- Bug
- Resolution: Done-Errata
- Undefined
- rhel-8.8.0.z
- krb5-1.18.2-28.el8_10
- None
- None
- ZStream
- 4
- rhel-sst-idm-ipa
- ssg_idm
- None
- False
- No
- Red Hat Enterprise Linux
- 2024-Q2-Bravo-S1, 2024-Q2-Bravo-S2, 2024-Q2-Bravo-S4, 2024-Q2-Bravo-S6
- Approved Blocker
- Pass
- RegressionOnly
- Unspecified Release Note Type - Unknown
- None
We did a review of this code path. In my opinion it is a pure memory
leak. The flow is krb5_gss_inquire_cred() -> kg_get_defcred() ->
krb5_gss_acquire_cred() with NULL handle, for GSS_C_INITIATE and no
specific parameters -> accept_cred_context(). This means it would only
use defaults from existing ccache and maybe a default client keytab if
the default ccache was not initialized yet. As a result, it is the same
information an application already possesses access to.
Upstream krb5 1.18.4 has a minimal variant of the same fix:
----------------------------------------------------------------------------
commit b92be484630b38e26f5ee4bd67973fbd7627009c
Author: Greg Hudson <ghudson@mit.edu>
Date: Wed Jul 21 13:44:30 2021 -0400
Fix defcred leak in krb5 gss_inquire_cred()
Commit 1cd2821c19b2b95e39d5fc2f451a035585a40fa5 altered the memory
management of krb5_gss_inquire_cred(), introducing defcred to act as
an owner pointer when the function must acquire a default credential.
The commit neglected to update the code to release the default cred
along the successful path. The old code does not trigger because
cred_handle is now reassigned, so the default credential is leaked.
Reported by Pavel Březina.
(a minimal alternative to commit 593e16448e1af23eef74689afe06a7bcc86e79c7)
ticket: 9016
version_fixed: 1.18.4
diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c
index a8f254110..cd8384d08 100644
--- a/src/lib/gssapi/krb5/inq_cred.c
+++ b/src/lib/gssapi/krb5/inq_cred.c
@@ -197,9 +197,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
mechs = GSS_C_NO_OID_SET;
}
- if (cred_handle == GSS_C_NO_CREDENTIAL)
- krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
-
+ krb5_gss_release_cred(minor_status, &defcred);
krb5_free_context(context);
*minor_status = 0;
return((lifetime == 0)?GSS_S_CREDENTIALS_EXPIRED:GSS_S_COMPLETE);
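Review bot: the added `krb5_gss_release_cred(minor_status, &defcred);` runs unconditionally, so the fix relies on defcred being initialised to GSS_C_NO_CREDENTIAL whenever the caller passed its own cred_handle and on release_cred treating that value as a no-op; neither is visible in this hunk, so confirm the initialisation at the top of krb5_gss_inquire_cred() and that the error-return paths above this hunk also release defcred, otherwise the leak is closed only on the success path. Deleting the old `if (cred_handle == GSS_C_NO_CREDENTIAL)` check rather than re-keying it on defcred is right: as the commit message says, cred_handle has been reassigned by this point, so the condition was dead code. Minor: release_cred is handed minor_status, which `*minor_status = 0;` on the next line overwrites, so any minor code it reports is discarded.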
----------------------------------------------------------------------------
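As an added example (not krb5 code and not from this bug's reporter), the ownership bug behind this leak reduced to a self-contained C model: `inquire_cred_leaky` has the pre-fix shape in which the NO_CREDENTIAL check can never fire, and `inquire_cred_fixed` the owner-pointer shape of the upstream commit; `acquire_default_cred`, `release_cred` and `live_credentials` are invented stand-ins for kg_get_defcred(), krb5_gss_release_cred() and a leak checker's live-object count.

```c
/* Added example, not krb5 code: models the defcred ownership bug described in
 * the comment above, with tiny stand-ins for the GSS-API calls. */
#include <stdlib.h>
typedef struct { int unused; } gss_cred;
#define NO_CREDENTIAL ((gss_cred *)NULL)

static int live_creds;  /* stand-in for a leak checker's live-object count */
static gss_cred *acquire_default_cred(void) {  /* stand-in for kg_get_defcred() */
    gss_cred *c = malloc(sizeof *c);
    if (c != NULL) live_creds++;
    return c;
}

static void release_cred(gss_cred **h) {  /* stand-in for krb5_gss_release_cred() */
    if (*h == NO_CREDENTIAL) return;      /* releasing no credential is a no-op */
    free(*h);
    live_creds--;
    *h = NO_CREDENTIAL;
}

/* Pre-fix shape (the removed hunk lines): cred_handle itself is reassigned to
 * the default cred, so the later "did the caller pass no credential?" test can
 * never be true and the acquired default cred is leaked on every call. */
int inquire_cred_leaky(gss_cred *cred_handle) {
    if (cred_handle == NO_CREDENTIAL) {
        cred_handle = acquire_default_cred();
        if (cred_handle == NULL) return -1;
    }
    /* ... inspect cred_handle here ... */
    if (cred_handle == NO_CREDENTIAL)  /* dead condition */
        release_cred(&cred_handle);
    return 0;
}

/* Fixed shape (the added hunk line): a separate owner pointer records what this
 * function acquired and is released unconditionally; with a caller-supplied
 * credential defcred stays NO_CREDENTIAL and the release is a no-op. */
int inquire_cred_fixed(gss_cred *cred_handle) {
    gss_cred *defcred = NO_CREDENTIAL;
    if (cred_handle == NO_CREDENTIAL) {
        defcred = acquire_default_cred();
        if (defcred == NULL) return -1;
        cred_handle = defcred;
    }
    /* ... inspect cred_handle here ... */
    release_cred(&defcred);
    return 0;
}
int live_credentials(void) { return live_creds; }
```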
- links to: RHBA-2024:133291 krb5 update