#6030 Heap corruption in ipapwd plugin
Closed: Fixed None Opened 7 years ago by oakham.

Hi,

The Directory Service crashes several times a day. It's installed on a CentOS 7 VM:

    Installed Packages
    Name : ipa-server
    Arch : x86_64
    Version : 4.2.0

    ipactl status
    Directory Service: STOPPED
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    ipa_memcached Service: RUNNING
    httpd Service: RUNNING
    pki-tomcatd Service: RUNNING
    ipa-otpd Service: RUNNING
    ipa: INFO: The ipactl command was successful

Before each crash, I have these messages in /var/log/dirsrv/slapd-XXXXX/errors:

    [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file encoding.c, line 171]: generating kerberos keys failed [Invalid argument]
    [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file encoding.c, line 225]: key encryption/encoding failed

There is a bug in the ipapwd plugin which causes the Directory Service to crash when some users try to bind.

Please take a look at the attached core file.

Best regards


Is your server configured in migration mode?
Is there any chance to capture a core dump or make sure at least all debugging packages are installed and a complete backtrace can be provided?

Note that the attached file is not a core file, it is just the text output of gdb printing a backtrace, however you seem to have the wrong debug files (or missing debug files) so most of the useful debug information is missing.

If you get a good backtrace please carefully check that no critical info is exposed in the data (passwords or keys) and then attach it here.

According to the log, ipapwd_encrypt_encode_key failed during an operation, but ipapwd_encrypt_encode_key returned (before ipapwd_keyset_free) and the operation failed with LDAP_OPERATION_ERROR. There is no clue whether the operation that triggered those logs was a bind/add/mod.

Also, ipapwd_encrypt_encode_key reports EINVAL, which could occur if principal->realm.data==NULL:

    [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file encoding.c, line 171]: generating kerberos keys failed [Invalid argument]
    [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file encoding.c, line 225]: key encryption/encoding failed

Then there was a BIND that updated some kerberos keys. ipa_krb5_generate_key_data was successful but likely keys were referring to invalid pointers. So it is looking like the crashing BIND was victim of a heap corruption but did not trigger it.

If ipa_krb5_generate_key_data fails, the values of kset->num_keys and kset->keys are not initialized and there is a possibility that ipapwd_keyset_free will free random pointers.

If we manage to reproduce the crash, it would be worth testing the attached patch.
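The failure mode described in the comment above, shown as an added example that is not FreeIPA's code: a keyset is zero-initialised before the call that can fail, so the unconditional cleanup afterwards never walks undefined num_keys/keys. The struct layout and fake_generate_key_data are constructed stand-ins for this illustration, not the ipapwd or ipa_krb5_generate_key_data APIs.

```c
#include <assert.h>
#include <stdlib.h>

/* Constructed keyset shape for illustration, not the FreeIPA ipapwd struct. */
struct key_blob { unsigned char *data; size_t len; };
struct keyset { int num_keys; struct key_blob *keys; };

/* Stand-in for ipa_krb5_generate_key_data (hypothetical, not the real API).
 * It fails when realm is NULL, the EINVAL condition suspected in the ticket,
 * and on failure writes nothing into *kset, like a callee that bails out
 * before touching its output parameters. */
static int fake_generate_key_data(const char *realm, struct keyset *kset)
{
    if (realm == NULL) return -1;
    kset->num_keys = 2;
    kset->keys = calloc(2, sizeof(*kset->keys));
    for (int i = 0; i < kset->num_keys; i++) {
        kset->keys[i].len = 16;
        kset->keys[i].data = calloc(kset->keys[i].len, 1);
    }
    return 0;
}

/* Releases a keyset and returns how many key buffers were freed.  A zeroed
 * keyset (num_keys == 0, keys == NULL) is a no-op, so the same cleanup can
 * run unconditionally on success and error paths. */
static int keyset_free(struct keyset *kset)
{
    int released = 0;
    if (kset->keys != NULL) {
        for (int i = 0; i < kset->num_keys; i++, released++)
            free(kset->keys[i].data);
        free(kset->keys);
    }
    kset->num_keys = 0;
    kset->keys = NULL;
    return released;
}

/* Hardened shape of the ipapwd_encrypt_encode_key flow: the keyset is fully
 * defined before the call that can fail, so the cleanup afterwards never sees
 * uninitialised num_keys/keys.  The ticket's bug is this same flow with a
 * bare `struct keyset kset;` when generation fails. */
static int encrypt_encode_key(const char *realm, int *released)
{
    struct keyset kset = { 0 };
    int ret = fake_generate_key_data(realm, &kset);
    *released = keyset_free(&kset);
    return ret;
}
```

Under valgrind or ASan the same flow with an uninitialised `struct keyset kset;` on the NULL-realm path reports an invalid free, which is the detection signal to look for when triaging a crash like this one.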

master:

  • b04f617 Heap corruption in ipapwd plugin

Metadata Update from @oakham:
- Issue assigned to tbordaz
- Issue set to the milestone: FreeIPA 4.4.1

7 years ago
