Add proposed fix for a double-free in gss clients

- gssapi: pull in proposed fix for a double free in initiators (David Woodhouse, #1117963)
2014-07-16 15:14:38 -04:00 · 2014-07-16 15:14:38 -04:00 · 9594be4f3a
commit 9594be4f3a
parent 79897b3c5d
2 changed files with 56 additions and 1 deletions
--- a/krb5-gssapi-mech-doublefree.patch
+++ b/krb5-gssapi-mech-doublefree.patch
@ -0,0 +1,49 @@
+From: David Woodhouse <David.Woodhouse@intel.com>
+
+In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
+pointer sc->internal_mech became an alias into sc->mech_set->elements[],
+which should be considered constant for the duration of the SPNEGO
+context.
+
+So don't free it.
+
+This led to the obvious crashes in the allocator, and also to strange
+behaviour with Firefox failing to fall back to alternative mechanisms
+when it should have done.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1117963
+
+==31436== Invalid free() / delete / delete[] / realloc()
+==31436==    at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
+==31436==    by 0x3AE900D6B9: generic_gss_release_oid_set (gssapi_alloc.h:93)
+==31436==    by 0x3AE903775F: release_spnego_ctx (spnego_mech.c:2895)
+==31436==    by 0x3AE9037830: spnego_gss_delete_sec_context (spnego_mech.c:2164)
+==31436==    by 0x3AE9012292: gss_delete_sec_context (g_delete_sec_context.c:90)
+==31436==  Address 0x4fb5510 is 0 bytes inside a block of size 80 free'd
+==31436==    at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
+==31436==    by 0x3AE900C88E: generic_gss_release_oid (oid_ops.c:103)
+==31436==    by 0x3AE903BE85: spnego_gss_init_sec_context (spnego_mech.c:792)
+==31436==    by 0x3AE90154CA: gss_init_sec_context (g_init_sec_context.c:210)
+---
+ src/lib/gssapi/spnego/spnego_mech.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 173c6d2..8f829d8 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -818,7 +818,6 @@ init_ctx_reselect(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc,
+ 	OM_uint32 tmpmin;
+ 	size_t i;
+ 
+-	generic_gss_release_oid(&tmpmin, &sc->internal_mech);
+ 	gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
+ 			       GSS_C_NO_BUFFER);
+ 
+-- 
+1.9.3
+
+
+-- 
+David Woodhouse                            Open Source Technology Centre
+David.Woodhouse@intel.com                              Intel Corporation
--- a/krb5.spec
+++ b/krb5.spec
@ -41,7 +41,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.12.1
-Release: 11%{?dist}
+Release: 12%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.1-signed.tar
 Source0: krb5-%{version}.tar.gz
@ -106,6 +106,7 @@ Patch144: krb5-1.12-tcl86.patch
 Patch145: krb5-master-mechd.patch
 Patch146: krb5-1.12-CVE-2014-4341_4342.patch
 Patch147: krb5-1.12-CVE-2014-4341_4342-tests.patch
+Patch148: krb5-gssapi-mech-doublefree.patch
 Patch201: 0001-Don-t-try-to-stat-not-on-disk-ccache-residuals.patch
 Patch202: 0002-Use-an-in-memory-cache-until-we-need-the-target-s.patch
 Patch203: 0003-Learn-to-destroy-the-ccache-we-re-copying-from.patch
@ -360,6 +361,7 @@ ln -s NOTICE LICENSE
 %patch145 -p1 -b .master-mechd
 %patch146 -p1 -b .CVE-2014-4341_4342
 %patch147 -p1 -b .CVE-2014-4341_4342
+%patch148 -p1 -b .gssapi-mech-doublefree

 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@ -1036,6 +1038,10 @@ exit 0
 %{_sbindir}/uuserver

 %changelog
+* Wed Jul 16 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-12
+- gssapi: pull in proposed fix for a double free in initiators (David
+  Woodhouse, #1117963)
+
 * Sat Jul 12 2014 Tom Callaway <spot@fedoraproject.org> - 1.12.1-11
 - fix license handling