Bug 434234 - libkdexoauth2.so causes segfault in postfix smtp during xoauth2 SASL authentication
Status: REPORTED
Alias: None
Product: libkgapi
Classification: Frameworks and Libraries
Component: General (other bugs)
Version First Reported In: unspecified
Platform: Debian unstable Linux
: NOR crash
Target Milestone: ---
Assignee: Daniel Vrátil
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-10 13:19 UTC by Vincent Pelletier
Modified: 2021-03-10 13:19 UTC

See Also:
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:


Description Vincent Pelletier 2021-03-10 13:19:34 UTC
(gdb) bt
#0  xsasl_cyrus_client_get_passwd (conn=0x55b2ee539630, context=0x4004, id=-761575872, psecret=0x0) at xsasl_cyrus_client.c:197
#1  0x00007f6a3d75cf44 in _plug_get_simple (utils=utils@entry=0x55b2ee54e3b0, id=id@entry=16388, required=required@entry=1, result=result@entry=0x7ffed29b4640, prompt_need=prompt_need@entry=0x0) at ./src/saslplugin/plugin_common.c:373
[snip]
(gdb) up
#1  0x00007f6a3d75cf44 in _plug_get_simple (utils=utils@entry=0x55b2ee54e3b0, id=id@entry=16388, required=required@entry=1, result=result@entry=0x7ffed29b4640, prompt_need=prompt_need@entry=0x0) at ./src/saslplugin/plugin_common.c:373
373             ret = simple_cb(simple_context, id, result, NULL);
(gdb) print simple_context
$13 = (void *) 0x55b2ee539630
(gdb) print id
$14 = 16388
(gdb) print result
$15 = (const char **) 0x7ffed29b4640

Note how the caller (`libkdexoauth2.so`) is calling with:
- context
- id
- result
- null

but xsasl_cyrus_client_get_passwd's signature is:

  sasl_conn_t *conn, void *context, int id, sasl_secret_t **psecret

which causes `id` to end up in `context` (and so on), then `context` gets promptly dereferenced and causes the segfault.

I believe the bug is in `xoauth2_client_mech_step`:

        /* We don't use _plug_get_password because we don't really care much about
           safety of the OAuth token */
        token_result = _plug_get_simple(utils, SASL_CB_PASS, 1, &token, prompt_need);

Both functions are *not* interchangeable in how they call the plugin:

int _plug_get_simple(const sasl_utils_t *utils, unsigned int id, int required,
                     const char **result, sasl_interact_t **prompt_need)
// ...
        ret = simple_cb(simple_context, id, result, NULL);

vs

int _plug_get_password(const sasl_utils_t *utils, sasl_secret_t **password,
                       unsigned int *iscopy, sasl_interact_t **prompt_need)
// ...
        ret = pass_cb(utils->conn, pass_context, SASL_CB_PASS, password);

Also, the structure of the returned value is incompatible: the former returns a `char *`, the latter a `sasl_secret_t *`.

If this code is working against a SASL client, this suggests that client has a similarly incorrect API, and fixing this code may break that client.

On an unrelated note, may I suggest disabling the bug trackers on invent.kde.org if that is not intended to be used?
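The following is an added example, not code from libkgapi, postfix or cyrus-sasl. It models the two callback prototypes named in the report (`sasl_getsimple_t`, which `_plug_get_simple` calls, and `sasl_getsecret_t`, which `_plug_get_password` calls) and shows how a callback table that records each callback's prototype kind turns the `SASL_CB_PASS`-through-the-simple-path mismatch into an error return instead of a call with shifted arguments and a segfault. The typedefs and `SASL_CB_*` ids mirror cyrus-sasl's `sasl.h`; the `client_state` struct, the callback table, the kind tag and the token value are constructed for this demonstration.

```c
/* Added example: tagged callback lookup that refuses a prototype mismatch.
 * The typedefs and SASL_CB_* ids mirror cyrus-sasl's sasl.h; everything else
 * (client_state, the kind tag, the table, the token) is constructed here. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SASL_OK        0
#define SASL_FAIL     (-1)
#define SASL_BADPARAM (-7)
#define SASL_CB_USER  0x4001   /* client user identity, served by a sasl_getsimple_t */
#define SASL_CB_PASS  0x4004   /* client password/token, served by a sasl_getsecret_t (16388 in the trace) */

typedef struct sasl_conn sasl_conn_t;
typedef struct { unsigned long len; unsigned char data[1]; } sasl_secret_t;

/* The two prototypes from the report: the leading arguments differ. */
typedef int (*sasl_getsimple_t)(void *context, int id, const char **result, unsigned *len);
typedef int (*sasl_getsecret_t)(sasl_conn_t *conn, void *context, int id, sasl_secret_t **psecret);

enum cb_kind { CB_SIMPLE, CB_SECRET };

/* Registered callback tagged with its prototype kind. The tag is the
 * constructed addition that lets the lookup detect a mismatch. */
struct callback {
    int id;
    enum cb_kind kind;
    union { sasl_getsimple_t simple; sasl_getsecret_t secret; } proc;
    void *context;
};

/* Constructed client state, standing in for the SMTP client's connection object. */
struct client_state { const char *user; sasl_secret_t *token; };

static int client_get_user(void *context, int id, const char **result, unsigned *len) {
    struct client_state *st = context;
    if (id != SASL_CB_USER || result == NULL) return SASL_BADPARAM;
    *result = st->user;
    if (len) *len = (unsigned)strlen(st->user);
    return SASL_OK;
}

/* Same shape as xsasl_cyrus_client_get_passwd: conn comes first, so a call
 * made through sasl_getsimple_t would put the context pointer in conn and the
 * callback id in context, which is exactly what gdb frame #0 shows. */
static int client_get_passwd(sasl_conn_t *conn, void *context, int id, sasl_secret_t **psecret) {
    (void)conn;
    struct client_state *st = context;
    if (id != SASL_CB_PASS || psecret == NULL) return SASL_BADPARAM;
    *psecret = st->token;
    return SASL_OK;
}

sasl_secret_t *make_secret(const char *s) {
    size_t n = strlen(s);
    sasl_secret_t *sec = malloc(sizeof *sec + n);   /* data[1] already covers the NUL */
    if (!sec) return NULL;
    sec->len = n;
    memcpy(sec->data, s, n + 1);
    return sec;
}

void build_callbacks(struct callback cbs[2], struct client_state *st) {
    cbs[0].id = SASL_CB_USER; cbs[0].kind = CB_SIMPLE; cbs[0].proc.simple = client_get_user;   cbs[0].context = st;
    cbs[1].id = SASL_CB_PASS; cbs[1].kind = CB_SECRET; cbs[1].proc.secret = client_get_passwd; cbs[1].context = st;
}

static const struct callback *find_callback(const struct callback *cbs, size_t n, int id) {
    for (size_t i = 0; i < n; i++) if (cbs[i].id == id) return &cbs[i];
    return NULL;
}

/* Model of _plug_get_simple: valid only for callbacks with the simple prototype. */
int plug_get_simple(const struct callback *cbs, size_t n, int id, const char **result) {
    const struct callback *cb = find_callback(cbs, n, id);
    if (!cb) return SASL_FAIL;
    if (cb->kind != CB_SIMPLE) return SASL_BADPARAM;   /* the report's mismatch, caught here */
    return cb->proc.simple(cb->context, id, result, NULL);
}

/* Model of _plug_get_password: the path a SASL_CB_PASS callback must be reached through. */
int plug_get_password(const struct callback *cbs, size_t n, sasl_conn_t *conn, sasl_secret_t **password) {
    const struct callback *cb = find_callback(cbs, n, SASL_CB_PASS);
    if (!cb) return SASL_FAIL;
    if (cb->kind != CB_SECRET) return SASL_BADPARAM;
    return cb->proc.secret(conn, cb->context, SASL_CB_PASS, password);
}

int main(void) {
    struct client_state st = { "alice", make_secret("constructed-oauth-token") };
    struct callback cbs[2];
    build_callbacks(cbs, &st);

    const char *simple = NULL;
    sasl_secret_t *secret = NULL;
    printf("token via simple path:   rc=%d (SASL_BADPARAM, no crash)\n",
           plug_get_simple(cbs, 2, SASL_CB_PASS, &simple));
    printf("token via password path: rc=%d secret=%s\n",
           plug_get_password(cbs, 2, NULL, &secret), secret ? (const char *)secret->data : "(null)");
    free(st.token);
    return 0;
}
```

The kind tag is what real cyrus-sasl callbacks lack: `sasl_callback_t` stores an untyped `proc`, so the plugin alone decides which prototype to call it with, and choosing `_plug_get_simple` for `SASL_CB_PASS` is only detectable at run time by the crash the report shows. The fix on the plugin side is to fetch the token through the `_plug_get_password` path and consume a `sasl_secret_t`, as the report suggests.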