Crash in pam_passkey_auth_done #6889

Closed
abbra opened this issue Aug 19, 2023 · 5 comments
@abbra
Contributor

abbra commented Aug 19, 2023

I am still stuck with sssd-2.9.1-3.fc39 and I get once in a while this crash:

                Stack trace of thread 14178:
                #0  0x00007f856a090824 __pthread_kill_implementation (libc.so.6 + 0x90824)
                #1  0x00007f856a03e8ee raise (libc.so.6 + 0x3e8ee)
                #2  0x00007f856a0268ff abort (libc.so.6 + 0x268ff)
                #3  0x00007f856a3d291c talloc_check_name.cold (libtalloc.so.2 + 0x391c)
                #4  0x0000560f422a9a4c pam_passkey_auth_done.lto_priv.0 (sssd_pam + 0x18a4c)
                #5  0x00007f856a55d6c4 child_invoke_callback (libsss_child.so + 0x26c4)
                #6  0x00007f856a3e7bf8 tevent_common_invoke_immediate_handler (libtevent.so.0 + 0xabf8)
                #7  0x00007f856a3e7c22 tevent_common_loop_immediate (libtevent.so.0 + 0xac22)
                #8  0x00007f856a3eb5e2 epoll_event_loop_once (libtevent.so.0 + 0xe5e2)
                #9  0x00007f856a3e3764 std_event_loop_once (libtevent.so.0 + 0x6764)
                #10 0x00007f856a3e5d4b _tevent_loop_once (libtevent.so.0 + 0x8d4b)
                #11 0x00007f856a3e5e6b tevent_common_loop_wait (libtevent.so.0 + 0x8e6b)
                #12 0x00007f856a3e37e4 std_event_loop_wait (libtevent.so.0 + 0x67e4)
                #13 0x00007f856a64aa4f server_loop (libsss_util.so + 0x50a4f)
                #14 0x0000560f4229ea02 main (sssd_pam + 0xda02)
                #15 0x00007f856a02814a __libc_start_call_main (libc.so.6 + 0x2814a)
                #16 0x00007f856a02820b __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x2820b)
                #17 0x0000560f4229f1e5 _start (sssd_pam + 0xe1e5)
                ELF object binary architecture: AMD x86-64

I cannot get more details out of it, sorry.

@abbra
Contributor Author

abbra commented Aug 19, 2023

Found logs:

(2023-08-19 12:11:45): [pam] [pam_forwarder_passkey_cb] (0x0040): [CID#6] PAM passkey auth failed [110]: Connection timed out
   *  ... skipping repetitive backtrace ...
(2023-08-19 12:11:45): [pam] [child_sig_handler] (0x0020): [CID#6] child [15110] failed with status [1].
   *  ... skipping repetitive backtrace ...
(2023-08-19 12:11:45): [pam] [_sss_talloc_log_fn] (0x0010): [CID#6] talloc: access after free error - first free may be at src/responder/pam/pamsrv_passkey.c:434

********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2023-08-19 12:11:45): [pam] [_sss_talloc_log_fn] (0x0010): [CID#6] talloc: access after free error - first free may be at src/responder/pam/pamsrv_passkey.c:434

********************** BACKTRACE DUMP ENDS HERE *********************************

(2023-08-19 12:11:45): [pam] [_sss_talloc_log_fn] (0x0010): [CID#6] Bad talloc magic value - access after free


@abbra
Contributor Author

abbra commented Aug 19, 2023

It looks like it is freeing the request:

void pam_forwarder_passkey_cb(struct tevent_req *req)
{
    struct pam_auth_req *preq = tevent_req_callback_data(req,
                                                         struct pam_auth_req);
    errno_t ret = EOK;
    int child_status;

    ret = pam_passkey_auth_recv(req, &child_status);
>>>>>    talloc_free(req);
    if (ret != EOK) {
        DEBUG(SSSDBG_OP_FAILURE, "PAM passkey auth failed [%d]: %s\n",
                                 ret, sss_strerror(ret));
        goto done;
    }

    DEBUG(SSSDBG_TRACE_FUNC, "passkey child finished with status [%d]\n", child_status);
    preq->pd->pam_status = PAM_SUCCESS;
    pam_reply(preq);

    return;

done:
    pam_check_user_done(preq, ret);
}

@alexey-tikhonov alexey-tikhonov added the passkey Issues and PRs related to 'passkey' feature label Aug 20, 2023
@ikerexxe ikerexxe self-assigned this Aug 21, 2023
@justin-stephenson justin-stephenson self-assigned this Aug 21, 2023
@justin-stephenson
Contributor

Thank you for the report, I reproduced it and will investigate a fix.

@justin-stephenson
Contributor

#6893

@ikerexxe ikerexxe removed their assignment Aug 22, 2023
justin-stephenson added a commit to justin-stephenson/sssd that referenced this issue Aug 22, 2023
If passkey auth times out, the SIGCHLD handler needs to be
destroyed otherwise the SIGCHLD handler tries to access the tevent_req
which was already freed from the timeout.

Resolves: SSSD#6889
justin-stephenson added a commit to justin-stephenson/sssd that referenced this issue Aug 29, 2023
If passkey auth times out, the SIGCHLD handler needs to be
destroyed otherwise the SIGCHLD handler tries to access the tevent_req
which was already freed from the timeout.

Resolves: SSSD#6889
pbrezina pushed a commit that referenced this issue Aug 31, 2023
If passkey auth times out, the SIGCHLD handler needs to be
destroyed otherwise the SIGCHLD handler tries to access the tevent_req
which was already freed from the timeout.

Resolves: #6889

Reviewed-by: Iker Pedrosa <[email protected]>
Reviewed-by: Sumit Bose <[email protected]>
(cherry picked from commit b516f1e)
@pbrezina
Member

Pushed PR: #6893

  • master
    • b516f1e - Passkey: Add child timeout handler
  • sssd-2-9
    • e71a353 - Passkey: Add child timeout handler

@pbrezina pbrezina added the Closed: Fixed Issue was closed as fixed. label Aug 31, 2023
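
The lifetime problem described in the commit message above, as an added example that is not part of the issue or of SSSD's code: a self-contained C model in which the timeout path frees the request while the child-exit handler either stays registered or is destroyed first. All names are hypothetical, the magic-value check stands in for talloc's, and the PID and exit status are the ones from the log above.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model, not SSSD code. The request lives in a static slot so its
 * "freed" state can be read safely, as talloc's magic value allows. */
#define MAGIC_LIVE  0x600dU
#define MAGIC_FREED 0xdeadU
struct auth_req { unsigned magic; int child_status; };
struct child_handler { int pid; struct auth_req *req; bool registered; };
enum dispatch { NO_HANDLER, DELIVERED, ACCESS_AFTER_FREE };

static struct auth_req slot;
static struct child_handler handler;   /* holds a borrowed pointer to the request */

static struct auth_req *auth_send(int child_pid)
{
    slot = (struct auth_req){ .magic = MAGIC_LIVE, .child_status = -1 };
    handler = (struct child_handler){ child_pid, &slot, true };
    return &slot;
}

/* Timeout path: destroy_handler=false models the bug, true models the fix. */
static void auth_timeout(struct auth_req *req, bool destroy_handler)
{
    if (destroy_handler) {
        handler.registered = false;
        handler.req = NULL;
    }
    req->magic = MAGIC_FREED;          /* stands in for talloc_free(req) */
}

/* SIGCHLD dispatch: what happens when the child finally exits. */
static enum dispatch child_exited(int pid, int status)
{
    if (!handler.registered || handler.pid != pid) return NO_HANDLER;
    if (handler.req->magic != MAGIC_LIVE) return ACCESS_AFTER_FREE; /* talloc aborts here */
    handler.req->child_status = status;
    handler.registered = false;
    return DELIVERED;
}

/* Timeout first, child exit second: the order seen in the log. */
static enum dispatch timeout_then_exit(bool destroy_handler)
{
    struct auth_req *req = auth_send(15110);
    auth_timeout(req, destroy_handler);
    return child_exited(15110, 1);
}
int main(void) { return timeout_then_exit(true) == NO_HANDLER ? 0 : 1; }
```
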