Bug 673066 - www-apache/mod_auth_kerb-5.4-r2: Segmentation fault / Use after free in authenticate_user_krb5pwd()
Summary: www-apache/mod_auth_kerb-5.4-r2: Segmentation fault / Use after free in authe...
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks:
 
Reported: 2018-12-13 10:01 UTC by Johan Ymerson
Modified: 2021-03-02 17:46 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Patch for use after free in authenticate_user_krb5pwd() (mod_auth_kerb-krb5_kt_close.patch, 702 bytes, patch)
2018-12-13 10:01 UTC, Johan Ymerson

Description Johan Ymerson 2018-12-13 10:01:05 UTC
Created attachment 557710
Patch for use after free in authenticate_user_krb5pwd()

In verify_krb5_user() krb5_kt_close() is called under certain conditions, but krb5_kt_close() is also called from the top level function authenticate_user_krb5pwd() after calling verify_krb5_user().
This leads to a use after free, since krb5_kt_close() frees up memory pointed to in the keytab struct and the next call to krb5_kt_close() will dereference pointers in that (now freed) memory.
This triggers a segmentation fault with recent versions of MIT Kerberos.

Patch to fix this attached.
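The double-close pattern the report describes, as an added illustration that is not part of the bug report, of the attached patch, or of mod_auth_kerb: a constructed mock keytab handle stands in for the krb5_keytab, `verify_user()` and `authenticate_user()` are hypothetical stand-ins for verify_krb5_user() and authenticate_user_krb5pwd(), and the hardened version routes every close through a helper that takes the address of the handle and nulls it, so the caller's second close becomes a no-op on the path where the callee already closed. The vulnerable shape is kept beside it for comparison only and is never executed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the library keytab handle: a heap object whose
 * close routine frees it and, like krb5_kt_close(), first reads pointers
 * stored inside it. Not MIT Kerberos code. */
typedef struct mock_keytab {
    char *name;
} *mock_keytab_t;

static int g_close_calls;   /* how many times the close routine ran */

static mock_keytab_t mock_kt_resolve(const char *name) {
    mock_keytab_t kt = malloc(sizeof *kt);
    if (kt == NULL)
        abort();
    size_t len = strlen(name) + 1;
    kt->name = malloc(len);
    if (kt->name == NULL)
        abort();
    memcpy(kt->name, name, len);
    return kt;
}

static void mock_kt_close(mock_keytab_t kt) {
    g_close_calls++;
    free(kt->name);   /* dereferences kt: a use after free if kt was already closed */
    free(kt);
}

/* Vulnerable shape from the report (intentionally never called here):
 * the callee closes the handle on one path, and the caller closes it
 * again unconditionally afterwards. */
int vulnerable_authenticate(int early_exit) {
    mock_keytab_t kt = mock_kt_resolve("FILE:/etc/krb5.keytab");
    int ret = 0;
    if (early_exit) {
        mock_kt_close(kt);   /* callee's close */
        ret = -1;
    }
    mock_kt_close(kt);       /* caller's close: reads freed memory when early_exit */
    return ret;
}

/* Hardened pattern: every close goes through a helper that owns the slot.
 * After the first close the slot is NULL, so any later close is a no-op. */
static void kt_close_once(mock_keytab_t *slot) {
    if (*slot != NULL) {
        mock_kt_close(*slot);
        *slot = NULL;
    }
}

/* Hypothetical stand-in for verify_krb5_user(): on its early-exit path it
 * closes the keytab itself, exactly the situation the report describes. */
static int verify_user(mock_keytab_t *kt, int early_exit) {
    if (early_exit) {
        kt_close_once(kt);
        return -1;
    }
    return 0;
}

/* Hypothetical stand-in for authenticate_user_krb5pwd(): always closes
 * after the call. Because both sides share the same slot, the second
 * close is skipped instead of touching freed memory. */
static int authenticate_user(int early_exit) {
    mock_keytab_t kt = mock_kt_resolve("FILE:/etc/krb5.keytab");
    int ret = verify_user(&kt, early_exit);
    kt_close_once(&kt);
    return ret;
}

/* Invariant the fix needs: exactly one real close per authentication,
 * whichever path verify_user() took. */
static int close_calls_for(int early_exit) {
    g_close_calls = 0;
    authenticate_user(early_exit);
    return g_close_calls;
}

int main(void) {
    printf("early-exit path: %d close(s)\n", close_calls_for(1));
    printf("normal path:     %d close(s)\n", close_calls_for(0));
    return 0;
}
```

Running the block under AddressSanitizer or valgrind with `vulnerable_authenticate(1)` added to main shows the heap-use-after-free the reporter hit; the hardened functions produce exactly one close on both paths. The same idea applies to any handle whose close routine frees it: either give one function sole responsibility for closing, or close through a slot-nulling helper as above.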
Comment 1 Joakim Tjernlund 2018-12-14 08:14:45 UTC
Michal, I see you are maintaining the Gentoo patch queue, perhaps you can add this one too?
Comment 2 Joakim Tjernlund 2019-01-24 16:02:32 UTC
ping?
Comment 3 Joakim Tjernlund 2020-04-09 20:17:00 UTC
ping?
Comment 4 Joakim Tjernlund 2020-07-19 22:23:03 UTC
Now this module does not work with app-crypt/mit-krb5-1.18.2-r1:
apache2: Syntax error on line 166 of /etc/apache2/httpd.conf: Syntax error on line 13 of /etc/apache2/vhosts.d/00devsrv.conf: Cannot load modules/mod_auth_kerb.so into server: /usr/lib64/apache2/modules/mod_auth_kerb.so: undefined symbol: krb5_rc_resolve_full
 * ERROR: apache2 failed to stop

I guess it is time to switch mod_auth_gssapi
Comment 5 Joakim Tjernlund 2020-08-12 16:05:51 UTC
(In reply to Joakim Tjernlund from comment #4)
> Now this module does not work with app-crypt/mit-krb5-1.18.2-r1:
> apache2: Syntax error on line 166 of /etc/apache2/httpd.conf: Syntax error
> on line 13 of /etc/apache2/vhosts.d/00devsrv.conf: Cannot load
> modules/mod_auth_kerb.so into server:
> /usr/lib64/apache2/modules/mod_auth_kerb.so: undefined symbol:
> krb5_rc_resolve_full
>  * ERROR: apache2 failed to stop
> 
> I guess it is time to switch mod_auth_gssapi

This makes it load at least:
-- ./src/mod_auth_kerb.c.org	2020-08-10 17:36:11.563228638 +0200
+++ ./src/mod_auth_kerb.c	2020-08-10 17:53:14.641734908 +0200
@@ -2070,12 +2070,11 @@
    ret = krb5_init_context(&context);
    if (ret)
       return 0;
-
-   ret = krb5_rc_resolve_full(context, &id, "none:");
+extern krb5_error_code
+    k5_rc_resolve(krb5_context context, const char *name, krb5_rcache *rc_out);
+   ret = k5_rc_resolve(context, "none:", &id);
    found = (ret == 0);
 
-   if (ret == 0)
-      krb5_rc_destroy(context, id);
    krb5_free_context(context);
 
    return found;
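Review bot: The replacement resolves the replay cache but never releases it: `krb5_rc_destroy(context, id)` is dropped together with `krb5_rc_resolve_full()` and nothing takes its place, so on the success path `id` is leaked on every have_rcache_type() call. The prototype for `k5_rc_resolve()` is also declared by hand with a block-scope `extern` in the middle of the function body; the `k5_` prefix marks an MIT Kerberos internal symbol with no stable ABI, so at minimum the declaration belongs at file scope and the use should be gated by a configure-time check for the symbol rather than hard-wired. Minor: the old-file header reads `-- ./src/mod_auth_kerb.c.org` instead of `--- ./src/mod_auth_kerb.c.org`, so `patch` will not accept this as-is.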
Comment 6 Joakim Tjernlund 2021-03-02 17:46:08 UTC
This became in the end:

--- ./src/mod_auth_kerb.c.org	2020-08-13 17:30:15.901691505 +0200
+++ ./src/mod_auth_kerb.c	2020-08-13 17:35:00.069621299 +0200
@@ -2062,6 +2062,11 @@
 static int
 have_rcache_type(const char *type)
 {
+  /* rcache "none" is always present in modern mit-krb5
+   * but krb5_rc_resolve_full() has been removed in 1.18.x
+   * so hardcode to true */
+   return 1;
+#if 0
    krb5_error_code ret;
    krb5_context context;
    krb5_rcache id = NULL;
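Review bot: The unconditional `return 1;` makes have_rcache_type() ignore its `type` argument, so it now reports every replay cache type as present, not only "none"; if the only call site passes "none" that is harmless, but the comment should say so, or the early return should be `if (strcmp(type, "none") == 0) return 1;` so any other caller still fails closed. Style: the added comment is indented with two spaces while the surrounding code uses three.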
@@ -2079,6 +2084,7 @@
    krb5_free_context(context);
 
    return found;
+#endif
 }
 
 /***************************************************************************
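Review bot: This `#endif` closes the `#if 0` opened in the previous hunk, which keeps the entire former body of have_rcache_type() in the file as dead code. For a patch carried downstream it is cleaner to delete the body outright (the old implementation remains in history) or to key the block on the real condition, whether the installed libkrb5 headers still declare `krb5_rc_resolve_full()`, instead of `#if 0`.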