
Bug#404739: Processed: reassign 404739 to gss


From: Simon Josefsson
Subject: Bug#404739: Processed: reassign 404739 to gss
Date: Tue, 09 Jan 2007 00:25:52 +0100
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.92 (gnu/linux)

I just realized that fencepost.gnu.org is an amd64 box, running
ubuntu.  I could reproduce the crash, with optimizations.  It crashed
on de-referencing k5 in k5->ap, in context.c.  Valgrind confirms this,
and there seem to be no prior valgrind errors.  The code is:

  rc = shishi_ap_rep_der_set (k5->ap, data + TOK_LEN, datalen - TOK_LEN);

However, k5 is only NULL in the program, not in the debugger, witness
where I add this printf before the line above:

  printf ("ptr=%x isnull=%d\n", k5, k5 == NULL ? 42 : 17);

The relevant debugger output is (complete log below):

147       printf ("ptr=%x isnull=%d\n", k5, k5 == NULL ? 42 : 17);
(gdb) p k5
$1 = (_gss_krb5_ctx_t) 0x546ed0
(gdb) n
ptr=0 isnull=42
148       rc = shishi_ap_rep_der_set (k5->ap, data + TOK_LEN, datalen - TOK_LEN);
(gdb) n

What becomes more weird is that if I access the ctx variable,
something like:

  printf ("fubar %x\n", ctx);
  rc = shishi_ap_rep_der_set (k5->ap, data + TOK_LEN, datalen - TOK_LEN);

The self-test succeeds, with no valgrind errors, even with
optimizations.

At this point, I began experimenting with different compilers, and
when I used mixed gcc-3.3 and gcc-4.0, I got a different crash, in
asn1.c, which prompted me to read the code, and I found a bug in
_gss_decapsulate_token(), it used an 'int' on the stack, but used it as
if it were a 'size_t' -- if I fixed that bug, the entire self test
worked fine.  The stack was obviously garbled by that bug, and that
broke the optimized code, and confused the debugger.

/Simon

Program received signal SIGSEGV, Segmentation fault.

address@hidden:~/gss-0.0.18/tests$ gdb ./krb5context
GNU gdb 6.4-debian
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...Using host libthread_db library 
"/lib/libthread_db.so.1".

(gdb) b context.c:147
No source file named context.c.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (context.c:147) pending.
(gdb) r
Starting program: /srv/data/home/j/jas/gss-0.0.18/tests/krb5context
[Thread debugging using libthread_db enabled]
[New Thread 47222201031392 (LWP 19156)]
Breakpoint 2 at 0x2af2c5e242d6: file context.c, line 147.
Pending breakpoint "context.c:147" resolved
libshishi: warning: `ignore-this-warning': No such file or directory
libshishi: warning: ignore-this-warning: No such file or directory
libshishi: warning: `ignore-this-warning/shishi.conf': No such file or directory
libshishi: warning: ignore-this-warning/shishi.conf: No such file or directory

Client AP-REQ:
...

[Switching to Thread 47222201031392 (LWP 19156)]

Breakpoint 2, gss_krb5_init_sec_context (minor_status=0x7ffffffe1834, 
initiator_cred_handle=<value optimized out>,
    context_handle=0x7ffffffe17e8, target_name=0x52bb50, mech_type=<value 
optimized out>, req_flags=14, time_req=0,
    input_chan_bindings=0x0, input_token=0x7ffffffe1810, actual_mech_type=0x0, 
output_token=0x7ffffffe1800, ret_flags=0x0,
    time_rec=0x0) at context.c:147
147       printf ("ptr=%x isnull=%d\n", k5, k5 == NULL ? 42 : 17);
(gdb) p k5
$1 = (_gss_krb5_ctx_t) 0x546ed0
(gdb) n
ptr=0 isnull=42
148       rc = shishi_ap_rep_der_set (k5->ap, data + TOK_LEN, datalen - TOK_LEN);
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0x00002af2c5e24303 in gss_krb5_init_sec_context (minor_status=0x7ffffffe1834, 
initiator_cred_handle=<value optimized out>,
    context_handle=0x7ffffffe17e8, target_name=0x52bb50, mech_type=<value 
optimized out>, req_flags=14, time_req=0,
    input_chan_bindings=0x0, input_token=0x7ffffffe1810, actual_mech_type=0x0, 
output_token=0x7ffffffe1800, ret_flags=0x0,
    time_rec=0x0) at context.c:148
148       rc = shishi_ap_rep_der_set (k5->ap, data + TOK_LEN, datalen - TOK_LEN);
(gdb)
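An added example, not code from the gss or shishi sources, showing why the int/size_t mismatch Simon describes in the paragraph before the gdb log only bites on a 64-bit box: `decapsulate_token` and `TOK_LEN` are hypothetical stand-ins with an assumed signature, and `struct frame` only models two adjacent stack slots.

```c
#include <stddef.h>
#include <string.h>

/* Constructed token header length; hypothetical, not gss's real TOK_LEN. */
#define TOK_LEN 2

/* Hypothetical stand-in for _gss_decapsulate_token(): it reports the payload
 * length through a size_t pointer, i.e. it stores sizeof (size_t) bytes. */
static int
decapsulate_token (const unsigned char *in, size_t inlen,
                   const unsigned char **payload, size_t *payload_len)
{
  if (inlen < TOK_LEN)
    return -1;
  *payload = in + TOK_LEN;
  *payload_len = inlen - TOK_LEN;
  return 0;
}

/* Correct caller: the variable receiving the length has the type the callee
 * writes, so the store cannot spill into a neighbouring stack slot. */
static size_t
correct_caller (void)
{
  const unsigned char tok[] = { 0x60, 0x03, 'a', 'b', 'c' };  /* constructed */
  const unsigned char *p = NULL;
  size_t len = 0;
  if (decapsulate_token (tok, sizeof tok, &p, &len) != 0)
    return 0;
  return len;  /* 3 */
}

/* Model of the buggy caller: an int slot receives a size_t-sized store.
 * Two adjacent ints stand in for the int and whatever the compiler placed
 * next to it (a pointer such as k5, for instance).  memcpy into the whole
 * struct keeps the demonstration well defined; the real bug, passing
 * (size_t *) &len where len is an int, is undefined behaviour. */
struct frame { int len; int neighbour; };

static int
neighbour_clobbered (void)
{
  struct frame f = { 0, 0x5a5a5a5a };
  size_t value = 3;                      /* what the callee stores */
  if (sizeof value > sizeof f)
    return -1;
  memcpy (&f, &value, sizeof value);     /* 8 bytes on LP64, 4 on ILP32 */
  return f.neighbour != 0x5a5a5a5a;      /* 1 on amd64, 0 on 32-bit */
}
```

On an ILP32 build both slots stay intact, which is why the self-test passed on 32-bit hosts and only the amd64 fencepost box crashed.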