Add proposed fix for a double-free in gss clients

- gssapi: pull in proposed fix for a double free in initiators (David
  Woodhouse, #1117963)
Nalin Dahyabhai 2014-07-16 15:14:38 -04:00
parent 79897b3c5d
commit 9594be4f3a
2 changed files with 56 additions and 1 deletions

View File

@ -0,0 +1,49 @@
From: David Woodhouse <David.Woodhouse@intel.com>
In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
pointer sc->internal_mech became an alias into sc->mech_set->elements[],
which should be considered constant for the duration of the SPNEGO
context.
So don't free it.
This led to the obvious crashes in the allocator, and also to strange
behaviour with Firefox failing to fall back to alternative mechanisms
when it should have done.
https://bugzilla.redhat.com/show_bug.cgi?id=1117963
==31436== Invalid free() / delete / delete[] / realloc()
==31436== at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31436== by 0x3AE900D6B9: generic_gss_release_oid_set (gssapi_alloc.h:93)
==31436== by 0x3AE903775F: release_spnego_ctx (spnego_mech.c:2895)
==31436== by 0x3AE9037830: spnego_gss_delete_sec_context (spnego_mech.c:2164)
==31436== by 0x3AE9012292: gss_delete_sec_context (g_delete_sec_context.c:90)
==31436== Address 0x4fb5510 is 0 bytes inside a block of size 80 free'd
==31436== at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31436== by 0x3AE900C88E: generic_gss_release_oid (oid_ops.c:103)
==31436== by 0x3AE903BE85: spnego_gss_init_sec_context (spnego_mech.c:792)
==31436== by 0x3AE90154CA: gss_init_sec_context (g_init_sec_context.c:210)
---
src/lib/gssapi/spnego/spnego_mech.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 173c6d2..8f829d8 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -818,7 +818,6 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
OM_uint32 tmpmin;
size_t i;
- generic_gss_release_oid(&tmpmin, &sc->internal_mech);
gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
GSS_C_NO_BUFFER);
--
1.9.3
--
David Woodhouse Open Source Technology Centre
David.Woodhouse@intel.com Intel Corporation
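Review bot: Dropping the generic_gss_release_oid() call in init_ctx_reselect matches the description (since cd7d6b08, sc->internal_mech aliases sc->mech_set->elements[], and release_spnego_ctx already frees that array through generic_gss_release_oid_set, which is the second free in the valgrind trace), but the hunk leaves nothing at the site recording that ownership, so the call is easy to reintroduce; suggest a one-line comment where the release used to be, e.g. `/* sc->internal_mech aliases sc->mech_set->elements[]; owned by mech_set, not released here. */`. It is also worth confirming that the rest of init_ctx_reselect assigns sc->internal_mech to the newly selected element before it is used again, since the previous value is now overwritten rather than released.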

View File

@ -41,7 +41,7 @@
Summary: The Kerberos network authentication system Summary: The Kerberos network authentication system
Name: krb5 Name: krb5
Version: 1.12.1 Version: 1.12.1
Release: 11%{?dist} Release: 12%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead? # Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.1-signed.tar # http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.1-signed.tar
Source0: krb5-%{version}.tar.gz Source0: krb5-%{version}.tar.gz
@ -106,6 +106,7 @@ Patch144: krb5-1.12-tcl86.patch
Patch145: krb5-master-mechd.patch Patch145: krb5-master-mechd.patch
Patch146: krb5-1.12-CVE-2014-4341_4342.patch Patch146: krb5-1.12-CVE-2014-4341_4342.patch
Patch147: krb5-1.12-CVE-2014-4341_4342-tests.patch Patch147: krb5-1.12-CVE-2014-4341_4342-tests.patch
Patch148: krb5-gssapi-mech-doublefree.patch
Patch201: 0001-Don-t-try-to-stat-not-on-disk-ccache-residuals.patch Patch201: 0001-Don-t-try-to-stat-not-on-disk-ccache-residuals.patch
Patch202: 0002-Use-an-in-memory-cache-until-we-need-the-target-s.patch Patch202: 0002-Use-an-in-memory-cache-until-we-need-the-target-s.patch
Patch203: 0003-Learn-to-destroy-the-ccache-we-re-copying-from.patch Patch203: 0003-Learn-to-destroy-the-ccache-we-re-copying-from.patch
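Review bot: The commit message calls Patch148 a proposed fix, i.e. not yet merged upstream, but nothing in the spec records that; a comment above `Patch148: krb5-gssapi-mech-doublefree.patch` citing bugzilla #1117963 and the upstream status would make it clear on a later rebase whether the patch can be dropped or must be carried forward.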
@ -360,6 +361,7 @@ ln -s NOTICE LICENSE
%patch145 -p1 -b .master-mechd %patch145 -p1 -b .master-mechd
%patch146 -p1 -b .CVE-2014-4341_4342 %patch146 -p1 -b .CVE-2014-4341_4342
%patch147 -p1 -b .CVE-2014-4341_4342 %patch147 -p1 -b .CVE-2014-4341_4342
%patch148 -p1 -b .gssapi-mech-doublefree
# Take the execute bit off of documentation. # Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@ -1036,6 +1038,10 @@ exit 0
%{_sbindir}/uuserver %{_sbindir}/uuserver
%changelog %changelog
* Wed Jul 16 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-12
- gssapi: pull in proposed fix for a double free in initiators (David
Woodhouse, #1117963)
* Sat Jul 12 2014 Tom Callaway <spot@fedoraproject.org> - 1.12.1-11 * Sat Jul 12 2014 Tom Callaway <spot@fedoraproject.org> - 1.12.1-11
- fix license handling - fix license handling