https://bugs.kde.org/show_bug.cgi?id=434234

            Bug ID: 434234
           Summary: libkdexoauth2.so causes segfault in postfix smtp
                    during xoauth2 SASL authentication
           Product: libkgapi
           Version: unspecified
          Platform: Debian unstable
                OS: Linux
            Status: REPORTED
          Severity: crash
          Priority: NOR
         Component: General
          Assignee: dvra...@kde.org
          Reporter: plr.vinc...@gmail.com
  Target Milestone: ---

(gdb) bt
#0  xsasl_cyrus_client_get_passwd (conn=0x55b2ee539630, context=0x4004,
id=-761575872, psecret=0x0) at xsasl_cyrus_client.c:197
#1  0x00007f6a3d75cf44 in _plug_get_simple (utils=utils@entry=0x55b2ee54e3b0,
id=id@entry=16388, required=required@entry=1,
result=result@entry=0x7ffed29b4640, prompt_need=prompt_need@entry=0x0) at
./src/saslplugin/plugin_common.c:373
[snip]
(gdb) up
#1  0x00007f6a3d75cf44 in _plug_get_simple (utils=utils@entry=0x55b2ee54e3b0,
id=id@entry=16388, required=required@entry=1,
result=result@entry=0x7ffed29b4640, prompt_need=prompt_need@entry=0x0) at
./src/saslplugin/plugin_common.c:373
373             ret = simple_cb(simple_context, id, result, NULL);
(gdb) print simple_context
$13 = (void *) 0x55b2ee539630
(gdb) print id
$14 = 16388
(gdb) print result
$15 = (const char **) 0x7ffed29b4640

Note how the caller (`libkdexoauth2.so`) is calling with:
- context
- id
- result
- null

but xsasl_cyrus_client_get_passwd's signature is:

  sasl_conn_t *conn, void *context, int id, sasl_secret_t **psecret

which causes `id` to end up in `context` (and so on), then `context` gets
promptly dereferenced and causes the segfault.

I believe the bug is in `xoauth2_client_mech_step`:

        /* We don't use _plug_get_password because we don't really care much
           about safety of the OAuth token */
        token_result = _plug_get_simple(utils, SASL_CB_PASS, 1, &token, prompt_need);

Both functions are *not* interchangeable in how they call the plugin:

int _plug_get_simple(const sasl_utils_t *utils, unsigned int id, int required,
                     const char **result, sasl_interact_t **prompt_need)
// ...
        ret = simple_cb(simple_context, id, result, NULL);

vs

int _plug_get_password(const sasl_utils_t *utils, sasl_secret_t **password,
                       unsigned int *iscopy, sasl_interact_t **prompt_need)
// ...
        ret = pass_cb(utils->conn, pass_context, SASL_CB_PASS, password);

Also, the structure of the returned value is incompatible: the former returns a
`char *`, the latter a `sasl_secret_t *`.

If this code is working against a SASL client, this suggests that client has a
similarly incorrect API, and fixing this code may break that client.
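To make the mismatch concrete, here is an added standalone C model (not code from this report, the plugin, or cyrus-sasl) that registers a getsecret-style SASL_CB_PASS callback and invokes it both ways. The mis-typed call is deliberate undefined behaviour and relies on the x86-64/aarch64 register calling convention to reproduce the argument shift seen in the backtrace; `app_get_secret`, `call_pass_cb_as_simple` and `call_pass_cb_correctly` are names invented for the example.

```c
/* Added model of the two libsasl callback conventions in this report; not the
 * plugin's or cyrus-sasl's code (sasl_* names are redefined here so it is
 * self-contained).  SASL_CB_PASS = 0x4004 is the id seen in the backtrace. */
#include <stddef.h>
#include <string.h>

#define SASL_CB_PASS  0x4004
#define SASL_OK       0
#define SASL_BADPARAM (-7)

typedef struct sasl_conn sasl_conn_t;
typedef struct { unsigned long len; unsigned char data[64]; } sasl_secret_t;
/* Prototype _plug_get_simple() assumes: (context, id, result, len). */
typedef int (*sasl_getsimple_t)(void *, int, const char **, unsigned *);
/* Prototype _plug_get_password() uses: (conn, context, id, psecret). */
typedef int (*sasl_getsecret_t)(sasl_conn_t *, void *, int, sasl_secret_t **);

/* The application's SASL_CB_PASS callback.  It only records its arguments
 * and refuses bad ones, so it survives a mis-typed call for inspection. */
struct seen { sasl_conn_t *conn; void *context; int id; sasl_secret_t **psecret; };
struct seen last;
static sasl_secret_t token_secret = { 5, "tok01" };   /* constructed sample */

static int app_get_secret(sasl_conn_t *conn, void *context, int id,
                          sasl_secret_t **psecret) {
    last.conn = conn; last.context = context; last.id = id; last.psecret = psecret;
    if (id != SASL_CB_PASS || psecret == NULL) return SASL_BADPARAM;
    *psecret = &token_secret;
    return SASL_OK;
}

/* What the report describes: the getsecret callback invoked through the
 * getsimple prototype.  Undefined behaviour; on x86-64/aarch64 the four
 * register arguments shift by one (conn = ctx, context = 0x4004, psecret = NULL). */
int call_pass_cb_as_simple(void *ctx, const char **result) {
    sasl_getsimple_t wrong = (sasl_getsimple_t)app_get_secret;
    return wrong(ctx, SASL_CB_PASS, result, NULL);
}

/* The convention the callback was written for (as _plug_get_password uses),
 * followed by the sasl_secret_t -> C string conversion the mech needs. */
int call_pass_cb_correctly(sasl_conn_t *conn, void *ctx, char *out, size_t n) {
    sasl_secret_t *sec = NULL;
    sasl_getsecret_t right = app_get_secret;
    int rc = right(conn, ctx, SASL_CB_PASS, &sec);
    if (rc != SASL_OK || sec == NULL || sec->len + 1 > n) return SASL_BADPARAM;
    memcpy(out, sec->data, sec->len); out[sec->len] = '\0';
    return SASL_OK;
}
```

The real callback dereferences `psecret` immediately, which is why postfix crashed instead of returning an error as this recorder does.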

On an unrelated note, may I suggest disabling the bug trackers on
invent.kde.org if that is not intended to be used?
