#2803 Memory leak / possible DoS with krb auth.
Closed: Fixed None Opened 3 years ago by alphacc.

We believe there is a memory leak in the sssd_pac_plugin
(sssd_pac_plugin.so library) distributed with the sssd_client package.
This has been found on a machine running the following versions of
kerberos and sssd :

  krb5-workstation-1.10.3-33.el6.x86_64
  krb5-libs-1.10.3-33.el6.i686
  krb5-libs-1.10.3-33.el6.x86_64
  sssd-client-1.12.4-47.el6.x86_64

The issue was revealed in one of our daemons using kerberos 5
authentication and leaking gigabytes of memory after several days
(1GB/day on average for 10 authentications per second). Putting it in
valgrind, we found the following :

==27734== 1,344 (+1,344) (32 (+32) direct, 1,312 (+1,312) indirect) bytes in 1 (+1) blocks are definitely lost in loss record 484 of 540
==27734==    at 0x4A06A2E: malloc (vg_replace_malloc.c:270)
==27734==    by 0x50D96C2: krb5_pac_init (pac.c:231)
==27734==    by 0x50D9D2D: krb5_pac_parse (pac.c:332)
==27734==    by 0x19C70CA6: sssdpac_verify (sssd_pac.c:144)
==27734==    by 0x50C1E52: krb5int_authdata_verify (authdata.c:617)
==27734==    by 0x50E19CF: rd_req_decoded_opt (rd_req_dec.c:437)
==27734==    by 0x50E1A59: krb5_rd_req_decoded (rd_req_dec.c:599)
==27734==    by 0x50E0A88: krb5_rd_req (rd_req.c:87)
==27734==    by 0x4E49770: kg_accept_krb5 (accept_sec_context.c:643)
==27734==    by 0x4E4B0A9: krb5_gss_accept_sec_context_ext (accept_sec_context.c:1338)
==27734==    by 0x4E4B208: krb5_gss_accept_sec_context (accept_sec_context.c:1367)
==27734==    by 0x4E3AC22: gss_accept_sec_context (g_accept_sec_context.c:203)
==27734==    by 0x19A6C728: Csec_server_establish_context_ext_KRB5 (Csec_plugin_GSS.c:482)
==27734==    by 0x834EBC2: Csec_server_establish_context_ext_caller (Csec_plugin.h:129)
==27734==    by 0x835416A: Csec_server_establish_context_ext (Csec_api.c:277)
==27734==    by 0x8353FE4: Csec_server_establishContext (Csec_api.c:218)
==27734==    by 0x406407: doit (Cns_main.c:747)
==27734==    by 0x8129420: _Cpool_starter (Cpool.c:377)
==27734==    by 0x8124914: _Cthread_start_pthread (Cthread.c:209)
==27734==    by 0x30CCA07A50: start_thread (pthread_create.c:301)
==27734==    by 0x30CC6E89AC: clone (clone.S:115)

The study of the corresponding code clearly shows a genuine bug introduced in sssd_client via commit 92af6f2 in May 2013.
Here are the details :
- in krb5int_authdata_verify (authdata.c:617), so krb5 code, the plugin is called :

   code = (*module->ftable->verify)(kcontext,
                                    context,
                                    module->plugin_context,
                                    *(module->request_context_pp),
                                    auth_context,
                                    key,
                                    ap_req);

- this calls sssdpac_verify (sssd_pac.c:144) and the code looks like this (I've dropped irrelevant lines and commented) :

     krb5_pac pac;   // krb5_pac is actually a pointer type
     ...
     kerr = krb5_pac_parse(kcontext, sssdctx->data.data,    // allocation of the pac pointer from input data
                           sssdctx->data.length, &pac);
     ...
     kerr = krb5_pac_verify(kcontext, pac,                  // verification of the pac content
                            req->ticket->enc_part2->times.authtime,
                            req->ticket->enc_part2->client, key, NULL);
     ...           // no reference to pac
     return 0;     // memory leak!

- I did check the code of parse and verify, and they are doing what you expect, so no hidden ref count or anything special.

So according to all this, the patch to the leak is the following :

diff --git a/src/sss_client/sssd_pac.c b/src/sss_client/sssd_pac.c
index 1939f61..1d1fe8a 100644
--- a/src/sss_client/sssd_pac.c
+++ b/src/sss_client/sssd_pac.c
@@ -150,6 +150,10 @@ static krb5_error_code sssdpac_verify(krb5_context kcontext,
     kerr = krb5_pac_verify(kcontext, pac,
                            req->ticket->enc_part2->times.authtime,
                            req->ticket->enc_part2->client, key, NULL);
+    // deallocate pac - fixes memory leak reported in bug ...
+    krb5_pac_free(kcontext, pac);
+    pac = NULL;
+    // check result of the verification
     if (kerr != 0) {
         /* The krb5 documentation says:
          * A checksum mismatch can occur if the PAC was copied from a

Could you confirm that it is the case ?

We reproduced the bug on RHEL6 version and reported it to Red Hat support, but latest upstream git seems affected so I decided to create this bug report.


Fields changed

owner: somebody => sbose
status: new => assigned

Thank you for the patch I verified that it fixes the memleak with valgrind. I'll send the patch to sssd-devel for completeness to make others aware of it.

master: b4c44eb

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13.1
patch: 0 => 1
resolution: => fixed
status: assigned => closed

Fields changed

rhbz: => todo

Metadata Update from @alphacc:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.13.1

2 years ago

Login to comment on this ticket.

Metadata