debcrafters-packages team mailing list archive
-
debcrafters-packages team
-
Mailing list archive
-
Message #02221
[Bug 2113906] Re: Regression: After LP2099917 cifs.upcall leaks memory on error message if service ticket doesn't exist
Performing verification for jammy.
I installed cifs-utils 2:6.14-1ubuntu0.2 from jammy -updates.
I followed the testcase and installed valgrind and moved the wrapper script
into place:
ubuntu@jammy-dc:~$ sudo mv /usr/sbin/cifs.upcall /usr/sbin/cifs.upcall.bin
ubuntu@jammy-dc:~$ sudo cp /usr/sbin/cifs.upcall.wrapper /usr/sbin/cifs.upcall
ubuntu@jammy-dc:~$ kdestroy
kdestroy: No credentials cache found while destroying cache
ubuntu@jammy-dc:~$ klist
klist: No credentials cache found (filename: /tmp/krb5cc_1000)
ubuntu@jammy-dc:~$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
ubuntu@jammy-dc:~$ cat valgrind.log
==1618== Memcheck, a memory error detector
==1618== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1618== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==1618== Command: /usr/sbin/cifs.upcall.bin 403655015
==1618==
==1619==
==1619== HEAP SUMMARY:
==1619== in use at exit: 129 bytes in 1 blocks
==1619== total heap usage: 33 allocs, 32 frees, 83,550 bytes allocated
==1619==
==1619== LEAK SUMMARY:
==1619== definitely lost: 0 bytes in 0 blocks
==1619== indirectly lost: 0 bytes in 0 blocks
==1619== possibly lost: 0 bytes in 0 blocks
==1619== still reachable: 129 bytes in 1 blocks
==1619== suppressed: 0 bytes in 0 blocks
==1619== Rerun with --leak-check=full to see details of leaked memory
==1619==
==1619== For lists of detected and suppressed errors, rerun with: -s
==1619== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
==1618==
==1618== HEAP SUMMARY:
==1618== in use at exit: 3,369 bytes in 9 blocks
==1618== total heap usage: 537 allocs, 528 frees, 368,178 bytes allocated
==1618==
==1618== LEAK SUMMARY:
==1618== definitely lost: 56 bytes in 1 blocks
==1618== indirectly lost: 0 bytes in 0 blocks
==1618== possibly lost: 0 bytes in 0 blocks
==1618== still reachable: 3,313 bytes in 8 blocks
==1618== suppressed: 0 bytes in 0 blocks
==1618== Rerun with --leak-check=full to see details of leaked memory
==1618==
==1618== For lists of detected and suppressed errors, rerun with: -s
==1618== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
==1618== could not unlink /tmp/vgdb-pipe-from-vgdb-to-1618-by-???-on-???
==1618== could not unlink /tmp/vgdb-pipe-to-vgdb-from-1618-by-???-on-???
==1618== could not unlink /tmp/vgdb-pipe-shared-mem-vgdb-1618-by-???-on-???
We leaked 56 bytes of memory.
I then enabled -security-proposed by this ppa:
https://launchpad.net/~ubuntu-security-
proposed/+archive/ubuntu/ppa/+packages?field.name_filter=cifs-
utils&field.status_filter=published&field.series_filter=
I installed cifs-utils 2:6.14-1ubuntu0.3.
I then again moved the valgrind wrapper script into place:
ubuntu@jammy-dc:~$ sudo mv /usr/sbin/cifs.upcall /usr/sbin/cifs.upcall.bin
ubuntu@jammy-dc:~$ sudo cp /usr/sbin/cifs.upcall.wrapper /usr/sbin/cifs.upcall
ubuntu@jammy-dc:~$ kdestroy
kdestroy: No credentials cache found while destroying cache
ubuntu@jammy-dc:~$ klist
klist: No credentials cache found (filename: /tmp/krb5cc_1000)
ubuntu@jammy-dc:~$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
ubuntu@jammy-dc:~$ cat valgrind.log
==2334== Memcheck, a memory error detector
==2334== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2334== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==2334== Command: /usr/sbin/cifs.upcall.bin 520370035
==2334==
==2335==
==2335== HEAP SUMMARY:
==2335== in use at exit: 129 bytes in 1 blocks
==2335== total heap usage: 33 allocs, 32 frees, 83,550 bytes allocated
==2335==
==2335== LEAK SUMMARY:
==2335== definitely lost: 0 bytes in 0 blocks
==2335== indirectly lost: 0 bytes in 0 blocks
==2335== possibly lost: 0 bytes in 0 blocks
==2335== still reachable: 129 bytes in 1 blocks
==2335== suppressed: 0 bytes in 0 blocks
==2335== Rerun with --leak-check=full to see details of leaked memory
==2335==
==2335== For lists of detected and suppressed errors, rerun with: -s
==2335== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
==2334==
==2334== HEAP SUMMARY:
==2334== in use at exit: 3,313 bytes in 8 blocks
==2334== total heap usage: 538 allocs, 530 frees, 372,293 bytes allocated
==2334==
==2334== LEAK SUMMARY:
==2334== definitely lost: 0 bytes in 0 blocks
==2334== indirectly lost: 0 bytes in 0 blocks
==2334== possibly lost: 0 bytes in 0 blocks
==2334== still reachable: 3,313 bytes in 8 blocks
==2334== suppressed: 0 bytes in 0 blocks
==2334== Rerun with --leak-check=full to see details of leaked memory
==2334==
==2334== For lists of detected and suppressed errors, rerun with: -s
==2334== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
==2334== could not unlink /tmp/vgdb-pipe-from-vgdb-to-2334-by-???-on-???
==2334== could not unlink /tmp/vgdb-pipe-to-vgdb-from-2334-by-???-on-???
==2334== could not unlink /tmp/vgdb-pipe-shared-mem-vgdb-2334-by-???-on-???
This time we don't leak any memory.
Now I am just running through the testcase of bug 2099917:
root@jammy-dc:/home/ubuntu# kinit Administrator@xxxxxxxxxxxxxxxxxxxx
Password for Administrator@xxxxxxxxxxxxxxxxxxxx:
Warning: Your password will expire in 39 days on Fri Jul 25 02:42:43 2025
root@jammy-dc:/home/ubuntu# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx
Valid starting Expires Service principal
06/16/25 02:03:14 06/16/25 12:03:14 krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
renew until 06/17/25 02:03:11
root@jammy-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
root@jammy-dc:/home/ubuntu# umount /mnt/testshare1
root@jammy-dc:/home/ubuntu# git clone https://git.nullroute.lt/hacks/python-krb5ccparse.git
Cloning into 'python-krb5ccparse'...
remote: Enumerating objects: 59, done.
remote: Counting objects: 100% (59/59), done.
remote: Compressing objects: 100% (59/59), done.
remote: Total 59 (delta 28), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (59/59), 11.55 KiB | 985.00 KiB/s, done.
Resolving deltas: 100% (28/28), done.
root@jammy-dc:/home/ubuntu# cd python-krb5ccparse/
root@jammy-dc:/home/ubuntu/python-krb5ccparse# ./kremovetkt -c /tmp/krb5cc_0 -o /tmp/removed -p krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
Skipping ticket for krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
Keeping ticket for krb5_ccache_conf_data/pa_type/krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx@X-CACHECONF:
Keeping ticket for cifs/samba-dc.example.com@
root@jammy-dc:/home/ubuntu/python-krb5ccparse# kdestroy
root@jammy-dc:/home/ubuntu/python-krb5ccparse# mv /tmp/removed /tmp/krb5cc_0
root@jammy-dc:/home/ubuntu/python-krb5ccparse# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx
Valid starting Expires Service principal
06/16/25 02:03:24 06/16/25 12:03:14 cifs/samba-dc.example.com@
renew until 06/17/25 02:03:11
Ticket server: cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx
root@jammy-dc:/home/ubuntu/python-krb5ccparse# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
root@jammy-dc:/home/ubuntu/python-krb5ccparse# mount -l
...
//samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=0,cache=strict,username=root,uid=0,forceuid,gid=0,forcegid,addr=192.168.122.79,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,closetimeo=1,user=root)
/var/lib/snapd/snaps/core20_2599.snap on /snap/core20/2599 type squashfs (ro,nodev,relatime,errors=continue,x-gdu.hide)
The testcase still holds, and the new package doesn't introduce any
regressions.
The package in -security-proposed fixes the issue. Happy to mark
verified for jammy.
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to cifs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/2113906
Title:
Regression: After LP2099917 cifs.upcall leaks memory on error message
if service ticket doesn't exist
Status in cifs-utils package in Ubuntu:
Fix Released
Status in cifs-utils source package in Focal:
In Progress
Status in cifs-utils source package in Jammy:
In Progress
Status in cifs-utils source package in Noble:
In Progress
Status in cifs-utils source package in Oracular:
In Progress
Status in cifs-utils source package in Plucky:
In Progress
Status in cifs-utils source package in Questing:
Fix Released
Bug description:
[Impact]
There is a pretty minor memory leak in check_service_ticket_exists(), in the
order of about 56ish bytes give or take, caused by not freeing the error
messages introduced by bug 2099917.
-release: definitely lost: 0 bytes in 0 blocks
-security/-updates regression: 56 bytes in 1 blocks
Include a fix that releases the memory, so failing cifs mounts don't leak
memory over long periods of time and cause memory exhaustion.
[Testcase]
We need to wrap cifs.upcall with a valgrind script:
$ sudo apt install valgrind
$ cat << EOF | sudo tee /usr/sbin/cifs.upcall.wrapper
#!/bin/bash
/usr/bin/valgrind /usr/sbin/cifs.upcall.bin "\$@" &> /home/ubuntu/valgrind.log
EOF
$ sudo chmod +x /usr/sbin/cifs.upcall.wrapper
$ sudo mv /usr/sbin/cifs.upcall /usr/sbin/cifs.upcall.bin
$ sudo cp /usr/sbin/cifs.upcall.wrapper /usr/sbin/cifs.upcall
$ kdestroy
$ klist
klist: No credentials cache found (filename: /tmp/krb5cc_1000)
$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
$ journalctl -b0
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1925]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.248;sec=krb5;uid=0x0;creduid=0x3e8;user=root;pid=0x776
cifs.upcall[1926]: ver=2
cifs.upcall[1926]: host=samba-dc.example.com
cifs.upcall[1926]: ip=192.168.122.248
cifs.upcall[1926]: sec=1
cifs.upcall[1926]: uid=0
cifs.upcall[1926]: creduid=1000
cifs.upcall[1926]: user=root
cifs.upcall[1926]: pid=1910
cifs.upcall[1925]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1925]: get_cachename_from_process_env: pid == 0
cifs.upcall[1925]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000
cifs.upcall[1925]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_1000)
cifs.upcall[1925]: get_tgt_time: unable to get principal
cifs.upcall[1925]: main: valid TGT is not present in credential cache
cifs.upcall[1925]: krb5_get_init_creds_keytab: -1765328378
cifs.upcall[1925]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1925]: handle_krb5_mech: using GSS-API
cifs.upcall[1925]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible
cifs.upcall[1925]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)
cifs.upcall[1925]: handle_krb5_mech: failed to obtain service ticket via GSS (458752)
cifs.upcall[1925]: Unable to obtain service ticket
cifs.upcall[1925]: Exit status 458752
kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126
kernel: CIFS: VFS: cifs_mount failed w/return code = -126
We are looking for the string:
cifs.upcall[1925]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_1000)
since check_service_ticket_exists() leaks the memory on this log line.
$ cat /home/ubuntu/valgrind.log
==1963== Memcheck, a memory error detector
==1963== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==1963== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info
==1963== Command: /usr/sbin/cifs.upcall.bin 920301411
==1963==
==1964==
==1964== HEAP SUMMARY:
==1964== in use at exit: 130 bytes in 1 blocks
==1964== total heap usage: 6 allocs, 5 frees, 4,750 bytes allocated
==1964==
==1964== LEAK SUMMARY:
==1964== definitely lost: 0 bytes in 0 blocks
==1964== indirectly lost: 0 bytes in 0 blocks
==1964== possibly lost: 0 bytes in 0 blocks
==1964== still reachable: 130 bytes in 1 blocks
==1964== suppressed: 0 bytes in 0 blocks
==1964== Rerun with --leak-check=full to see details of leaked memory
==1964==
==1964== For lists of detected and suppressed errors, rerun with: -s
==1964== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
==1963==
==1963== HEAP SUMMARY:
==1963== in use at exit: 3,690 bytes in 13 blocks
==1963== total heap usage: 756 allocs, 743 frees, 353,517 bytes allocated
==1963==
==1963== LEAK SUMMARY:
==1963== definitely lost: 56 bytes in 1 blocks
==1963== indirectly lost: 0 bytes in 0 blocks
==1963== possibly lost: 0 bytes in 0 blocks
==1963== still reachable: 3,634 bytes in 12 blocks
==1963== suppressed: 0 bytes in 0 blocks
==1963== Rerun with --leak-check=full to see details of leaked memory
==1963==
==1963== For lists of detected and suppressed errors, rerun with: -s
==1963== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
==1963== could not unlink /tmp/vgdb-pipe-from-vgdb-to-1963-by-???-on-???
==1963== could not unlink /tmp/vgdb-pipe-to-vgdb-from-1963-by-???-on-???
There are test packages available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-regression-
test
The test packages should act just like the packages in -release:
==2152== Memcheck, a memory error detector
==2152== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==2152== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info
==2152== Command: /usr/sbin/cifs.upcall.bin 918329244
==2152==
==2153==
==2153== HEAP SUMMARY:
==2153== in use at exit: 130 bytes in 1 blocks
==2153== total heap usage: 6 allocs, 5 frees, 4,750 bytes allocated
==2153==
==2153== LEAK SUMMARY:
==2153== definitely lost: 0 bytes in 0 blocks
==2153== indirectly lost: 0 bytes in 0 blocks
==2153== possibly lost: 0 bytes in 0 blocks
==2153== still reachable: 130 bytes in 1 blocks
==2153== suppressed: 0 bytes in 0 blocks
==2153== Rerun with --leak-check=full to see details of leaked memory
==2153==
==2153== For lists of detected and suppressed errors, rerun with: -s
==2153== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
==2152==
==2152== HEAP SUMMARY:
==2152== in use at exit: 3,634 bytes in 12 blocks
==2152== total heap usage: 757 allocs, 745 frees, 357,613 bytes allocated
==2152==
==2152== LEAK SUMMARY:
==2152== definitely lost: 0 bytes in 0 blocks
==2152== indirectly lost: 0 bytes in 0 blocks
==2152== possibly lost: 0 bytes in 0 blocks
==2152== still reachable: 3,634 bytes in 12 blocks
==2152== suppressed: 0 bytes in 0 blocks
==2152== Rerun with --leak-check=full to see details of leaked memory
==2152==
==2152== For lists of detected and suppressed errors, rerun with: -s
==2152== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
==2152== could not unlink /tmp/vgdb-pipe-from-vgdb-to-2152-by-???-on-???
==2152== could not unlink /tmp/vgdb-pipe-to-vgdb-from-2152-by-???-on-???
==2152== could not unlink /tmp/vgdb-pipe-shared-mem-vgdb-2152-by-???-on-???
Note "definitely lost" changes from "56 bytes in 1 blocks" to "0 bytes in 0
blocks".
[Where problems can occur]
We are changing the error handling code of identifying if a service ticket
or a TGT ticket exists. The error logging code is still called all the same,
this time we save a pointer to the buffer so it can be correctly freed later on.
If a regression were to occur, it would only occur if finding a TGT or a service
ticket fails, but if it did, we likely wouldn't be successful in mounting a
share anyway, so it would lead to poor error logging and potentially further
error messages from the kernel cifs client on failure of cifs.upcall.
A workaround would be to ensure you have a valid Kerberos credential
cache.
[Other info]
This was fixed in cifs-utils 7.4 by:
commit dc013738ec1f2e67598b264fe2eabf94c5a34570
Author: Paulo Alcantara <pc@xxxxxxxxxxxxx>
Date: Tue Apr 15 13:20:52 2025 -0300
Subject: cifs.upcall: fix memory leaks in check_service_ticket_exits()
Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=dc013738ec1f2e67598b264fe2eabf94c5a34570
Regression was introduced by bug:
https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2099917
This was also delivered with:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2099914
This will be fixed alongside:
https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2112614
Its been a fragile time for the cifs-utils package.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2113906/+subscriptions
References
