Debdiffs for this bug are over on the primary bug: https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2112614
I won't fix questing, we will just sync the new release when it arrives in debian. ** Description changed: [Impact] + + There is a pretty minor memory leak in check_service_ticket_exists(), in the + order of about 56ish bytes give or take, caused by not freeing the error + messages introduced by bug 2099917. + + -release: definitely lost: 0 bytes in 0 blocks + -security/-updates regression: 56 bytes in 1 blocks + + Include a fix that releases the memory, so failing cifs mounts don't leak + memory over long periods of time and cause memory exhaustion. [Testcase] + We need to wrap cifs.upcall with a valgrind script: + + $ cat << EOF | sudo tee /usr/sbin/cifs.upcall.wrapper + #!/bin/bash + /usr/bin/valgrind /usr/sbin/cifs.upcall.bin "$@" &> /home/ubuntu/valgrind.log" + EOF + $ sudo chmod +x /usr/sbin/cifs.upcall.wrapper + $ sudo mv /usr/sbin/cifs.upcall /usr/sbin/cifs.upcall.bin + $ sudo cp /usr/sbin/cifs.upcall.wrapper /usr/sbin/cifs.upcall + + $ kdestroy + $ klist + klist: No credentials cache found (filename: /tmp/krb5cc_1000) + $ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1 + mount error(126): Required key not available + Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg) + $ journalctl -b0 + kernel: CIFS: Attempting to mount //samba-dc.example.com/demo + cifs.upcall[1925]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.248;sec=krb5;uid=0x0;creduid=0x3e8;user=root;pid=0x776 + cifs.upcall[1926]: ver=2 + cifs.upcall[1926]: host=samba-dc.example.com + cifs.upcall[1926]: ip=192.168.122.248 + cifs.upcall[1926]: sec=1 + cifs.upcall[1926]: uid=0 + cifs.upcall[1926]: creduid=1000 + cifs.upcall[1926]: user=root + cifs.upcall[1926]: pid=1910 + cifs.upcall[1925]: upcall_target=app, switching namespaces to application thread + cifs.upcall[1925]: get_cachename_from_process_env: pid == 0 + cifs.upcall[1925]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000 + cifs.upcall[1925]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_1000) + cifs.upcall[1925]: get_tgt_time: unable to get principal + cifs.upcall[1925]: main: valid TGT is not present in credential cache + cifs.upcall[1925]: krb5_get_init_creds_keytab: -1765328378 + cifs.upcall[1925]: handle_krb5_mech: getting service ticket for samba-dc.example.com + cifs.upcall[1925]: handle_krb5_mech: using GSS-API + cifs.upcall[1925]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible + cifs.upcall[1925]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000) + cifs.upcall[1925]: handle_krb5_mech: failed to obtain service ticket via GSS (458752) + cifs.upcall[1925]: Unable to obtain service ticket + cifs.upcall[1925]: Exit status 458752 + kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed + kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126 + kernel: CIFS: VFS: cifs_mount failed w/return code = -126 + + We are looking for the string: + cifs.upcall[1925]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_1000) + since check_service_ticket_exists() leaks the memory on this log line. + + $ cat /home/ubuntu/valgrind.log + ==1963== Memcheck, a memory error detector + ==1963== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al. + ==1963== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info + ==1963== Command: /usr/sbin/cifs.upcall.bin 920301411 + ==1963== + ==1964== + ==1964== HEAP SUMMARY: + ==1964== in use at exit: 130 bytes in 1 blocks + ==1964== total heap usage: 6 allocs, 5 frees, 4,750 bytes allocated + ==1964== + ==1964== LEAK SUMMARY: + ==1964== definitely lost: 0 bytes in 0 blocks + ==1964== indirectly lost: 0 bytes in 0 blocks + ==1964== possibly lost: 0 bytes in 0 blocks + ==1964== still reachable: 130 bytes in 1 blocks + ==1964== suppressed: 0 bytes in 0 blocks + ==1964== Rerun with --leak-check=full to see details of leaked memory + ==1964== + ==1964== For lists of detected and suppressed errors, rerun with: -s + ==1964== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) + ==1963== + ==1963== HEAP SUMMARY: + ==1963== in use at exit: 3,690 bytes in 13 blocks + ==1963== total heap usage: 756 allocs, 743 frees, 353,517 bytes allocated + ==1963== + ==1963== LEAK SUMMARY: + ==1963== definitely lost: 56 bytes in 1 blocks + ==1963== indirectly lost: 0 bytes in 0 blocks + ==1963== possibly lost: 0 bytes in 0 blocks + ==1963== still reachable: 3,634 bytes in 12 blocks + ==1963== suppressed: 0 bytes in 0 blocks + ==1963== Rerun with --leak-check=full to see details of leaked memory + ==1963== + ==1963== For lists of detected and suppressed errors, rerun with: -s + ==1963== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) + ==1963== could not unlink /tmp/vgdb-pipe-from-vgdb-to-1963-by-???-on-??? + ==1963== could not unlink /tmp/vgdb-pipe-to-vgdb-from-1963-by-???-on-??? + + There are test packages available in the following ppa: + + https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-regression-test + + The test packages should act just like the packages in -release: + + ==2152== Memcheck, a memory error detector + ==2152== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al. + ==2152== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info + ==2152== Command: /usr/sbin/cifs.upcall.bin 918329244 + ==2152== + ==2153== + ==2153== HEAP SUMMARY: + ==2153== in use at exit: 130 bytes in 1 blocks + ==2153== total heap usage: 6 allocs, 5 frees, 4,750 bytes allocated + ==2153== + ==2153== LEAK SUMMARY: + ==2153== definitely lost: 0 bytes in 0 blocks + ==2153== indirectly lost: 0 bytes in 0 blocks + ==2153== possibly lost: 0 bytes in 0 blocks + ==2153== still reachable: 130 bytes in 1 blocks + ==2153== suppressed: 0 bytes in 0 blocks + ==2153== Rerun with --leak-check=full to see details of leaked memory + ==2153== + ==2153== For lists of detected and suppressed errors, rerun with: -s + ==2153== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) + ==2152== + ==2152== HEAP SUMMARY: + ==2152== in use at exit: 3,634 bytes in 12 blocks + ==2152== total heap usage: 757 allocs, 745 frees, 357,613 bytes allocated + ==2152== + ==2152== LEAK SUMMARY: + ==2152== definitely lost: 0 bytes in 0 blocks + ==2152== indirectly lost: 0 bytes in 0 blocks + ==2152== possibly lost: 0 bytes in 0 blocks + ==2152== still reachable: 3,634 bytes in 12 blocks + ==2152== suppressed: 0 bytes in 0 blocks + ==2152== Rerun with --leak-check=full to see details of leaked memory + ==2152== + ==2152== For lists of detected and suppressed errors, rerun with: -s + ==2152== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) + ==2152== could not unlink /tmp/vgdb-pipe-from-vgdb-to-2152-by-???-on-??? + ==2152== could not unlink /tmp/vgdb-pipe-to-vgdb-from-2152-by-???-on-??? + ==2152== could not unlink /tmp/vgdb-pipe-shared-mem-vgdb-2152-by-???-on-??? + + Note "definitely lost" changes from "56 bytes in 1 blocks" to "0 bytes in 0 + blocks". + [Where problems can occur] + + We are changing the error handling code of identifying if a service ticket + or a TGT ticket exists. The error logging code is still called all the same, + this time we save a pointer to the buffer so it can be correctly freed later on. + + If a regression were to occur, it would only occur if finding a TGT or a service + ticket fails, but if it did, we likely wouldn't be successful in mounting a + share anyway, so it would lead to poor error logging and potentially further + error messages from the kernel cifs client on failure of cifs.upcall. + + A workaround would be to ensure you have a valid Kerberos credential + cache. [Other info] This was fixed in cifs-utils 7.4 by: commit dc013738ec1f2e67598b264fe2eabf94c5a34570 Author: Paulo Alcantara <p...@manguebit.com> - Date: Tue Apr 15 13:20:52 2025 -0300 + Date: Tue Apr 15 13:20:52 2025 -0300 Subject: cifs.upcall: fix memory leaks in check_service_ticket_exits() Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=dc013738ec1f2e67598b264fe2eabf94c5a34570 Regression was introduced by bug: https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2099917 This was also delivered with: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2099914 This will be fixed alongside: https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2112614 Its been a fragile time for the cifs-utils package. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2113906 Title: Regression: After LP2099917 cifs.upcall leaks memory on error message if service ticket doesn't exist To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2113906/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
