We believe there is a memory leak in the sssd_pac_plugin (sssd_pac_plugin.so library) distributed with the sssd_client package. This has been found on a machine running the following versions of kerberos and sssd:

    krb5-workstation-1.10.3-33.el6.x86_64
    krb5-libs-1.10.3-33.el6.i686
    krb5-libs-1.10.3-33.el6.x86_64
    sssd-client-1.12.4-47.el6.x86_64
The issue was revealed in one of our daemons using kerberos 5 authentication and leaking gigabytes of memory after several days (1GB/day on average for 10 authentications per second). Putting it in valgrind, we found the following:

    ==27734== 1,344 (+1,344) (32 (+32) direct, 1,312 (+1,312) indirect) bytes in 1 (+1) blocks are definitely lost in loss record 484 of 540
    ==27734==    at 0x4A06A2E: malloc (vg_replace_malloc.c:270)
    ==27734==    by 0x50D96C2: krb5_pac_init (pac.c:231)
    ==27734==    by 0x50D9D2D: krb5_pac_parse (pac.c:332)
    ==27734==    by 0x19C70CA6: sssdpac_verify (sssd_pac.c:144)
    ==27734==    by 0x50C1E52: krb5int_authdata_verify (authdata.c:617)
    ==27734==    by 0x50E19CF: rd_req_decoded_opt (rd_req_dec.c:437)
    ==27734==    by 0x50E1A59: krb5_rd_req_decoded (rd_req_dec.c:599)
    ==27734==    by 0x50E0A88: krb5_rd_req (rd_req.c:87)
    ==27734==    by 0x4E49770: kg_accept_krb5 (accept_sec_context.c:643)
    ==27734==    by 0x4E4B0A9: krb5_gss_accept_sec_context_ext (accept_sec_context.c:1338)
    ==27734==    by 0x4E4B208: krb5_gss_accept_sec_context (accept_sec_context.c:1367)
    ==27734==    by 0x4E3AC22: gss_accept_sec_context (g_accept_sec_context.c:203)
    ==27734==    by 0x19A6C728: Csec_server_establish_context_ext_KRB5 (Csec_plugin_GSS.c:482)
    ==27734==    by 0x834EBC2: Csec_server_establish_context_ext_caller (Csec_plugin.h:129)
    ==27734==    by 0x835416A: Csec_server_establish_context_ext (Csec_api.c:277)
    ==27734==    by 0x8353FE4: Csec_server_establishContext (Csec_api.c:218)
    ==27734==    by 0x406407: doit (Cns_main.c:747)
    ==27734==    by 0x8129420: _Cpool_starter (Cpool.c:377)
    ==27734==    by 0x8124914: _Cthread_start_pthread (Cthread.c:209)
    ==27734==    by 0x30CCA07A50: start_thread (pthread_create.c:301)
    ==27734==    by 0x30CC6E89AC: clone (clone.S:115)
The study of the corresponding code clearly shows a genuine bug introduced in sssd_client via commit 92af6f2 in May 2013. Here are the details:

- in krb5int_authdata_verify (authdata.c:617), so krb5 code, the plugin is called:

      code = (*module->ftable->verify)(kcontext, context,
                                       module->plugin_context,
                                       *(module->request_context_pp),
                                       auth_context, key, ap_req);

- this calls sssdpac_verify (sssd_pac.c:144) and the code looks like this (I've dropped irrelevant lines and commented):

      krb5_pac pac;  // krb5_pac is actually a pointer type
      ...
      kerr = krb5_pac_parse(kcontext, sssdctx->data.data,  // allocation of the pac pointer from input data
                            sssdctx->data.length, &pac);
      ...
      kerr = krb5_pac_verify(kcontext, pac,  // verification of the pac content
                             req->ticket->enc_part2->times.authtime,
                             req->ticket->enc_part2->client, key, NULL);
      ...        // no reference to pac
      return 0;  // memory leak!

- I did check the code of parse and verify, and they are doing what you expect, so no hidden ref count or anything special.
So according to all this, the patch to the leak is the following:
diff --git a/src/sss_client/sssd_pac.c b/src/sss_client/sssd_pac.c index 1939f61..1d1fe8a 100644 --- a/src/sss_client/sssd_pac.c +++ b/src/sss_client/sssd_pac.c @@ -150,6 +150,10 @@ static krb5_error_code sssdpac_verify(krb5_context kcontext, kerr = krb5_pac_verify(kcontext, pac, req->ticket->enc_part2->times.authtime, req->ticket->enc_part2->client, key, NULL); + // deallocate pac - fixes memory leak reported in bug ... + krb5_pac_free(kcontext, pac); + pac = NULL; + // check result of the verification if (kerr != 0) { /* The krb5 documentation says: * A checksum mismatch can occur if the PAC was copied from a
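Review bot: the two added comments use // while the context lines of this hunk use /* ... */ block comments, so they should follow the file's style; the first one also ends in "reported in bug ..." without a ticket reference and should either carry the ticket number or drop that clause. Calling krb5_pac_free before the "if (kerr != 0)" check is the right placement because it covers both the success and the failure return. The lines between krb5_pac_parse and krb5_pac_verify are not visible in this hunk, so it is worth confirming that no early return there can still skip the free.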
Could you confirm that it is the case?
We reproduced the bug on RHEL6 version and reported it to Red Hat support, but latest upstream git seems affected so I decided to create this bug report.
attachment 0001-Fix-memory-leak-in-sssdpac_verify.patch
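The leak pattern described in the report and the effect of the fix, as an added example that is not part of the original ticket or of the SSSD code. The toy_pac_* functions, the fixed pool of 8 handles and the 0x01 validity rule are hypothetical stand-ins for krb5_pac_parse, krb5_pac_verify and krb5_pac_free; the pool makes the leak visible as handle exhaustion rather than growing heap use.

```c
#include <string.h>
/* Hypothetical stand-ins for krb5_pac_parse/verify/free; handles come from a pool. */
#define POOL_SLOTS 8
struct toy_pac { int in_use; size_t len; unsigned char data[16]; };
static struct toy_pac pool[POOL_SLOTS];
static int toy_pac_parse(const unsigned char *buf, size_t len, struct toy_pac **out)
{
    if (len > sizeof(pool[0].data)) return -1;
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (pool[i].in_use) continue;
        pool[i].in_use = 1; pool[i].len = len;
        memcpy(pool[i].data, buf, len);
        *out = &pool[i];                 /* caller owns the handle now */
        return 0;
    }
    return -12;                          /* pool exhausted, ENOMEM-like */
}
/* Borrows the handle. Constructed rule: first byte 0x01 means "valid". */
static int toy_pac_verify(const struct toy_pac *p)
{
    return (p->len > 0 && p->data[0] == 0x01) ? 0 : -2;
}
static void toy_pac_free(struct toy_pac *p) { p->in_use = 0; }
/* Shape of the reported code: the handle is dropped on return. */
static int verify_leaky(const unsigned char *buf, size_t len)
{
    struct toy_pac *pac = NULL;
    int kerr = toy_pac_parse(buf, len, &pac);
    return kerr != 0 ? kerr : toy_pac_verify(pac);
}
/* Shape of the fix: free before acting on the result, on both paths. */
static int verify_fixed(const unsigned char *buf, size_t len)
{
    struct toy_pac *pac = NULL;
    int kerr = toy_pac_parse(buf, len, &pac);
    if (kerr != 0) return kerr;
    kerr = toy_pac_verify(pac);
    toy_pac_free(pac);
    return kerr;
}
/* Send n constructed requests (valid/invalid alternating); count refusals. */
static int refused(int (*fn)(const unsigned char *, size_t), int n)
{
    static const unsigned char good[] = {0x01, 0xAA}, bad[] = {0x00, 0xAA};
    int count = 0;
    for (int i = 0; i < n; i++) count += fn(i % 2 ? bad : good, 2) == -12;
    return count;
}
int main(void) { return refused(verify_fixed, 9) != 0 || refused(verify_leaky, 9) != 1; }
```

Once the leaky path has consumed every handle, the fixed path is refused as well, which is why a leak in one plugin degrades the whole long-running daemon.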
Fields changed
owner: somebody => sbose
status: new => assigned
Thank you for the patch. I verified that it fixes the memleak with valgrind. I'll send the patch to sssd-devel for completeness to make others aware of it.
master: b4c44eb
milestone: NEEDS_TRIAGE => SSSD 1.13.1
patch: 0 => 1
resolution: => fixed
status: assigned => closed
rhbz: => todo
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1267176 (Red Hat Enterprise Linux 7)
rhbz: todo => [https://bugzilla.redhat.com/show_bug.cgi?id=1267176 1267176]
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1272051 (Red Hat Enterprise Linux 6)
rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=1267176 1267176] => [https://bugzilla.redhat.com/show_bug.cgi?id=1267176 1267176], [https://bugzilla.redhat.com/show_bug.cgi?id=1272051 1272051]
Metadata Update from @alphacc:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.13.1
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3844
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.