Opened 12 years ago
Closed 10 years ago
#36811 closed defect (fixed)
heimdal: kinit segfaults
Reported by: | lpsinger (Leo Singer) | Owned by: | landonf (Landon Fuller) |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | ports | Version: | 2.1.2 |
Keywords: | Cc: | raimue (Rainer Müller), cooljeanius (Eric Gallager), mmpestorich (Mike M Pestorich) | |
Port: | heimdal |
Description
On a Mountain Lion system, the kinit provided by heimdal @1.3.3_1 segfaults:
(Replace -----@----.--- with your own principal)
```
$ /opt/local/libexec/heimdal/bin/kinit -----@----.---
-----@----.---'s Password: ******
Segmentation fault: 11
```
Running this under gdb, I see that the program crashes in krb5_cc_destroy.
If, however, you specify a particular credentials cache, it does not crash:
```
$ /opt/local/libexec/heimdal/bin/kinit -c ~/foobar -----@----.---
-----@----.---'s Password: ******
```
(exits normally)
Change History (10)
comment:1 Changed 12 years ago by jmroot (Joshua Root)
Owner: | changed from macports-tickets@… to landonf@… |
---|
comment:2 Changed 12 years ago by raimue (Rainer Müller)
comment:4 Changed 12 years ago by raimue (Rainer Müller)
I submitted an update to 1.5.2 in #31786. However, this update does not fix the segmentation fault.
Backtrace from gdb:
```
(gdb) r
Starting program: /opt/local/libexec/heimdal/bin/kinit
Reading symbols for shared libraries ++++++++++++++++........................................ done
Reading symbols for shared libraries ........................... done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .. done
-----@----.---'s Password:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x00007fff8fe280d4 in krb5_cc_destroy ()
(gdb) bt
#0 0x00007fff8fe280d4 in krb5_cc_destroy ()
#1 0x00007fff9615b22f in ccache_destroy ()
#2 0x0000000100011232 in acc_destroy ()
#3 0x00000001000121d1 in acc_move ()
#4 0x0000000100017a37 in krb5_cc_move ()
#5 0x0000000100002aca in get_new_tickets ()
#6 0x0000000100001c16 in main ()
(gdb)
```
comment:5 Changed 12 years ago by raimue (Rainer Müller)
I rebuilt heimdal with debug symbols enabled (configure.cflags-append -g -O0) and here is a backtrace from this run:
```
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x00007fff8fe280d4 in krb5_cc_destroy ()
(gdb) bt
#0 0x00007fff8fe280d4 in krb5_cc_destroy ()
#1 0x00007fff9615b22f in ccache_destroy ()
#2 0x00000001000164ae in acc_destroy (context=0x100607430, id=0x100627170) at acache.c:665
#3 0x000000010001713d in acc_move (context=0x100607430, from=0x100627170, to=0x100611b00) at acache.c:1008
#4 0x0000000100020f10 in krb5_cc_move (context=0x100607430, from=0x100627170, to=0x100611b00) at cache.c:1207
#5 0x0000000100003886 in get_new_tickets (context=0x100607430, principal=0x100611ad0, ccache=0x100611b00, ticket_life=0, interactive=1) at kinit.c:616
#6 0x000000010000212c in main (argc=0, argv=0x7fff5fbff488) at kinit.c:882
(gdb) info address krb5_cc_destroy
Symbol "krb5_cc_destroy" is a function at address 0x100020060.
(gdb) info symbol krb5_cc_destroy
krb5_cc_destroy in section LC_SEGMENT.__TEXT.__text of /opt/local/libexec/heimdal/lib/libkrb5.26.dylib
(gdb) info symbol ccache_destroy
ccache_destroy in section LC_SEGMENT.__TEXT.__text of /System/Library/Frameworks/Kerberos.framework/Versions/A/Kerberos
(gdb) info address ccache_destroy
Symbol "ccache_destroy" is at 0x7fff9615b1e5 in a file compiled without debugging.
```
So the problem appears to be that the Kerberos.framework gets called here for the ccache_destroy symbol, which then calls krb5_cc_destroy from the Kerberos.framework as well. This leads to a segmentation fault, most probably because the opaque data types do not match.
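The comparison made by hand in comment 5 (a frame's PC against the address gdb resolves for the same symbol name) can be scripted to spot frames that execute a different definition of a same-named function. This is an added example, not part of the ticket; the gdb text is an excerpt of the session above, and the function names and the 1 MiB tolerance are assumptions.

```python
import re

# Excerpt of the gdb session quoted in comment 5 of this ticket.
GDB_LOG = """\
#0 0x00007fff8fe280d4 in krb5_cc_destroy ()
#1 0x00007fff9615b22f in ccache_destroy ()
#2 0x00000001000164ae in acc_destroy (context=0x100607430, id=0x100627170) at acache.c:665
#3 0x000000010001713d in acc_move (context=0x100607430, from=0x100627170, to=0x100611b00) at acache.c:1008
(gdb) info address krb5_cc_destroy
Symbol "krb5_cc_destroy" is a function at address 0x100020060.
(gdb) info address ccache_destroy
Symbol "ccache_destroy" is at 0x7fff9615b1e5 in a file compiled without debugging.
"""

# "#N 0xPC in name (" lines printed by `bt`
FRAME_RE = re.compile(r"^#(\d+)\s+(0x[0-9a-fA-F]+) in (\w+) \(", re.M)
# Both wordings gdb uses for `info address` on a function symbol
ADDR_RE = re.compile(
    r'^Symbol "(\w+)" is (?:a function )?at (?:address )?(0x[0-9a-fA-F]+)', re.M)

MAX_FUNC_SPAN = 1 << 20  # assumption: no single function body exceeds 1 MiB


def parse_frames(log):
    """Return (frame number, pc, symbol name) for every backtrace line."""
    return [(int(n), int(pc, 16), name) for n, pc, name in FRAME_RE.findall(log)]


def parse_symbol_addresses(log):
    """Map symbol name -> start address as reported by `info address`."""
    return {name: int(addr, 16) for name, addr in ADDR_RE.findall(log)}


def shadowed_frames(log):
    """Frames whose PC lies outside the definition gdb resolves by name."""
    symbols = parse_symbol_addresses(log)
    findings = []
    for number, pc, name in parse_frames(log):
        start = symbols.get(name)
        if start is None:
            continue  # no `info address` output for this symbol; cannot judge
        if not 0 <= pc - start < MAX_FUNC_SPAN:
            findings.append({"frame": number, "symbol": name,
                             "pc": pc, "resolved": start})
    return findings


if __name__ == "__main__":
    for f in shadowed_frames(GDB_LOG):
        print("frame #%d: %s runs at %#x but gdb resolves the name to %#x"
              % (f["frame"], f["symbol"], f["pc"], f["resolved"]))
```

Only frame #0 is reported: ccache_destroy runs 0x4a bytes past its resolved start, while krb5_cc_destroy runs far outside the libkrb5.26.dylib definition.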
comment:6 follow-up: 7 Changed 12 years ago by raimue (Rainer Müller)
Digging a little bit further, it seems that the culprit is the initialization function init_ccapi in heimdal-1.5.2/lib/krb5/acache.c:146. This source file hardcodes the framework path /System/Library/Frameworks/Kerberos.framework/Kerberos and uses the dyld function dlsym() to find some symbols.
Also I could reproduce the segmentation fault with the binaries for Heimdal 1.5.2 and Heimdal 1.5.3 offered as disk images from upstream (they install into the prefix /usr/heimdal).
comment:7 Changed 11 years ago by lpsinger (Leo Singer)
Replying to raimue@…:
> Digging a little bit further, it seems that the culprit is the initialization function init_ccapi in heimdal-1.5.2/lib/krb5/acache.c:146. This source file hardcodes the framework path /System/Library/Frameworks/Kerberos.framework/Kerberos and uses the dyld function dlsym() to find some symbols.
>
> Also I could reproduce the segmentation fault with the binaries for Heimdal 1.5.2 and Heimdal 1.5.3 offered as disk images from upstream (they install into the prefix /usr/heimdal).

Which library is it actually trying to link against here, and which port would provide it? In the other clauses of this #if/#else block, on other platforms it will look for libkrb5_cc. But port contents heimdal does not list any file called libkrb5_cc.*.
comment:10 Changed 10 years ago by lpsinger (Leo Singer)
Resolution: | → fixed |
---|---|
Status: | new → closed |
It seems that this has been fixed by #31786.
I did not test it, but the heimdal is multiple releases behind upstream and this might have been fixed already. There is also ticket #31786 filed for this already.