Bug 14327 - pam_winbind segfault when dereferencing freed error struct in _pam_delete_cred
Summary: pam_winbind segfault when dereferencing freed error struct in _pam_delete_cred
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.12.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-27 09:21 UTC by Guenther Deschner
Modified: 2020-04-03 10:58 UTC

See Also:


Attachments
patch from master for v4.12 and v4.11 (1.46 KB, patch)
2020-03-30 14:06 UTC, Guenther Deschner
ab: review+
gd: ci-passed+

Description Guenther Deschner 2020-03-27 09:21:08 UTC
Comment 1 Alexander Bokovoy 2020-03-27 09:37:32 UTC
An automated test encountered a crash in a situation where a user's credentials cache had incorrect permissions.

Mar 01 10:33:34 sweetpig-12.ad.baseos.qe sshd[75384]: Received disconnect from ::1 port 56666:11: disconnected by user
Mar 01 10:33:34 sweetpig-12.ad.baseos.qe sshd[75384]: Disconnected from user Amy ::1 port 56666
Mar 01 10:33:34 sweetpig-12.ad.baseos.qe sshd[75377]: pam_unix(sshd:session): session closed for user amy
Mar 01 10:33:34 sweetpig-12.ad.baseos.qe winbindd[75109]: [2020/03/01 10:33:34.892027,  0] ../../source3/winbindd/winbindd_cred_cache.c:742(remove_ccache)
Mar 01 10:33:34 sweetpig-12.ad.baseos.qe winbindd[75109]:   remove_ccache: failed to destroy user krb5 ccache FILE:/tmp/krb5cc_2001104 with: Credentials cache permissions incorrect
Mar 01 10:33:34 sweetpig-12.ad.baseos.qe winbindd[75109]: [2020/03/01 10:33:34.892186,  0] ../../source3/winbindd/winbindd_pam.c:2988(winbindd_dual_pam_logoff)
Mar 01 10:33:34 sweetpig-12.ad.baseos.qe winbindd[75109]:   winbindd_pam_logoff: failed to remove ccache: NT_STATUS_UNSUCCESSFUL
Mar 01 10:33:34 sweetpig-12.ad.baseos.qe sshd[75377]: pam_winbind(sshd:setcred): request wbcLogoffUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_UNSUCCESSFUL, Error message was: {Operation Failed} The requested operat
Mar 01 10:33:34 sweetpig-12.ad.baseos.qe sshd[75377]: pam_winbind(sshd:setcred): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'amy')
Mar 01 10:33:34 sweetpig-12.ad.baseos.qe sshd[75377]: pam_winbind(sshd:setcred): failed to logoff user amy: WBC_ERR_AUTH_ERROR
Mar 01 10:33:34 sweetpig-12.ad.baseos.qe kernel: traps: sshd[75377] general protection fault ip:7f82f6986687 sp:7fffa0d9aed8 error:0 in libc-2.28.so[7f82f6829000+1b9000]

It looks like the failure happened in _pam_delete_cred() while processing the error
....

                wbc_status = wbcCtxLogoffUserEx(ctx->wbc_ctx, &logoff, &error);
                retval = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
                                                     user, "wbcLogoffUser");
                wbcFreeMemory(error);
                wbcFreeMemory(logoff.blobs);
                logoff.blobs = NULL;

                if (!WBC_ERROR_IS_OK(wbc_status)) {
                        _pam_log(ctx, LOG_INFO,
                                 "failed to logoff user %s: %s\n",
                                         user, wbcErrorString(wbc_status));
                }
        }

out:
        if (logoff.blobs) {
                wbcFreeMemory(logoff.blobs);
        }

        if (!WBC_ERROR_IS_OK(wbc_status)) {
                retval = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
                     user, "wbcLogoffUser");
        }

_pam_log() showed the last error line before the crash, and since the stack trace shows wbc_auth_error_to_pam_error(), this is the last call that failed, after the 'out' label. 'error' was already freed before, but the pointer wasn't cleared, so in wbc_auth_error_to_pam_error() we try to access an error structure that is already freed, which may lead to garbage content.
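Added illustration, not the attached patch and not Samba's code: a small C model of the control flow described above (convert the error, free it, then convert again after the out: label). A tracked free records the freed address so the dangling read is reported as UAF_DETECTED instead of faulting; fake_logoff, error_to_pam, delete_cred and the constants are stand-ins, and clearing the owner pointer after the free is one possible fix shown for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical stand-ins for libwbclient/PAM values; not Samba's own headers. */
#define WBC_ERR_SUCCESS     0
#define WBC_ERR_AUTH_ERROR 10
#define PAM_SUCCESS         0
#define PAM_SYSTEM_ERR      4
#define UAF_DETECTED       -1   /* reported by the converter instead of a crash */
struct auth_error_info { int pam_error; };
/* Address of the most recently freed error struct: a toy quarantine record so the
 * buggy path is observable deterministically rather than as a general protection fault. */
static uintptr_t last_freed;

static void tracked_free(struct auth_error_info *p)
{
    last_freed = (uintptr_t)p;
    free(p);
}

/* Simulated wbcCtxLogoffUserEx(): the logoff fails (as with the ccache permission
 * error in the log) and hands the caller an error struct that the caller owns. */
static int fake_logoff(struct auth_error_info **error)
{
    *error = calloc(1, sizeof(**error));
    if (*error == NULL) return WBC_ERR_AUTH_ERROR;
    (*error)->pam_error = PAM_SYSTEM_ERR;
    return WBC_ERR_AUTH_ERROR;
}

/* Converter: tolerates NULL and refuses to read a struct already passed to tracked_free(). */
static int error_to_pam(const struct auth_error_info *error, int wbc_status)
{
    if (wbc_status == WBC_ERR_SUCCESS) return PAM_SUCCESS;
    if (error == NULL) return PAM_SYSTEM_ERR;          /* no detail: use the status */
    if ((uintptr_t)error == last_freed) return UAF_DETECTED;
    return error->pam_error != 0 ? error->pam_error : PAM_SYSTEM_ERR;
}

/* Same shape as _pam_delete_cred(): convert, free, then convert again after the
 * out: label. clear_pointer selects the buggy (false) or the fixed (true) variant. */
static int delete_cred(bool clear_pointer)
{
    struct auth_error_info *error = NULL;
    int wbc_status = fake_logoff(&error);
    int retval = error_to_pam(error, wbc_status);
    tracked_free(error);
    if (clear_pointer) error = NULL;  /* the illustrated fix: no dangling owner pointer */
    /* out: */
    if (wbc_status != WBC_ERR_SUCCESS) retval = error_to_pam(error, wbc_status);
    return retval;
}
```

On the real module the same dangling read shows up when the sshd PAM stack is run under AddressSanitizer or Valgrind, which is the practical way to confirm the fix on a build of pam_winbind.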
Comment 2 Guenther Deschner 2020-03-30 14:06:51 UTC
Created attachment 15875 [details]
patch from master for v4.12 and v4.11
Comment 3 Alexander Bokovoy 2020-03-30 14:40:24 UTC
Comment on attachment 15875 [details]
patch from master for v4.12 and v4.11

LGTM
Comment 4 Guenther Deschner 2020-03-30 15:23:09 UTC
Karolin, please add to 4.12 and 4.11, thanks!
Comment 5 Karolin Seeger 2020-03-31 13:59:32 UTC
(In reply to Guenther Deschner from comment #4)
Pushed to autobuild-v4-{12,11}-test.
Comment 6 Karolin Seeger 2020-04-03 10:58:24 UTC
(In reply to Karolin Seeger from comment #5)
Pushed to both branches.
Closing out bug report.

Thanks!