialize fatal error: no mechanisms loaded!

Probably invalid content (or interpretation) of library names in
/etc/gssapi_mech.conf:

/usr/lib/libgssapi_krb5.so     mechglue_internal_krb5_init

If this line is changed to:
/usr/lib64/libgssapi_krb5.so     mechglue_internal_krb5_init

the sample client and server start.

2. But it crashes:
leo@linux:~/tmp/gss> gdb ./gss-client
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-suse-linux"...Using host libthread_db library
"/lib64/tls/libthread_db.so.1".

(gdb) run -port 23232 localhost cvs@example.com Hello
Starting program: /h/home/leo/tmp/gss/gss-client -port 23232 localhost
cvs@example.com Hello
Sending init_sec_context token (size=472)...continue needed...

context flag: GSS_C_MUTUAL_FLAG
context flag: GSS_C_REPLAY_FLAG
context flag: GSS_C_CONF_FLAG
context flag: GSS_C_INTEG_FLAG
"lse@CP.RU" to "cvs/www.example.com@CP.RU", lifetime 34797, flags 136, locally
initiated, open
*** glibc detected *** free(): invalid pointer: 0x00002aaaab01040e ***

Program received signal SIGABRT, Aborted.
0x00002aaaaadfd3ea in raise () from /lib64/tls/libc.so.6
(gdb) bt
#0  0x00002aaaaadfd3ea in raise () from /lib64/tls/libc.so.6
#1  0x00002aaaaadfe820 in abort () from /lib64/tls/libc.so.6
#2  0x00002aaaaae3301e in __libc_message () from /lib64/tls/libc.so.6
#3  0x00002aaaaae383bc in malloc_printerr () from /lib64/tls/libc.so.6
#4  0x00002aaaaae38e4c in free () from /lib64/tls/libc.so.6
#5  0x00002aaaaabc7e73 in generic_gss_release_oid ()
   from /usr/lib64/libgssapi.so.0
#6  0x00002aaaaabc77b6 in gss_release_name () from /usr/lib64/libgssapi.so.0
#7  0x0000000000401be4 in call_server (host=0x7fffffb2a0fd "localhost",
    port=23232, oid=0x0, service_name=0x7fffffb2a107 "cvs@example.com",
    deleg_flag=0, msg=0x7fffffb2a117 "Hello", use_file=0) at gss-client.c:367
#8  0x0000000000402326 in main (argc=3, argv=0x7fffffb29328)
    at gss-client.c:554
(gdb)

----------------
leo@linux:~/tmp/gss> gdb ./gss-server
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-suse-linux"...Using host libthread_db library
"/lib64/tls/libthread_db.so.1".

(gdb) run -port 23232 cvs@example.com
Starting program: /h/home/leo/tmp/gss/gss-server -port 23232 cvs@example.com
context flag: GSS_C_MUTUAL_FLAG
context flag: GSS_C_REPLAY_FLAG
context flag: GSS_C_CONF_FLAG
context flag: GSS_C_INTEG_FLAG
*** glibc detected *** free(): invalid pointer: 0x00002aaaab01040e ***

Program received signal SIGABRT, Aborted.
0x00002aaaaadfd3ea in raise () from /lib64/tls/libc.so.6
(gdb) bt
#0  0x00002aaaaadfd3ea in raise () from /lib64/tls/libc.so.6
#1  0x00002aaaaadfe820 in abort () from /lib64/tls/libc.so.6
#2  0x00002aaaaae3301e in __libc_message () from /lib64/tls/libc.so.6
#3  0x00002aaaaae383bc in malloc_printerr () from /lib64/tls/libc.so.6
#4  0x00002aaaaae38e4c in free () from /lib64/tls/libc.so.6
#5  0x00002aaaaabc7e73 in generic_gss_release_oid ()
   from /usr/lib64/libgssapi.so.0
#6  0x00002aaaaabc77b6 in gss_release_name () from /usr/lib64/libgssapi.so.0
#7  0x00000000004018b9 in server_establish_context (s=10,
    server_creds=0x506640, context=0x7fffffdade68, client_name=0x7fffffdade90,
    ret_flags=0x7fffffdade5c) at gss-server.c:222
#8  0x0000000000401c0c in sign_server (s=10, server_creds=0x506640)
    at gss-server.c:365
#9  0x0000000000402173 in main (argc=1, argv=0x7fffffdae000)
    at gss-server.c:504
(gdb)
Comment 1 Serguei Leontiev 2005-09-29 00:44:29 UTC
Summary corrected to GSSAPI.
Comment 2 Marcus Meissner 2005-09-29 08:57:22 UTC
Reassigning to olaf.

Do you have the sample source code perhaps, and can you attach it here?
Comment 3 Serguei Leontiev 2005-09-29 20:21:53 UTC
Created attachment 51179
Sun samples for use GSS-API

Description of what this sample shows: <http://docs.sun.com/app/docs/doc/816-4863>

Compile it to use libgssapi-0.3-2 & nfs-utils-1.0.7-13:

gcc -g -o gss-server gss-server.c gss-misc.c -lgssapi -ldl
gcc -g -o gss-client gss-client.c gss-misc.c -lgssapi -ldl

P.S.
These samples work fine if compiled with krb5-devel-1.4.1-5, e.g.:

gcc -g -o gss-server gss-server.c gss-misc.c -lgssapi_krb5
gcc -g -o gss-client gss-client.c gss-misc.c -lgssapi_krb5
Comment 4 Forgotten User b5BnQSUi71 2005-10-11 10:18:47 UTC
The issue was with the libgssapi code attempting to free the static storage,
resulting in an access violation. This code path/flow may not have been used by
normal NFSv4 operations (as it didn't crash), but has been exploited by the
Solaris sample code.

The issue has been fixed in libgssapi-0.4 and subsequently is available in the
latest libgssapi-0.5. libgssapi will be updated during the next release.
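Comment 4 attributes the "free(): invalid pointer" abort to a release routine handing static storage to free(). The block below is an added illustration of the guard such a routine needs; it is not code from libgssapi, nfs-utils, or the Sun samples. The oid_desc type stands in for gss_OID_desc so the block compiles without a GSS-API installation, and the static_oids table and the function names (is_static_oid, dup_oid, oid_equal, release_oid) are assumptions made for this example. The OID bytes are the DER element encoding of the Kerberos v5 mechanism OID 1.2.840.113554.1.2.2, constructed here as sample data.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for gss_OID_desc / gss_OID from <gssapi/gssapi.h>,
 * kept here so the block builds without a GSS-API installation. */
typedef struct {
    size_t length;
    void *elements;
} oid_desc, *oid;

/* Constructed sample: the Kerberos v5 mechanism OID 1.2.840.113554.1.2.2,
 * DER-encoded, placed in static storage the way a mechglue table keeps it. */
static unsigned char krb5_oid_bytes[] =
    { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };
static oid_desc krb5_mech_oid = { sizeof krb5_oid_bytes, krb5_oid_bytes };

/* Registry of OIDs that live in static storage and must never reach free(). */
static const oid static_oids[] = { &krb5_mech_oid };

/* Pointer identity, not content, decides: a heap copy with identical bytes
 * is still heap memory and must be released by its owner. */
int is_static_oid(const oid_desc *o)
{
    size_t i;
    for (i = 0; i < sizeof static_oids / sizeof static_oids[0]; i++)
        if (static_oids[i] == o)
            return 1;
    return 0;
}

/* Heap duplicate of an OID, as an import routine would hand back to a caller. */
oid dup_oid(const oid_desc *src)
{
    oid copy = malloc(sizeof *copy);
    if (copy == NULL)
        return NULL;
    copy->elements = malloc(src->length);
    if (copy->elements == NULL) {
        free(copy);
        return NULL;
    }
    memcpy(copy->elements, src->elements, src->length);
    copy->length = src->length;
    return copy;
}

/* Byte-wise OID comparison, used to show that a duplicate equals the
 * original in value even though only one of them may be freed. */
int oid_equal(const oid_desc *a, const oid_desc *b)
{
    return a->length == b->length &&
           memcmp(a->elements, b->elements, a->length) == 0;
}

/* Hardened release: returns 1 if heap storage was freed, 0 if the OID was
 * static (or NULL) and only the caller's pointer was cleared. Passing a
 * static OID straight to free() is the failure glibc reports above as
 * "free(): invalid pointer". */
int release_oid(oid *o)
{
    if (o == NULL || *o == NULL)
        return 0;
    if (is_static_oid(*o)) {
        *o = NULL;          /* nothing to free; just drop the reference */
        return 0;
    }
    free((*o)->elements);
    free(*o);
    *o = NULL;
    return 1;
}
```

The check is on pointer identity against a registry of static descriptors, which is the only reliable way to tell the two cases apart: the descriptor bytes do not record where they were allocated, and content equality would wrongly spare a heap copy of a well-known OID from being freed.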