An automated test encountered a crash in a situation where a user's credentials cache had incorrect permissions.

Mar 01 10:33:34 sweetpig-12.ad.baseos.qe sshd[75384]: Received disconnect from ::1 port 56666:11: disconnected by user
Mar 01 10:33:34 sweetpig-12.ad.baseos.qe sshd[75384]: Disconnected from user Amy ::1 port 56666
Mar 01 10:33:34 sweetpig-12.ad.baseos.qe sshd[75377]: pam_unix(sshd:session): session closed for user amy
Mar 01 10:33:34 sweetpig-12.ad.baseos.qe winbindd[75109]: [2020/03/01 10:33:34.892027, 0] ../../source3/winbindd/winbindd_cred_cache.c:742(remove_ccache)
Mar 01 10:33:34 sweetpig-12.ad.baseos.qe winbindd[75109]: remove_ccache: failed to destroy user krb5 ccache FILE:/tmp/krb5cc_2001104 with: Credentials cache permissions incorrect
Mar 01 10:33:34 sweetpig-12.ad.baseos.qe winbindd[75109]: [2020/03/01 10:33:34.892186, 0] ../../source3/winbindd/winbindd_pam.c:2988(winbindd_dual_pam_logoff)
Mar 01 10:33:34 sweetpig-12.ad.baseos.qe winbindd[75109]: winbindd_pam_logoff: failed to remove ccache: NT_STATUS_UNSUCCESSFUL
Mar 01 10:33:34 sweetpig-12.ad.baseos.qe sshd[75377]: pam_winbind(sshd:setcred): request wbcLogoffUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_UNSUCCESSFUL, Error message was: {Operation Failed} The requested operat
Mar 01 10:33:34 sweetpig-12.ad.baseos.qe sshd[75377]: pam_winbind(sshd:setcred): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'amy')
Mar 01 10:33:34 sweetpig-12.ad.baseos.qe sshd[75377]: pam_winbind(sshd:setcred): failed to logoff user amy: WBC_ERR_AUTH_ERROR
Mar 01 10:33:34 sweetpig-12.ad.baseos.qe kernel: traps: sshd[75377] general protection fault ip:7f82f6986687 sp:7fffa0d9aed8 error:0 in libc-2.28.so[7f82f6829000+1b9000]

It looks like the failure happened in _pam_delete_cred() on the way to process the error ....
		wbc_status = wbcCtxLogoffUserEx(ctx->wbc_ctx, &logoff, &error);
		retval = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
						     user, "wbcLogoffUser");
		wbcFreeMemory(error);
		wbcFreeMemory(logoff.blobs);
		logoff.blobs = NULL;

		if (!WBC_ERROR_IS_OK(wbc_status)) {
			_pam_log(ctx, LOG_INFO,
				 "failed to logoff user %s: %s\n",
				 user, wbcErrorString(wbc_status));
		}
	}

out:
	if (logoff.blobs) {
		wbcFreeMemory(logoff.blobs);
	}

	if (!WBC_ERROR_IS_OK(wbc_status)) {
		retval = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
						     user, "wbcLogoffUser");
	}

_pam_log() showed the last error line before the crash, and since the stack trace shows wbc_auth_error_to_pam_error(), this is the last call that failed, after the 'out' label. 'error' was already freed before, but the pointer wasn't cleared, so in wbc_auth_error_to_pam_error() we try to access an error structure that is already freed, which may lead to garbage content.
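Added illustration of the safe ordering for this cleanup path; it is not Samba's code and not the attached patch. The wbc status is converted to a PAM code once, on the shared cleanup path, while the error buffer is still owned; the buffer is then freed through a helper that also clears the pointer. The struct, enum values and function names (auth_error, auth_error_free, auth_error_to_pam, logoff_tail) are constructed stand-ins for the libwbclient and PAM types seen in the report.

```c
#include <stdlib.h>

/* Constructed stand-ins for the libwbclient and PAM values in the report. */
enum { WBC_ERR_SUCCESS = 0, WBC_ERR_AUTH_ERROR = 7 };
enum { PAM_SUCCESS = 0, PAM_SYSTEM_ERR = 4 };

struct auth_error {             /* hypothetical model of wbcAuthErrorInfo */
    const char *display_string;
};

/* Free the error info and clear the caller's pointer in one step, so any
 * later check of 'error' sees NULL rather than a dangling address. */
void auth_error_free(struct auth_error **err)
{
    free(*err);
    *err = NULL;
}

/* Map a wbc status plus optional error info to a PAM return value; it
 * reads 'err' only while the caller still owns it and accepts NULL. */
int auth_error_to_pam(const struct auth_error *err, int wbc_status)
{
    if (wbc_status == WBC_ERR_SUCCESS) {
        return PAM_SUCCESS;
    }
    /* A real mapper would log err->display_string here when it is set. */
    return PAM_SYSTEM_ERR;
}

/* Hardened shape of the logoff tail: a single conversion on the shared
 * cleanup path while 'error' is still valid, then a single free that also
 * nulls the pointer. 'fail' simulates wbcCtxLogoffUserEx() failing. */
int logoff_tail(int fail)
{
    struct auth_error *error = NULL;
    int wbc_status = WBC_ERR_SUCCESS;
    int retval;

    if (fail && (error = calloc(1, sizeof(*error))) != NULL) {
        error->display_string = "Credentials cache permissions incorrect";
        wbc_status = WBC_ERR_AUTH_ERROR;
    }
    /* out: convert first, then free, never the other way round */
    retval = auth_error_to_pam(error, wbc_status);
    auth_error_free(&error);
    /* Invariant the reported code lacked: nothing dangles after cleanup. */
    return error == NULL ? retval : -1;
}
```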
Created attachment 15875: patch from master for v4.12 and v4.11
Comment on attachment 15875: patch from master for v4.12 and v4.11

LGTM
Karolin, please add to 4.12 and 4.11, thanks!
(In reply to Guenther Deschner from comment #4) Pushed to autobuild-v4-{12,11}-test.
(In reply to Karolin Seeger from comment #5) Pushed to both branches. Closing out bug report. Thanks!