Use-after free if more sudo requests run and one of them fails, causing a fail-over to a next server #4586

Closed
sssd-bot opened this issue May 2, 2020 · 0 comments
sssd-bot commented May 2, 2020

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/3562


Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1498734

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

We used to remember id_ctx->srv_opts in the sudo request to switch
the latest usn values. This works fine most of the time, but it may cause
a crash.

If we have two concurrent sudo refreshes and one of them fails, it causes
failover to try the next server, possibly replacing the old srv_opts
with a new one, and that causes an access after free in the other refresh.
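
The race described above, as an added example that is not part of the original issue and is not SSSD code. It is a simplified model: the struct names follow the issue text, while `opts_new`, `failover`, `store_usn`, `second_refresh_ok` and the `live` flag are hypothetical, and reading `srv_opts` from the context at the time of use is an assumed remedy, not necessarily the change merged upstream.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model: names follow the issue text, this is not SSSD code. */
struct srv_opts { bool live; unsigned long max_usn; };
struct id_ctx { struct srv_opts *srv_opts; };

/* Static slots stand in for heap objects, so checking a released one is
 * well defined here; with malloc/free the same check would itself be a UAF. */
static struct srv_opts slots[8];
static size_t next_slot;

static struct srv_opts *opts_new(unsigned long usn) {
    struct srv_opts *o = &slots[next_slot++ % 8];
    o->live = true;
    o->max_usn = usn;
    return o;
}

/* Failover to the next server replaces srv_opts and releases the old one. */
static void failover(struct id_ctx *ctx) {
    struct srv_opts *old = ctx->srv_opts;
    ctx->srv_opts = opts_new(0);
    old->live = false; /* stands in for freeing the old options */
}

/* Refresh completion: store the new USN; false means the target was released. */
static bool store_usn(struct srv_opts *o, unsigned long usn) {
    if (!o->live) return false;
    o->max_usn = usn;
    return true;
}

/* Two refreshes in flight; the first fails and triggers failover, then the
 * second completes. cached=true: the request kept the pointer it saw at
 * start. cached=false: it kept only id_ctx and reads srv_opts when needed. */
static bool second_refresh_ok(bool cached) {
    struct id_ctx ctx = { opts_new(100) };
    struct srv_opts *remembered = ctx.srv_opts; /* taken at request start */
    failover(&ctx);                             /* caused by the first refresh */
    return store_usn(cached ? remembered : ctx.srv_opts, 120);
}

int main(void) {
    printf("cached pointer usable: %d\n", second_refresh_ok(true));
    printf("late lookup usable:    %d\n", second_refresh_ok(false));
    return 0;
}
```
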

Comments


Comment from jhrozek at 2017-10-31 22:14:50

Metadata Update from @jhrozek:


Comment from jhrozek at 2017-10-31 22:20:12

PR: #429


Comment from jhrozek at 2017-10-31 22:20:13

Metadata Update from @jhrozek:

  • Issue assigned to pbrezina
  • Issue set to the milestone: None
  • Issue tagged with: PR, bug

Comment from jhrozek at 2017-10-31 22:20:40

The only question before triage is if this also affects other branches, i.e. if we should apply the patch to sssd-1-13 as well.


Comment from lslebodn at 2017-10-31 23:13:20

master:

sssd-1-14:

Version for 1.13 could be easily done with cherry-pick. There is just a trivial conflict due to fq names refactoring sdap_sudo_qualify_names


Comment from jhrozek at 2017-11-02 15:00:07

@pbrezina could you prepare a sssd-1-13 backport when you're done with the access control attestation tool?

If you prefer, I can open a sssd-1-13 ticket just asking for the backport.


Comment from jhrozek at 2017-11-02 15:01:42

Metadata Update from @jhrozek:

  • Issue set to the milestone: SSSD 1.16.1

Comment from pbrezina at 2017-11-06 12:12:47

PR for 1.13:
https//github.com//pull/439


Comment from lslebodn at 2017-11-10 14:28:19

sssd-1-13:


Comment from lslebodn at 2017-11-10 14:28:32

Metadata Update from @lslebodn:

  • Issue close_status updated to: Fixed
  • Issue status updated to: Closed (was: Open)
@sssd-bot sssd-bot added Bugzilla Closed: Fixed Issue was closed as fixed. labels May 2, 2020
@sssd-bot sssd-bot closed this as completed May 2, 2020