[Pkg-samba-maint] Bug#941493: /usr/bin/smbclient: smbclient segfaults when used with KCM kerberos credentials cache

Sam Morris sam at robots.org.uk
Tue Oct 1 15:22:12 BST 2019


Package: smbclient
Version: 2:4.10.8+dfsg-1
Severity: normal
File: /usr/bin/smbclient

It appears that smbclient can't make use of the KCM Kerberos credentials
cache (as implemented by sssd-kcm). It attempts to fall back to asking
for a password, but then segfaults:

	$ echo $KRB5CCNAME
	KCM:

	$ smbclient '//server.example.com/documentation$'
	Unable to initialize messaging context
	Enter sam.morris@example.com's password: 
	Failed to resolve credential cache 'KCM:'! (Unknown credential cache type)
	free(): double free detected in tcache 2
	Aborted (core dumped)

Here's the backtrace:

	#0  0x00007ffff7484081 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
	#1  0x00007ffff746f535 in __GI_abort () at abort.c:79
	#2  0x00007ffff74c5db8 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff75d0aae "%s\n") at ../sysdeps/posix/libc_fatal.c:181
	#3  0x00007ffff74cc48a in malloc_printerr (str=str@entry=0x7ffff75d2768 "free(): double free detected in tcache 2") at malloc.c:5361
	#4  0x00007ffff74cde4d in _int_free (av=0x7ffff7603c40 <main_arena>, p=0x555555590b60, have_lock=<optimized out>) at malloc.c:4215
	#5  0x00007ffff6ccc925 in krb5_free_context (context=0x5555555cd0d0) at ../../source4/heimdal/lib/krb5/context.c:595
	#6  0x00007ffff729a3bd in gse_context_destructor (ptr=<optimized out>) at ../../source3/librpc/crypto/gse.c:84
	#7  0x00007ffff773413e in  () at /usr/lib/x86_64-linux-gnu/libtalloc.so.2
	#8  0x00007ffff729b05c in gse_context_init (mem_ctx=mem_ctx@entry=0x5555555cd040, do_sign=<optimized out>, do_seal=<optimized out>, add_gss_c_flags=<optimized out>, _gse_ctx=_gse_ctx@entry=0x7fffffffce30, ccache_name=<optimized out>) at ../../source3/librpc/crypto/gse.c:241
	#9  0x00007ffff729b223 in gse_init_client (ccache_name=0x0, realm=<optimized out>, username=<optimized out>, password=<optimized out>, _gse_ctx=<synthetic pointer>, add_gss_c_flags=<optimized out>, service=0x5555555cb060 "cifs", server=0x5555555caaf0 "server.example.com", do_seal=<optimized out>, do_sign=<optimized out>, mem_ctx=0x5555555cd040) at ../../source3/librpc/crypto/gse.c:268
	#10 0x00007ffff729b223 in gensec_gse_client_start (gensec_security=0x5555555cd040) at ../../source3/librpc/crypto/gse.c:786
	#11 0x00007ffff71efef3 in gensec_start_mech (gensec_security=0x5555555cd040) at ../../auth/gensec/gensec_start.c:743
	#12 0x00007ffff71efef3 in gensec_start_mech (gensec_security=0x5555555cd040) at ../../auth/gensec/gensec_start.c:704
	#13 0x00007ffff71f39ce in gensec_spnego_client_negTokenInit_step (gensec_security=0x5555555c1e20, spnego_state=0x5555555c4750, n=0x5555555cc800, spnego_in=<optimized out>, last_status=..., in_mem_ctx=<optimized out>, in_next=0x5555555cc758) at ../../auth/gensec/spnego.c:624
	#14 0x00007ffff71f3f99 in gensec_spnego_client_negTokenInit_start (gensec_security=0x5555555c1e20, spnego_state=0x5555555c4750, n=0x5555555cc800, spnego_in=0x5555555cc6c8, in_mem_ctx=0x5555555cc6a0, in_next=0x5555555cc758) at ../../auth/gensec/spnego.c:528
	#15 0x00007ffff71f4ce4 in gensec_spnego_update_pre (req=0x5555555cc4f0) at ../../auth/gensec/spnego.c:1913
	#16 0x00007ffff71f4ce4 in gensec_spnego_update_send (mem_ctx=<optimized out>, ev=0x5555555a97f0, gensec_security=<optimized out>, in=...) at ../../auth/gensec/spnego.c:1711
	#17 0x00007ffff71eee58 in gensec_update_send (mem_ctx=<optimized out>, ev=0x5555555a97f0, gensec_security=0x5555555c1e20, in=...) at ../../auth/gensec/gensec.c:449
	#18 0x00007ffff7a7e986 in cli_session_setup_gensec_local_next (req=0x5555555c6c60) at ../../source3/libsmb/cliconnect.c:1016
	#19 0x00007ffff7a803e0 in cli_session_setup_gensec_send (target_service=0x7ffff7ab7041 "cifs", target_hostname=0x5555555c0d10 "server.example.com", creds=0x5555555abd70, cli=0x5555555abd70, ev=0x5555555a97f0, mem_ctx=<optimized out>) at ../../source3/libsmb/cliconnect.c:996
	#20 0x00007ffff7a803e0 in cli_session_setup_spnego_send (creds=0x5555555abd70, cli=0x5555555abd70, ev=0x5555555a97f0, mem_ctx=<optimized out>) at ../../source3/libsmb/cliconnect.c:1308
	#21 0x00007ffff7a803e0 in cli_session_setup_creds_send (mem_ctx=mem_ctx@entry=0x5555555a97f0, ev=ev@entry=0x5555555a97f0, cli=cli@entry=0x5555555abd70, creds=creds@entry=0x5555555b2130) at ../../source3/libsmb/cliconnect.c:1467
	#22 0x00007ffff7a80b6d in cli_session_setup_creds (cli=0x5555555abd70, creds=creds@entry=0x5555555b2130) at ../../source3/libsmb/cliconnect.c:1805
	#23 0x00007ffff7a9c517 in do_connect (ctx=ctx@entry=0x5555555a8c70, server=<optimized out>, server@entry=0x0, share=share@entry=0x5555555be0f0 "\\\\server.example.com\\documentation$", auth_info=0x5555555b20a0, force_encrypt=<optimized out>, max_protocol=max_protocol@entry=13, port=0, name_type=32, pcli=0x7fffffffd1d0) at ../../source3/libsmb/clidfs.c:236
	#24 0x00007ffff7a9ca68 in cli_cm_connect (ctx=ctx@entry=0x5555555a8c70, referring_cli=referring_cli@entry=0x0, server=server@entry=0x0, share=share@entry=0x5555555be0f0 "\\\\server.example.com\\documentation$", auth_info=<optimized out>, force_encrypt=force_encrypt@entry=false, max_protocol=13, port=0, name_type=32, pcli=0x7fffffffd230) at ../../source3/libsmb/clidfs.c:339
	#25 0x00007ffff7a9cbef in cli_cm_open (ctx=0x5555555a8c70, referring_cli=0x0, server=0x0, share=0x5555555be0f0 "\\\\server.example.com\\documentation$", auth_info=<optimized out>, force_encrypt=<optimized out>, max_protocol=13, port=0, name_type=32, pcli=0x55555557b398 <cli>) at ../../source3/libsmb/clidfs.c:441
	#26 0x000055555555e1c8 in main ()

-- System Information:
Debian Release: 10.1
  APT prefers stable-debug
  APT policy: (570, 'stable-debug'), (570, 'stable'), (550, 'testing-debug'), (550, 'testing'), (530, 'unstable-debug'), (530, 'unstable'), (500, 'stable-updates'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.0-0.bpo.2-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_USER, TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages smbclient depends on:
ii  dpkg          1.19.7
ii  libarchive13  3.3.3-4
ii  libbsd0       0.9.1-2
ii  libc6         2.29-1
ii  libpopt0      1.16-12
ii  libreadline8  8.0-3
ii  libsmbclient  2:4.10.8+dfsg-1
ii  libtalloc2    2.3.0-2
ii  libtevent0    0.10.1-3
ii  libwbclient0  2:4.10.8+dfsg-1
ii  samba-common  2:4.10.8+dfsg-1
ii  samba-libs    2:4.10.8+dfsg-1

smbclient recommends no packages.

Versions of packages smbclient suggests:
ii  cifs-utils       2:6.8-2
pn  heimdal-clients  <none>

-- no debconf information


