Re: Issue 554905 in chromium: Chrome crashes when going through Kerberos authentication

chro...@googlecode.com

Dec 3, 2015, 12:13:20 PM
to chromi...@chromium.org
Updates:
Labels: -Restrict-View-EditIssue -Needs-Feedback OS-Linux

Comment #5 on issue 554905 by raphael.ku...@intel.com: Chrome
crashes when going through Kerberos authentication
https://code.google.com/p/chromium/issues/detail?id=554905

(No comment was entered for this change.)

--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

chro...@googlecode.com

Dec 15, 2015, 11:45:27 AM
to chromi...@chromium.org

Comment #6 on issue 554905 by snild.do...@sonymobile.com: Chrome crashes
when going through Kerberos authentication
https://code.google.com/p/chromium/issues/detail?id=554905

Reproduced with 47.0.2526.80 on Ubuntu 14.04. Might be interesting to note
that my account (active directory, I guess..?) was locked at the time,
making all authentication attempts fail.

Anyway, I ran a quick session in gdb:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe0e41700 (LWP 17931)]
0x00007fffef830dc1 in ?? () from
/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2

(gdb) bt
#0 0x00007fffef830dc1 in ?? ()
from /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
#1 0x00007fffef814ed7 in gss_inquire_context ()
from /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
#2 0x000055555683886f in ?? ()
#3 0x00007fffe0e3f1ac in ?? ()
#4 0x00007fffe0e3f1a8 in ?? ()
#5 0x00007fffe0e3f1a4 in ?? ()
#6 0x00000000000d0000 in ?? ()
#7 0x00002af90ed370c0 in ?? ()
#8 0x000055555683938b in ?? ()
#9 0x00007fffe0e3f1b0 in ?? ()
#10 0x00007fffe0e3f1ac in ?? ()
#11 0x00007fffe0e3f1a8 in ?? ()
#12 0x00007fffe0e3f1a4 in ?? ()
#13 0x0000000000000000 in ?? ()


Also seeing the same problem on Chromium Browser ("Chromium 47.0.2526.73
Ubuntu 14.04"):

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffc9f7a700 (LWP 21024)]
0x00007fffe5a07dc1 in ?? () from
/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2

Chromium gives us a fuller call stack, which may be useful for anyone
trying to identify the exact use case:

(gdb) bt
#0 0x00007fffe5a07dc1 in ?? () from
/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
#1 0x00007fffe59ebed7 in gss_inquire_context () from
/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
#2 0x00007ffff6254068 in
net::HttpAuthGSSAPI::GetNextSecurityToken(std::string const&,
gss_buffer_desc_struct*, gss_buffer_desc_struct*) () from
/usr/lib/chromium-browser/libs/libnet.so
#3 0x00007ffff62548bf in
net::HttpAuthGSSAPI::GenerateAuthToken(net::AuthCredentials const*,
std::string const&, std::string*, base::Callback<void (int)> const&) ()
from /usr/lib/chromium-browser/libs/libnet.so
#4 0x00007ffff625a843 in
net::HttpAuthHandlerNegotiate::DoGenerateAuthToken() () from
/usr/lib/chromium-browser/libs/libnet.so
#5 0x00007ffff625ac38 in net::HttpAuthHandlerNegotiate::DoLoop(int) ()
from /usr/lib/chromium-browser/libs/libnet.so
#6 0x00007ffff625ac6e in
net::HttpAuthHandlerNegotiate::GenerateAuthTokenImpl(net::AuthCredentials
const*, net::HttpRequestInfo const*, base::Callback<void (int)> const&,
std::string*) () from /usr/lib/chromium-browser/libs/libnet.so
#7 0x00007ffff62550a4 in
net::HttpAuthHandler::GenerateAuthToken(net::AuthCredentials const*,
net::HttpRequestInfo const*, base::Callback<void (int)> const&,
std::string*) () from /usr/lib/chromium-browser/libs/libnet.so
#8 0x00007ffff6252020 in
net::HttpAuthController::MaybeGenerateAuthToken(net::HttpRequestInfo
const*, base::Callback<void (int)> const&, net::BoundNetLog const&) () from
/usr/lib/chromium-browser/libs/libnet.so
#9 0x00007ffff6271145 in
net::HttpNetworkTransaction::DoGenerateServerAuthToken() () from
/usr/lib/chromium-browser/libs/libnet.so
#10 0x00007ffff6273868 in net::HttpNetworkTransaction::DoLoop(int) ()
from /usr/lib/chromium-browser/libs/libnet.so
#11 0x00007ffff6273b57 in
net::HttpNetworkTransaction::RestartWithAuth(net::AuthCredentials const&,
base::Callback<void (int)> const&) () from
/usr/lib/chromium-browser/libs/libnet.so
#12 0x0000555555dbd7ea in ?? ()
#13 0x00007ffff626944f in
net::HttpCache::Transaction::RestartNetworkRequestWithAuth(net::AuthCredentials
const&) () from /usr/lib/chromium-browser/libs/libnet.so
#14 0x00007ffff62694dc in
net::HttpCache::Transaction::RestartWithAuth(net::AuthCredentials const&,
base::Callback<void (int)> const&) () from
/usr/lib/chromium-browser/libs/libnet.so
#15 0x00007ffff635e5b5 in
net::URLRequestHttpJob::StartTransactionInternal() () from
/usr/lib/chromium-browser/libs/libnet.so
#16 0x00007ffff635e9a0 in
net::URLRequestHttpJob::MaybeStartTransactionInternal(int) () from
/usr/lib/chromium-browser/libs/libnet.so
#17 0x00007ffff635ea6d in net::URLRequestHttpJob::StartTransaction() ()
from /usr/lib/chromium-browser/libs/libnet.so
#18 0x00007ffff635f8cb in
net::URLRequestHttpJob::OnCookiesLoaded(std::string const&) () from
/usr/lib/chromium-browser/libs/libnet.so
#19 0x00007ffff61cd569 in
net::CookieMonster::CookieMonsterTask::InvokeCallback(base::Callback<void
()>) () from /usr/lib/chromium-browser/libs/libnet.so
#20 0x00007ffff61d98d2 in
net::CookieMonster::GetCookiesWithOptionsTask::Run() () from
/usr/lib/chromium-browser/libs/libnet.so
#21 0x00007ffff61d40f0 in
net::CookieMonster::DoCookieTaskForURL(scoped_refptr<net::CookieMonster::CookieMonsterTask>
const&, GURL const&) () from /usr/lib/chromium-browser/libs/libnet.so
#22 0x00007ffff61d4c0e in
net::CookieMonster::GetCookiesWithOptionsAsync(GURL const&,
net::CookieOptions const&, base::Callback<void (std::string const&)>
const&) () from /usr/lib/chromium-browser/libs/libnet.so
#23 0x00007ffff635c9d9 in net::URLRequestHttpJob::DoLoadCookies() ()
from /usr/lib/chromium-browser/libs/libnet.so
#24 0x00007ffff61cd569 in
net::CookieMonster::CookieMonsterTask::InvokeCallback(base::Callback<void
()>) () from /usr/lib/chromium-browser/libs/libnet.so
#25 0x00007ffff61d9c17 in
net::CookieMonster::GetAllCookiesForURLWithOptionsTask::Run() () from
/usr/lib/chromium-browser/libs/libnet.so
#26 0x00007ffff61d40f0 in
net::CookieMonster::DoCookieTaskForURL(scoped_refptr<net::CookieMonster::CookieMonsterTask>
const&, GURL const&) () from /usr/lib/chromium-browser/libs/libnet.so
#27 0x00007ffff61d4855 in
net::CookieMonster::GetAllCookiesForURLAsync(GURL const&,
base::Callback<void (std::vector<net::CanonicalCookie,
std::allocator<net::CanonicalCookie> > const&)> const&) ()
from /usr/lib/chromium-browser/libs/libnet.so
#28 0x00007ffff635ebf4 in
net::URLRequestHttpJob::AddCookieHeaderAndStart() () from
/usr/lib/chromium-browser/libs/libnet.so
#29 0x00007ffff635ef60 in
net::URLRequestHttpJob::RestartTransactionWithAuth(net::AuthCredentials
const&) () from /usr/lib/chromium-browser/libs/libnet.so
#30 0x00007ffff635f248 in
net::URLRequestHttpJob::NotifyHeadersComplete() () from
/usr/lib/chromium-browser/libs/libnet.so
#31 0x00007ffff635f547 in net::URLRequestHttpJob::SaveNextCookie() ()
from /usr/lib/chromium-browser/libs/libnet.so
#32 0x00007ffff635fd89 in
net::URLRequestHttpJob::SaveCookiesAndNotifyHeadersComplete(int) () from
/usr/lib/chromium-browser/libs/libnet.so
#33 0x00007ffff635ffae in ?? () from
/usr/lib/chromium-browser/libs/libnet.so
#34 0x00007ffff6268da5 in net::HttpCache::Transaction::DoLoop(int) ()
from /usr/lib/chromium-browser/libs/libnet.so
#35 0x0000555555dbd609 in ?? ()
#36 0x00007ffff626f9b4 in net::HttpNetworkTransaction::DoCallback(int)
() from /usr/lib/chromium-browser/libs/libnet.so
#37 0x00007ffff629cb0c in net::HttpStreamParser::OnIOComplete(int) ()
from /usr/lib/chromium-browser/libs/libnet.so
#38 0x00007ffff6301c6f in
net::TCPClientSocket::DidCompleteReadWrite(base::Callback<void (int)>
const&, int) () from /usr/lib/chromium-browser/libs/libnet.so
#39 0x00007ffff6304241 in
net::TCPSocketPosix::ReadCompleted(scoped_refptr<net::IOBuffer> const&,
base::Callback<void (int)> const&, int) () from
/usr/lib/chromium-browser/libs/libnet.so
#40 0x00007ffff6302ea2 in ?? () from
/usr/lib/chromium-browser/libs/libnet.so
#41 0x00007ffff62f883a in net::SocketPosix::ReadCompleted() () from
/usr/lib/chromium-browser/libs/libnet.so
#42 0x00007fffec7ee0a8 in
base::MessagePumpLibevent::FileDescriptorWatcher::OnFileCanReadWithoutBlocking(int,
base::MessagePumpLibevent*) () from
/usr/lib/chromium-browser/libs/libbase.so
#43 0x00007fffec7ee20e in
base::MessagePumpLibevent::OnLibeventNotification(int, short, void*) ()
from /usr/lib/chromium-browser/libs/libbase.so
#44 0x00007fffec88ebce in ?? () from
/usr/lib/chromium-browser/libs/libbase.so
#45 0x00007fffec7ed822 in
base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) () from
/usr/lib/chromium-browser/libs/libbase.so
#46 0x00007fffec83a688 in base::RunLoop::Run() () from
/usr/lib/chromium-browser/libs/libbase.so
#47 0x00007fffec81db65 in base::MessageLoop::Run() () from
/usr/lib/chromium-browser/libs/libbase.so
#48 0x00007ffff3d094f5 in
content::BrowserThreadImpl::IOThreadRun(base::MessageLoop*) () from
/usr/lib/chromium-browser/libs/libcontent.so
#49 0x00007ffff3d095fb in
content::BrowserThreadImpl::Run(base::MessageLoop*) () from
/usr/lib/chromium-browser/libs/libcontent.so
#50 0x00007fffec85b1c4 in base::Thread::ThreadMain() () from
/usr/lib/chromium-browser/libs/libbase.so
#51 0x00007fffec856d50 in ?? () from
/usr/lib/chromium-browser/libs/libbase.so
#52 0x00007fffe4c27182 in start_thread (arg=0x7fffc9f7a700) at
pthread_create.c:312
#53 0x00007fffe03fe47d in clone ()
at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

(gdb) disass
No function contains program counter for selected frame.

(gdb) disass $pc,+40
Dump of assembler code from 0x7fffe5a07dc1 to 0x7fffe5a07de9:
=> 0x00007fffe5a07dc1: mov 0x58(%rbp),%r9d
0x00007fffe5a07dc5: mov %r9d,(%rsi)
0x00007fffe5a07dc8: test %rax,%rax
0x00007fffe5a07dcb: je 0x7fffe5a07dd2
0x00007fffe5a07dcd: mov 0x5c(%rbp),%esi
0x00007fffe5a07dd0: mov %esi,(%rax)
0x00007fffe5a07dd2: mov 0x28(%rbp),%rsi
0x00007fffe5a07dd6: xor %eax,%eax
0x00007fffe5a07dd8: test %rsi,%rsi
0x00007fffe5a07ddb: je 0x7fffe5a07dfb
0x00007fffe5a07ddd: movq $0x0,0x10(%rsp)
0x00007fffe5a07de6: movq $0x0,0x8(%rsp)
End of assembler dump.

(gdb) info reg
rax 0x7fffc9f78058 140736581828696
rbx 0x7fffc9f78050 140736581828688
rcx 0x7fffc9f77f90 140736581828496
rdx 0x7fffc9f77f98 140736581828504
rsi 0x7fffc9f78054 140736581828692
rdi 0x7fffc9f78048 140736581828680
rbp 0x0 0x0
rsp 0x7fffc9f77f20 0x7fffc9f77f20
r8 0x7fffc9f7804c 140736581828684
r9 0x7fffc9f77f88 140736581828488
r10 0x7fffe5c18a30 140737048054320
r11 0x7fffe048a870 140736956246128
r12 0x7fffc9f77f88 140736581828488
r13 0x7fffc9f780d0 140736581828816
r14 0x7fffc9f780d8 140736581828824
r15 0x3529a45b62e0 58452967383776
rip 0x7fffe5a07dc1 0x7fffe5a07dc1
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0

So it's a NULL pointer access (trying to access %rbp+0x58, and %rbp is 0).
Not sure if it's caused by a bug in the lib or a faulty arg from the
browser, though.
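
A small triage helper, added here as an example and not part of this thread, of Chromium or of krb5, that automates the reasoning in the comment above: it parses the faulting instruction's AT&T memory operand and the `info reg` dump, computes the effective address, and flags a dereference inside the first page as NULL-based. The register rows are copied from the gdb session above; the 0x1000 page threshold is an assumption, as is the constructed scaled-index test input.

```python
"""Resolve a faulting instruction's memory operand against gdb `info reg` (added example)."""
import re

# Register rows copied from the gdb session in comment #6 (only the rows used here).
INFO_REG = """\
rax 0x7fffc9f78058 140736581828696
rbp 0x0 0x0
rsp 0x7fffc9f77f20 0x7fffc9f77f20
rsi 0x7fffc9f78054 140736581828692
rip 0x7fffe5a07dc1 0x7fffe5a07dc1
"""
FAULT_LINE = "=> 0x00007fffe5a07dc1: mov 0x58(%rbp),%r9d"

REG_RE = re.compile(r"^(\w+)\s+(0x[0-9a-fA-F]+)")
# AT&T memory operand: disp(%base,%index,scale); every part except the parens is optional.
MEM_RE = re.compile(r"(?P<disp>-?0x[0-9a-fA-F]+|-?\d+)?"
                    r"\((?P<base>%\w+)?(?:,(?P<index>%\w+)(?:,(?P<scale>[1248]))?)?\)")
MASK64 = (1 << 64) - 1

def parse_registers(info_reg: str) -> dict:
    """Map register name -> integer value, taking the hex column of each `info reg` row."""
    regs = {}
    for line in info_reg.splitlines():
        m = REG_RE.match(line.strip())
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs

def effective_address(insn: str, regs: dict) -> int:
    """disp + base + index*scale for the instruction's memory operand (64-bit registers assumed)."""
    m = MEM_RE.search(insn)
    if m is None:
        raise ValueError(f"no memory operand in {insn!r}")
    disp = int(m.group("disp"), 0) if m.group("disp") else 0
    base = regs[m.group("base").lstrip("%")] if m.group("base") else 0
    index = regs[m.group("index").lstrip("%")] if m.group("index") else 0
    return (disp + base + index * int(m.group("scale") or 1)) & MASK64

def triage_fault(disass_line: str, info_reg: str, null_page: int = 0x1000) -> dict:
    """Classify the access: a target inside the (assumed unmapped) first page is a NULL-based
    dereference, i.e. a missing or uninitialised pointer rather than a wild or freed one."""
    insn = disass_line.split(":", 1)[1].strip()  # drop the "=> 0x...:" prefix gdb prints
    addr = effective_address(insn, parse_registers(info_reg))
    return {"insn": insn, "address": addr, "null_deref": addr < null_page}

if __name__ == "__main__":
    r = triage_fault(FAULT_LINE, INFO_REG)
    print(f"{r['insn']} -> {r['address']:#x}, NULL-page dereference: {r['null_deref']}")
```

For the quoted session it reports 0x58 as the target, i.e. field offset 0x58 of a NULL struct pointer in %rbp.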

chro...@googlecode.com

Dec 16, 2015, 6:14:44 AM
to chromi...@chromium.org

Comment #7 on issue 554905 by snild.do...@sonymobile.com: Chrome crashes
when going through Kerberos authentication
https://code.google.com/p/chromium/issues/detail?id=554905

With my account unlocked (=authentication passing), I am no longer
reproducing the crash.

chro...@googlecode.com

Jan 6, 2016, 9:11:58 AM
to chromi...@chromium.org

Comment #8 on issue 554905 by raphael.ku...@intel.com: Chrome
crashes when going through Kerberos authentication
https://code.google.com/p/chromium/issues/detail?id=554905

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1295893.
This spawned some work upstream to make the library calls more resilient to
failure: https://github.com/krb5/krb5/pull/385

chro...@googlecode.com

Jan 12, 2016, 5:11:26 AM
to chromi...@chromium.org

Comment #9 on issue 554905 by ssamano...@chromium.org: Chrome crashes when
going through Kerberos authentication
https://code.google.com/p/chromium/issues/detail?id=554905

Link to list of builds:
https://goto.google.com/bsxky

48.0.2564.48 0.44% 1 --previous beta
47.0.2526.106 16.16% 37 --latest stable

chro...@googlecode.com

Jan 12, 2016, 11:29:46 PM
to chromi...@chromium.org
Updates:
Labels: Cr-Internals-Network-Auth

Comment #10 on issue 554905 by cbiesin...@chromium.org: Chrome crashes when
going through Kerberos authentication
https://code.google.com/p/chromium/issues/detail?id=554905

(No comment was entered for this change.)

chro...@googlecode.com

Jan 13, 2016, 11:13:35 AM
to chromi...@chromium.org
Updates:
Status: WontFix

Comment #11 on issue 554905 by asa...@chromium.org: Chrome crashes when
going through Kerberos authentication
https://code.google.com/p/chromium/issues/detail?id=554905

#8: Thanks for the links. Based on https://github.com/krb5/krb5/pull/385 it
looks like we are tripping a bug in the MIT Kerberos library.

The call site in //net is sound though not strictly necessary. The issue in
the library is triggered when trying to diagnose a failed
gss_init_sec_context() call by calling gss_inquire_context(). The diagnosis
isn't even displayed to the user. It's logged to the chrome_debug.log file
if logging is enabled. I filed a separate issue (issue 577205) to clean
this up since the root cause of this crash lies in the library, not in
Chrome.

I didn't look deep enough into the krb5 code to determine when this
regressed or if this was a regression.