bugzilla-daemon at bugzilla.mindrot.org
2009-May-23 10:40 UTC
[Bug 1601] New: Memory leak caused by forwarded GSSAPI credential store
https://bugzilla.mindrot.org/show_bug.cgi?id=1601 Summary: Memory leak caused by forwarded GSSAPI credential store Product: Portable OpenSSH Version: 5.2p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: unassigned-bugs at mindrot.org ReportedBy: miguel.sanders at arcelormittal.com CC: miguel.sanders at arcelormittal.com Created an attachment (id=1641) --> (http://bugzilla.mindrot.org/attachment.cgi?id=1641) Fix for memory leak While debugging a GSSAPI memory allocation problem not related to OpenSSH, I found a memory leak in OpenSSH when storing forwarded GSSAPI credentials resulting in a growing process segment for each connection that uses GSSAPI credentials forwarding. What happens is the following: In the privileged parent, we are calling ssh_gssapi_storecreds() which itself calls ssh_gssapi_krb5_storecreds(). ssh_gssapi_krb5_storecreds() makes some memory allocations in order to save the credentials store for the gssapi client. +167 client->store.filename xstrdup(krb5_cc_get_name(krb_context, ccache)); +168 client->store.envvar = "KRB5CCNAME"; +169 len = strlen(client->store.filename) + 6; +170 client->store.envval = xmalloc(len); +171 snprintf(client->store.envval, len, "FILE:%s", client->store.filename); Those memory allocations are never freed. Moreover, since those memory allocations are done in the privileged parent (which is a finite-state machine and never returns) before forking the unprivileged child, the memory leak gets doubled for each connection that uses GSSAPI credential forwarding. A solution would be the following: 1) Migrate the ssh_gssapi_storecreds() call to the unprivileged child 2) Create a ssh_gssapi_free_store() call in gss-serv.c which frees the memory allocations. At first I was thinking of integrating this in the ssh_gssapi_cleanup_creds() call but freeing the memory is mandatory while the cleanup of credentials is the user's choice. 3) Integrate ssh_gssapi_free_store() call in the do_cleanup() call, which is located in session.c. I added a patch which solved this issue. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-May-23 11:52 UTC
[Bug 1601] Memory leak caused by forwarded GSSAPI credential store
https://bugzilla.mindrot.org/show_bug.cgi?id=1601 Simon Wilkinson <simon at sxw.org.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |simon at sxw.org.uk --- Comment #1 from Simon Wilkinson <simon at sxw.org.uk> 2009-05-23 21:52:04 --- As noted on the mailing this, this fix is wrong ... GSSAPI credentials need to be stored before the PAM stack is invoked (this also means that the credentials need to be stored in the process which invokes pam_setcred, and not in the unprivileged child). Also, credentials need to be stored whether the user is running privsep or not - this change moves credential storage to a privsep only code path. An alternative fix, that doesn't move the location of the storecreds() call, is going to be required. One option would be to dispose of these structures in the parent as soon as the child is forked (if we're running privsep), so removing the leak in the parent, and tidying up the leak in the child in the manner in the attachment. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-May-23 13:01 UTC
[Bug 1601] Memory leak caused by forwarded GSSAPI credential store
https://bugzilla.mindrot.org/show_bug.cgi?id=1601 --- Comment #2 from Miguel Sanders <miguel.sanders at arcelormittal.com> 2009-05-23 23:01:01 --- Sorry for the mistake. I made some modifications which now dispose the store after the fork operation in the parent. I also added a modification so that the memory is freed even if we're not running privsep. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-May-23 13:01 UTC
[Bug 1601] Memory leak caused by forwarded GSSAPI credential store
https://bugzilla.mindrot.org/show_bug.cgi?id=1601 --- Comment #3 from Miguel Sanders <miguel.sanders at arcelormittal.com> 2009-05-23 23:01:58 --- Created an attachment (id=1642) --> (http://bugzilla.mindrot.org/attachment.cgi?id=1642) F -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-May-23 13:03 UTC
[Bug 1601] Memory leak caused by forwarded GSSAPI credential store
https://bugzilla.mindrot.org/show_bug.cgi?id=1601 Miguel Sanders <miguel.sanders at arcelormittal.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #1641|0 |1 is obsolete| | Attachment #1642|0 |1 is obsolete| | --- Comment #4 from Miguel Sanders <miguel.sanders at arcelormittal.com> 2009-05-23 23:03:39 --- Created an attachment (id=1643) --> (http://bugzilla.mindrot.org/attachment.cgi?id=1643) Fix for memory leak (2) Corrected a few mistakes pointed out by Simon -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-May-23 13:04 UTC
[Bug 1601] Memory leak caused by forwarded GSSAPI credential store
https://bugzilla.mindrot.org/show_bug.cgi?id=1601 Simon Wilkinson <simon at sxw.org.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #1642|application/octet-stream |text/plain mime type| | Attachment #1642|0 |1 is patch| | Attachment #1642|1 |0 is obsolete| | -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-May-23 13:40 UTC
[Bug 1601] Memory leak caused by forwarded GSSAPI credential store
https://bugzilla.mindrot.org/show_bug.cgi?id=1601 Miguel Sanders <miguel.sanders at arcelormittal.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #1642|0 |1 is obsolete| | Attachment #1643|0 |1 is obsolete| | --- Comment #5 from Miguel Sanders <miguel.sanders at arcelormittal.com> 2009-05-23 23:40:45 --- Created an attachment (id=1644) --> (http://bugzilla.mindrot.org/attachment.cgi?id=1644) Fix for memory leak (3) ssh_gssapi_free_store() would get called twice in case of privsep. Once from do_cleanup() and once from main(). This fixes this. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Feb-06 11:17 UTC
[Bug 1601] Memory leak caused by forwarded GSSAPI credential store
https://bugzilla.mindrot.org/show_bug.cgi?id=1601 --- Comment #6 from Miguel Sanders <miguel.sanders at arcelormittal.com> 2010-02-06 22:17:09 EST --- Hi Simon Have you already had a chance to have a look at this? Thanks! Miguel -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.