** Description changed: [Impact] There is a pretty minor memory leak in check_service_ticket_exists(), in the order of about 56ish bytes give or take, caused by not freeing the error messages introduced by bug 2099917. -release: definitely lost: 0 bytes in 0 blocks -security/-updates regression: 56 bytes in 1 blocks Include a fix that releases the memory, so failing cifs mounts don't leak memory over long periods of time and cause memory exhaustion. [Testcase] We need to wrap cifs.upcall with a valgrind script: + $ sudo apt install valgrind $ cat << EOF | sudo tee /usr/sbin/cifs.upcall.wrapper #!/bin/bash /usr/bin/valgrind /usr/sbin/cifs.upcall.bin "$@" &> /home/ubuntu/valgrind.log" EOF $ sudo chmod +x /usr/sbin/cifs.upcall.wrapper $ sudo mv /usr/sbin/cifs.upcall /usr/sbin/cifs.upcall.bin $ sudo cp /usr/sbin/cifs.upcall.wrapper /usr/sbin/cifs.upcall $ kdestroy $ klist klist: No credentials cache found (filename: /tmp/krb5cc_1000) $ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1 mount error(126): Required key not available Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg) $ journalctl -b0 kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[1925]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.248;sec=krb5;uid=0x0;creduid=0x3e8;user=root;pid=0x776 cifs.upcall[1926]: ver=2 cifs.upcall[1926]: host=samba-dc.example.com cifs.upcall[1926]: ip=192.168.122.248 cifs.upcall[1926]: sec=1 cifs.upcall[1926]: uid=0 cifs.upcall[1926]: creduid=1000 cifs.upcall[1926]: user=root cifs.upcall[1926]: pid=1910 cifs.upcall[1925]: upcall_target=app, switching namespaces to application thread cifs.upcall[1925]: get_cachename_from_process_env: pid == 0 cifs.upcall[1925]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000 cifs.upcall[1925]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_1000) cifs.upcall[1925]: get_tgt_time: unable to get principal cifs.upcall[1925]: main: valid TGT is not present in credential cache cifs.upcall[1925]: krb5_get_init_creds_keytab: -1765328378 cifs.upcall[1925]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[1925]: handle_krb5_mech: using GSS-API cifs.upcall[1925]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible cifs.upcall[1925]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000) cifs.upcall[1925]: handle_krb5_mech: failed to obtain service ticket via GSS (458752) cifs.upcall[1925]: Unable to obtain service ticket cifs.upcall[1925]: Exit status 458752 kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126 kernel: CIFS: VFS: cifs_mount failed w/return code = -126 We are looking for the string: cifs.upcall[1925]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_1000) since check_service_ticket_exists() leaks the memory on this log line. $ cat /home/ubuntu/valgrind.log ==1963== Memcheck, a memory error detector ==1963== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al. ==1963== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info ==1963== Command: /usr/sbin/cifs.upcall.bin 920301411 - ==1963== - ==1964== + ==1963== + ==1964== ==1964== HEAP SUMMARY: ==1964== in use at exit: 130 bytes in 1 blocks ==1964== total heap usage: 6 allocs, 5 frees, 4,750 bytes allocated - ==1964== + ==1964== ==1964== LEAK SUMMARY: ==1964== definitely lost: 0 bytes in 0 blocks ==1964== indirectly lost: 0 bytes in 0 blocks ==1964== possibly lost: 0 bytes in 0 blocks ==1964== still reachable: 130 bytes in 1 blocks ==1964== suppressed: 0 bytes in 0 blocks ==1964== Rerun with --leak-check=full to see details of leaked memory - ==1964== + ==1964== ==1964== For lists of detected and suppressed errors, rerun with: -s ==1964== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) - ==1963== + ==1963== ==1963== HEAP SUMMARY: ==1963== in use at exit: 3,690 bytes in 13 blocks ==1963== total heap usage: 756 allocs, 743 frees, 353,517 bytes allocated - ==1963== + ==1963== ==1963== LEAK SUMMARY: ==1963== definitely lost: 56 bytes in 1 blocks ==1963== indirectly lost: 0 bytes in 0 blocks ==1963== possibly lost: 0 bytes in 0 blocks ==1963== still reachable: 3,634 bytes in 12 blocks ==1963== suppressed: 0 bytes in 0 blocks ==1963== Rerun with --leak-check=full to see details of leaked memory - ==1963== + ==1963== ==1963== For lists of detected and suppressed errors, rerun with: -s ==1963== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) ==1963== could not unlink /tmp/vgdb-pipe-from-vgdb-to-1963-by-???-on-??? ==1963== could not unlink /tmp/vgdb-pipe-to-vgdb-from-1963-by-???-on-??? There are test packages available in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-regression-test The test packages should act just like the packages in -release: ==2152== Memcheck, a memory error detector ==2152== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al. ==2152== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info ==2152== Command: /usr/sbin/cifs.upcall.bin 918329244 - ==2152== - ==2153== + ==2152== + ==2153== ==2153== HEAP SUMMARY: ==2153== in use at exit: 130 bytes in 1 blocks ==2153== total heap usage: 6 allocs, 5 frees, 4,750 bytes allocated - ==2153== + ==2153== ==2153== LEAK SUMMARY: ==2153== definitely lost: 0 bytes in 0 blocks ==2153== indirectly lost: 0 bytes in 0 blocks ==2153== possibly lost: 0 bytes in 0 blocks ==2153== still reachable: 130 bytes in 1 blocks ==2153== suppressed: 0 bytes in 0 blocks ==2153== Rerun with --leak-check=full to see details of leaked memory - ==2153== + ==2153== ==2153== For lists of detected and suppressed errors, rerun with: -s ==2153== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) - ==2152== + ==2152== ==2152== HEAP SUMMARY: ==2152== in use at exit: 3,634 bytes in 12 blocks ==2152== total heap usage: 757 allocs, 745 frees, 357,613 bytes allocated - ==2152== + ==2152== ==2152== LEAK SUMMARY: ==2152== definitely lost: 0 bytes in 0 blocks ==2152== indirectly lost: 0 bytes in 0 blocks ==2152== possibly lost: 0 bytes in 0 blocks ==2152== still reachable: 3,634 bytes in 12 blocks ==2152== suppressed: 0 bytes in 0 blocks ==2152== Rerun with --leak-check=full to see details of leaked memory - ==2152== + ==2152== ==2152== For lists of detected and suppressed errors, rerun with: -s ==2152== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) ==2152== could not unlink /tmp/vgdb-pipe-from-vgdb-to-2152-by-???-on-??? ==2152== could not unlink /tmp/vgdb-pipe-to-vgdb-from-2152-by-???-on-??? ==2152== could not unlink /tmp/vgdb-pipe-shared-mem-vgdb-2152-by-???-on-??? - Note "definitely lost" changes from "56 bytes in 1 blocks" to "0 bytes in 0 + Note "definitely lost" changes from "56 bytes in 1 blocks" to "0 bytes in 0 blocks". [Where problems can occur] We are changing the error handling code of identifying if a service ticket or a TGT ticket exists. The error logging code is still called all the same, this time we save a pointer to the buffer so it can be correctly freed later on. If a regression were to occur, it would only occur if finding a TGT or a service ticket fails, but if it did, we likely wouldn't be successful in mounting a share anyway, so it would lead to poor error logging and potentially further error messages from the kernel cifs client on failure of cifs.upcall. A workaround would be to ensure you have a valid Kerberos credential cache. [Other info] This was fixed in cifs-utils 7.4 by: commit dc013738ec1f2e67598b264fe2eabf94c5a34570 Author: Paulo Alcantara <[email protected]> Date: Tue Apr 15 13:20:52 2025 -0300 Subject: cifs.upcall: fix memory leaks in check_service_ticket_exits() Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=dc013738ec1f2e67598b264fe2eabf94c5a34570 Regression was introduced by bug: https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2099917 This was also delivered with: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2099914 This will be fixed alongside: https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2112614 Its been a fragile time for the cifs-utils package.
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2113906 Title: Regression: After LP2099917 cifs.upcall leaks memory on error message if service ticket doesn't exist To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2113906/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
