Bugzilla – Bug 119383
Generic gssapi -lgssapi broken (libgssapi-0.3-2 & nfs-utils-1.0.7-13)
Last modified: 2005-10-11 10:18:47 UTC
On x86-64 architecture:

1. Can't load MIT Kerberos mechanism:

leo@linux:~/tmp/gss> gcc -g -o gss-server gss-server.c gss-misc.c -lgssapi -ldl
leo@linux:~/tmp/gss> ./gss-server -port 23232 cvs@example.com
can't open /usr/lib/libgssapi_krb5.so: /usr/lib/libgssapi_krb5.so: cannot open shared object file: No such file or directory
gss_initialize fatal error: no mechanisms loaded!

Probably invalid content (or interpretation) of library names in /etc/gssapi_mech.conf:

/usr/lib/libgssapi_krb5.so mechglue_internal_krb5_init

If I change this string to:

/usr/lib64/libgssapi_krb5.so mechglue_internal_krb5_init

the sample client & server start.

2. But it crashes:

leo@linux:~/tmp/gss> gdb ./gss-client
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "x86_64-suse-linux"...Using host libthread_db library "/lib64/tls/libthread_db.so.1".

(gdb) run -port 23232 localhost cvs@example.com Hello
Starting program: /h/home/leo/tmp/gss/gss-client -port 23232 localhost cvs@example.com Hello
Sending init_sec_context token (size=472)...continue needed...
context flag: GSS_C_MUTUAL_FLAG
context flag: GSS_C_REPLAY_FLAG
context flag: GSS_C_CONF_FLAG
context flag: GSS_C_INTEG_FLAG
"lse@CP.RU" to "cvs/www.example.com@CP.RU", lifetime 34797, flags 136, locally initiated, open
*** glibc detected *** free(): invalid pointer: 0x00002aaaab01040e ***

Program received signal SIGABRT, Aborted.
0x00002aaaaadfd3ea in raise () from /lib64/tls/libc.so.6
(gdb) bt
#0  0x00002aaaaadfd3ea in raise () from /lib64/tls/libc.so.6
#1  0x00002aaaaadfe820 in abort () from /lib64/tls/libc.so.6
#2  0x00002aaaaae3301e in __libc_message () from /lib64/tls/libc.so.6
#3  0x00002aaaaae383bc in malloc_printerr () from /lib64/tls/libc.so.6
#4  0x00002aaaaae38e4c in free () from /lib64/tls/libc.so.6
#5  0x00002aaaaabc7e73 in generic_gss_release_oid () from /usr/lib64/libgssapi.so.0
#6  0x00002aaaaabc77b6 in gss_release_name () from /usr/lib64/libgssapi.so.0
#7  0x0000000000401be4 in call_server (host=0x7fffffb2a0fd "localhost", port=23232, oid=0x0, service_name=0x7fffffb2a107 "cvs@example.com", deleg_flag=0, msg=0x7fffffb2a117 "Hello", use_file=0) at gss-client.c:367
#8  0x0000000000402326 in main (argc=3, argv=0x7fffffb29328) at gss-client.c:554
(gdb)

----------------

leo@linux:~/tmp/gss> gdb ./gss-server
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "x86_64-suse-linux"...Using host libthread_db library "/lib64/tls/libthread_db.so.1".

(gdb) run -port 23232 cvs@example.com
Starting program: /h/home/leo/tmp/gss/gss-server -port 23232 cvs@example.com
context flag: GSS_C_MUTUAL_FLAG
context flag: GSS_C_REPLAY_FLAG
context flag: GSS_C_CONF_FLAG
context flag: GSS_C_INTEG_FLAG
*** glibc detected *** free(): invalid pointer: 0x00002aaaab01040e ***

Program received signal SIGABRT, Aborted.
0x00002aaaaadfd3ea in raise () from /lib64/tls/libc.so.6
(gdb) bt
#0  0x00002aaaaadfd3ea in raise () from /lib64/tls/libc.so.6
#1  0x00002aaaaadfe820 in abort () from /lib64/tls/libc.so.6
#2  0x00002aaaaae3301e in __libc_message () from /lib64/tls/libc.so.6
#3  0x00002aaaaae383bc in malloc_printerr () from /lib64/tls/libc.so.6
#4  0x00002aaaaae38e4c in free () from /lib64/tls/libc.so.6
#5  0x00002aaaaabc7e73 in generic_gss_release_oid () from /usr/lib64/libgssapi.so.0
#6  0x00002aaaaabc77b6 in gss_release_name () from /usr/lib64/libgssapi.so.0
#7  0x00000000004018b9 in server_establish_context (s=10, server_creds=0x506640, context=0x7fffffdade68, client_name=0x7fffffdade90, ret_flags=0x7fffffdade5c) at gss-server.c:222
#8  0x0000000000401c0c in sign_server (s=10, server_creds=0x506640) at gss-server.c:365
#9  0x0000000000402173 in main (argc=1, argv=0x7fffffdae000) at gss-server.c:504
(gdb)
Summary corrected to GSSAPI.
Reassigning to olaf. Do you have the sample source code, perhaps, and can you attach it here?
Created attachment 51179 [details]
Sun samples for using GSS-API

Description of this sample: <http://docs.sun.com/app/docs/doc/816-4863>

Compile it to use libgssapi-0.3-2 & nfs-utils-1.0.7-13:

gcc -g -o gss-server gss-server.c gss-misc.c -lgssapi -ldl
gcc -g -o gss-client gss-client.c gss-misc.c -lgssapi -ldl

P.S. These samples work fine if compiled with krb5-devel-1.4.1-5, e.g.:

gcc -g -o gss-server gss-server.c gss-misc.c -lgssapi_krb5
gcc -g -o gss-client gss-client.c gss-misc.c -lgssapi_krb5
The issue was with the libgssapi code attempting to free static storage, resulting in an access violation. This code path/flow may not have been used by normal NFSv4 operations (as it didn't crash), but has been exploited by the Solaris sample code. The issue has been fixed in libgssapi-0.4 and is subsequently available in the latest libgssapi-0.5. libgssapi will be updated during the next release.
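The backtraces above end in free() being handed a pointer into static storage from generic_gss_release_oid(), called by gss_release_name(). The following is an added illustration of that bug class and its usual fix; it is not code from libgssapi, nfs-utils or the Sun samples. It models a gss_OID_desc, keeps two well-known name-type OIDs in static storage (their DER encodings are the ones RFC 2744 assigns to GSS_C_NT_HOSTBASED_SERVICE and GSS_C_NT_USER_NAME), and shows an unchecked release next to a release that recognises static OIDs by address before freeing. Every identifier here (oid_desc, oid_dup, oid_release_checked, and so on) is invented for the example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Minimal model of gss_OID_desc (RFC 2744): length plus a pointer to the
 * DER-encoded OID bytes. Hypothetical names, not the libgssapi types. */
typedef struct {
    uint32_t length;
    void *elements;
} oid_desc, *oid_t;

/* Static, process-lifetime name-type OIDs, the way a mechglue library keeps
 * its well-known OIDs. Encodings: 1.2.840.113554.1.2.1.4 (hostbased service)
 * and 1.2.840.113554.1.2.1.1 (user name). */
static unsigned char hostbased_bytes[] = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x01,0x04};
static unsigned char username_bytes[]  = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x01,0x01};
static oid_desc nt_hostbased = { sizeof hostbased_bytes, hostbased_bytes };
static oid_desc nt_username  = { sizeof username_bytes,  username_bytes  };

/* Every static OID the "library" hands out. A release routine must never
 * pass anything in this table to free(). */
static const oid_t static_oids[] = { &nt_hostbased, &nt_username };

int is_static_oid(const oid_t oid)
{
    size_t i;
    for (i = 0; i < sizeof static_oids / sizeof static_oids[0]; i++)
        if (static_oids[i] == oid)
            return 1;
    return 0;
}

/* Heap copy of an OID, as an import-name routine would make when it stores
 * the name type inside a name object. Returns NULL on allocation failure. */
oid_t oid_dup(const oid_t src)
{
    oid_t copy = malloc(sizeof *copy);
    if (copy == NULL)
        return NULL;
    copy->elements = malloc(src->length);
    if (copy->elements == NULL) {
        free(copy);
        return NULL;
    }
    memcpy(copy->elements, src->elements, src->length);
    copy->length = src->length;
    return copy;
}

/* Buggy pattern, deliberately kept: frees whatever it is given. Called with
 * a static OID it passes a non-heap address to free() and glibc aborts with
 * "free(): invalid pointer", exactly as in the report. Only safe for heap OIDs. */
void oid_release_unchecked(oid_t *oid)
{
    free((*oid)->elements);
    free(*oid);
    *oid = NULL;
}

/* Fixed pattern: drop the reference to a static OID without freeing it, and
 * free only genuine heap copies. Returns 1 if memory was freed, 0 if the OID
 * was static (pointer still cleared), -1 if there was nothing to release. */
int oid_release_checked(oid_t *oid)
{
    if (oid == NULL || *oid == NULL)
        return -1;
    if (is_static_oid(*oid)) {
        *oid = NULL;
        return 0;
    }
    free((*oid)->elements);
    free(*oid);
    *oid = NULL;
    return 1;
}

/* The flow from the report with the checked release: a name object's heap
 * copy is freed, the caller's static well-known OID is only forgotten.
 * Returns 1 when both releases behaved as intended. */
int demo_release_flow(void)
{
    oid_t heap_copy = oid_dup(&nt_hostbased);
    oid_t well_known = &nt_hostbased;
    int freed_heap, freed_static;

    if (heap_copy == NULL)
        return 0;
    freed_heap = oid_release_checked(&heap_copy);
    freed_static = oid_release_checked(&well_known);
    return freed_heap == 1 && freed_static == 0
        && heap_copy == NULL && well_known == NULL;
}

int main(void)
{
    return demo_release_flow() ? 0 : 1;
}
```

The address comparison is the important part: a release routine cannot tell heap from static storage by looking at the bytes, so it has to know which descriptors it owns. Callers share the burden, since passing a well-known OID through any path that ends in an unchecked free will abort under a hardened allocator; running such code under glibc's malloc checking (or valgrind) catches it before it reaches production, which is what the Solaris sample did for this code path.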