Performing verification for oracular. I installed cifs-utils 2:7.0-2.1ubuntu0.1 from oracular -updates.
I followed the testcase and installed valgrind and moved the wrapper script into place: ubuntu@oracular-dc:~$ sudo mv /usr/sbin/cifs.upcall /usr/sbin/cifs.upcall.bin ubuntu@oracular-dc:~$ sudo cp /usr/sbin/cifs.upcall.wrapper /usr/sbin/cifs.upcall ubuntu@oracular-dc:~$ kdestroy kdestroy: No credentials cache found while destroying cache ubuntu@oracular-dc:~$ klist klist: No credentials cache found (filename: /tmp/krb5cc_1000) ubuntu@oracular-dc:~$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1 mount error(126): Required key not available Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg) ubuntu@oracular-dc:~$ cat valgrind.log ==1873== Memcheck, a memory error detector ==1873== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al. ==1873== Using Valgrind-3.23.0 and LibVEX; rerun with -h for copyright info ==1873== Command: /usr/sbin/cifs.upcall.bin 819837775 ==1873== ==1874== ==1874== HEAP SUMMARY: ==1874== in use at exit: 130 bytes in 1 blocks ==1874== total heap usage: 6 allocs, 5 frees, 4,750 bytes allocated ==1874== ==1874== LEAK SUMMARY: ==1874== definitely lost: 0 bytes in 0 blocks ==1874== indirectly lost: 0 bytes in 0 blocks ==1874== possibly lost: 0 bytes in 0 blocks ==1874== still reachable: 130 bytes in 1 blocks ==1874== suppressed: 0 bytes in 0 blocks ==1874== Rerun with --leak-check=full to see details of leaked memory ==1874== ==1874== For lists of detected and suppressed errors, rerun with: -s ==1874== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) ==1873== ==1873== HEAP SUMMARY: ==1873== in use at exit: 7,119 bytes in 21 blocks ==1873== total heap usage: 770 allocs, 749 frees, 357,151 bytes allocated ==1873== ==1873== LEAK SUMMARY: ==1873== definitely lost: 56 bytes in 1 blocks ==1873== indirectly lost: 0 bytes in 0 blocks ==1873== possibly lost: 0 bytes in 0 blocks ==1873== still reachable: 7,063 bytes in 20 blocks ==1873== suppressed: 0 bytes in 0 blocks ==1873== Rerun with --leak-check=full to see details of leaked memory ==1873== ==1873== For lists of detected and suppressed errors, rerun with: -s ==1873== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) ==1873== could not unlink /tmp/vgdb-pipe-from-vgdb-to-1873-by-???-on-??? ==1873== could not unlink /tmp/vgdb-pipe-to-vgdb-from-1873-by-???-on-??? ==1873== could not unlink /tmp/vgdb-pipe-shared-mem-vgdb-1873-by-???-on-??? We leaked 56 bytes of memory. I then enabled -security-proposed by this ppa: https://launchpad.net/~ubuntu-security- proposed/+archive/ubuntu/ppa/+packages?field.name_filter=cifs- utils&field.status_filter=published&field.series_filter= I installed cifs-utils 2:7.0-2.1ubuntu0.2. I then again moved the valgrind wrapper script into place: ubuntu@oracular-dc:~$ sudo mv /usr/sbin/cifs.upcall /usr/sbin/cifs.upcall.bin ubuntu@oracular-dc:~$ sudo cp /usr/sbin/cifs.upcall.wrapper /usr/sbin/cifs.upcall ubuntu@oracular-dc:~$ kdestroy kdestroy: No credentials cache found while destroying cache ubuntu@oracular-dc:~$ klist klist: No credentials cache found (filename: /tmp/krb5cc_1000) ubuntu@oracular-dc:~$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1 mount error(126): Required key not available Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg) ubuntu@oracular-dc:~$ cat valgrind.log ==1675== Memcheck, a memory error detector ==1675== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al. ==1675== Using Valgrind-3.23.0 and LibVEX; rerun with -h for copyright info ==1675== Command: /usr/sbin/cifs.upcall.bin 436965008 ==1675== ==1676== ==1676== HEAP SUMMARY: ==1676== in use at exit: 130 bytes in 1 blocks ==1676== total heap usage: 6 allocs, 5 frees, 4,750 bytes allocated ==1676== ==1676== LEAK SUMMARY: ==1676== definitely lost: 0 bytes in 0 blocks ==1676== indirectly lost: 0 bytes in 0 blocks ==1676== possibly lost: 0 bytes in 0 blocks ==1676== still reachable: 130 bytes in 1 blocks ==1676== suppressed: 0 bytes in 0 blocks ==1676== Rerun with --leak-check=full to see details of leaked memory ==1676== ==1676== For lists of detected and suppressed errors, rerun with: -s ==1676== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) ==1675== ==1675== HEAP SUMMARY: ==1675== in use at exit: 7,063 bytes in 20 blocks ==1675== total heap usage: 771 allocs, 751 frees, 361,247 bytes allocated ==1675== ==1675== LEAK SUMMARY: ==1675== definitely lost: 0 bytes in 0 blocks ==1675== indirectly lost: 0 bytes in 0 blocks ==1675== possibly lost: 0 bytes in 0 blocks ==1675== still reachable: 7,063 bytes in 20 blocks ==1675== suppressed: 0 bytes in 0 blocks ==1675== Rerun with --leak-check=full to see details of leaked memory ==1675== ==1675== For lists of detected and suppressed errors, rerun with: -s ==1675== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) ==1675== could not unlink /tmp/vgdb-pipe-from-vgdb-to-1675-by-???-on-??? ==1675== could not unlink /tmp/vgdb-pipe-to-vgdb-from-1675-by-???-on-??? ==1675== could not unlink /tmp/vgdb-pipe-shared-mem-vgdb-1675-by-???-on-??? This time we don't leak any memory. Now I am just running through the testcase of bug 2099917: root@oracular-dc:/home/ubuntu# kinit [email protected] Password for [email protected]: Warning: Your password will expire in 38 days on Fri Jul 25 01:30:38 2025 root@oracular-dc:/home/ubuntu# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: [email protected] Valid starting Expires Service principal 06/16/25 01:49:53 06/16/25 11:49:53 krbtgt/[email protected] renew until 06/17/25 01:49:51 root@oracular-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1 root@oracular-dc:/home/ubuntu# umount /mnt/testshare1 root@oracular-dc:/home/ubuntu# git clone https://git.nullroute.lt/hacks/python-krb5ccparse.git Cloning into 'python-krb5ccparse'... remote: Enumerating objects: 59, done. remote: Counting objects: 100% (59/59), done. remote: Compressing objects: 100% (59/59), done. remote: Total 59 (delta 28), reused 0 (delta 0), pack-reused 0 (from 0) Receiving objects: 100% (59/59), 11.55 KiB | 739.00 KiB/s, done. Resolving deltas: 100% (28/28), done. root@oracular-dc:/home/ubuntu# cd python-krb5ccparse/ root@oracular-dc:/home/ubuntu/python-krb5ccparse# ./kremovetkt -c /tmp/krb5cc_0 -o /tmp/removed -p krbtgt/[email protected] Keeping ticket for krb5_ccache_conf_data/fast_avail/krbtgt/[email protected]@X-CACHECONF: Keeping ticket for krb5_ccache_conf_data/pa_type/krbtgt/[email protected]@X-CACHECONF: Skipping ticket for krbtgt/[email protected] Keeping ticket for cifs/samba-dc.example.com@ root@oracular-dc:/home/ubuntu/python-krb5ccparse# kdestroy root@oracular-dc:/home/ubuntu/python-krb5ccparse# mv /tmp/removed /tmp/krb5cc_0 root@oracular-dc:/home/ubuntu/python-krb5ccparse# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: [email protected] Valid starting Expires Service principal 06/16/25 01:50:02 06/16/25 11:49:53 cifs/samba-dc.example.com@ renew until 06/17/25 01:49:51 Ticket server: cifs/[email protected] root@oracular-dc:/home/ubuntu/python-krb5ccparse# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1 root@oracular-dc:/home/ubuntu/python-krb5ccparse# mount -l ... //samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=0,cache=strict,username=root,uid=0,forceuid,gid=0,forcegid,addr=192.168.122.229,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,reparse=nfs,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1) The testcase still holds, and the new package doesn't introduce any regressions. The package in -security-proposed fixes the issue. Happy to mark verified for oracular. ** Tags added: verification-done-oracular -- You received this bug notification because you are a member of Debcrafters packages, which is subscribed to cifs-utils in Ubuntu. https://bugs.launchpad.net/bugs/2113906 Title: Regression: After LP2099917 cifs.upcall leaks memory on error message if service ticket doesn't exist Status in cifs-utils package in Ubuntu: Fix Released Status in cifs-utils source package in Focal: In Progress Status in cifs-utils source package in Jammy: In Progress Status in cifs-utils source package in Noble: In Progress Status in cifs-utils source package in Oracular: In Progress Status in cifs-utils source package in Plucky: In Progress Status in cifs-utils source package in Questing: Fix Released Bug description: [Impact] There is a pretty minor memory leak in check_service_ticket_exists(), in the order of about 56ish bytes give or take, caused by not freeing the error messages introduced by bug 2099917. -release: definitely lost: 0 bytes in 0 blocks -security/-updates regression: 56 bytes in 1 blocks Include a fix that releases the memory, so failing cifs mounts don't leak memory over long periods of time and cause memory exhaustion. [Testcase] We need to wrap cifs.upcall with a valgrind script: $ sudo apt install valgrind $ cat << EOF | sudo tee /usr/sbin/cifs.upcall.wrapper #!/bin/bash /usr/bin/valgrind /usr/sbin/cifs.upcall.bin "\$@" &> /home/ubuntu/valgrind.log EOF $ sudo chmod +x /usr/sbin/cifs.upcall.wrapper $ sudo mv /usr/sbin/cifs.upcall /usr/sbin/cifs.upcall.bin $ sudo cp /usr/sbin/cifs.upcall.wrapper /usr/sbin/cifs.upcall $ kdestroy $ klist klist: No credentials cache found (filename: /tmp/krb5cc_1000) $ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1 mount error(126): Required key not available Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg) $ journalctl -b0 kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[1925]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.248;sec=krb5;uid=0x0;creduid=0x3e8;user=root;pid=0x776 cifs.upcall[1926]: ver=2 cifs.upcall[1926]: host=samba-dc.example.com cifs.upcall[1926]: ip=192.168.122.248 cifs.upcall[1926]: sec=1 cifs.upcall[1926]: uid=0 cifs.upcall[1926]: creduid=1000 cifs.upcall[1926]: user=root cifs.upcall[1926]: pid=1910 cifs.upcall[1925]: upcall_target=app, switching namespaces to application thread cifs.upcall[1925]: get_cachename_from_process_env: pid == 0 cifs.upcall[1925]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000 cifs.upcall[1925]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_1000) cifs.upcall[1925]: get_tgt_time: unable to get principal cifs.upcall[1925]: main: valid TGT is not present in credential cache cifs.upcall[1925]: krb5_get_init_creds_keytab: -1765328378 cifs.upcall[1925]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[1925]: handle_krb5_mech: using GSS-API cifs.upcall[1925]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible cifs.upcall[1925]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000) cifs.upcall[1925]: handle_krb5_mech: failed to obtain service ticket via GSS (458752) cifs.upcall[1925]: Unable to obtain service ticket cifs.upcall[1925]: Exit status 458752 kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126 kernel: CIFS: VFS: cifs_mount failed w/return code = -126 We are looking for the string: cifs.upcall[1925]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_1000) since check_service_ticket_exists() leaks the memory on this log line. $ cat /home/ubuntu/valgrind.log ==1963== Memcheck, a memory error detector ==1963== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al. ==1963== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info ==1963== Command: /usr/sbin/cifs.upcall.bin 920301411 ==1963== ==1964== ==1964== HEAP SUMMARY: ==1964== in use at exit: 130 bytes in 1 blocks ==1964== total heap usage: 6 allocs, 5 frees, 4,750 bytes allocated ==1964== ==1964== LEAK SUMMARY: ==1964== definitely lost: 0 bytes in 0 blocks ==1964== indirectly lost: 0 bytes in 0 blocks ==1964== possibly lost: 0 bytes in 0 blocks ==1964== still reachable: 130 bytes in 1 blocks ==1964== suppressed: 0 bytes in 0 blocks ==1964== Rerun with --leak-check=full to see details of leaked memory ==1964== ==1964== For lists of detected and suppressed errors, rerun with: -s ==1964== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) ==1963== ==1963== HEAP SUMMARY: ==1963== in use at exit: 3,690 bytes in 13 blocks ==1963== total heap usage: 756 allocs, 743 frees, 353,517 bytes allocated ==1963== ==1963== LEAK SUMMARY: ==1963== definitely lost: 56 bytes in 1 blocks ==1963== indirectly lost: 0 bytes in 0 blocks ==1963== possibly lost: 0 bytes in 0 blocks ==1963== still reachable: 3,634 bytes in 12 blocks ==1963== suppressed: 0 bytes in 0 blocks ==1963== Rerun with --leak-check=full to see details of leaked memory ==1963== ==1963== For lists of detected and suppressed errors, rerun with: -s ==1963== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) ==1963== could not unlink /tmp/vgdb-pipe-from-vgdb-to-1963-by-???-on-??? ==1963== could not unlink /tmp/vgdb-pipe-to-vgdb-from-1963-by-???-on-??? There are test packages available in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-regression- test The test packages should act just like the packages in -release: ==2152== Memcheck, a memory error detector ==2152== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al. ==2152== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info ==2152== Command: /usr/sbin/cifs.upcall.bin 918329244 ==2152== ==2153== ==2153== HEAP SUMMARY: ==2153== in use at exit: 130 bytes in 1 blocks ==2153== total heap usage: 6 allocs, 5 frees, 4,750 bytes allocated ==2153== ==2153== LEAK SUMMARY: ==2153== definitely lost: 0 bytes in 0 blocks ==2153== indirectly lost: 0 bytes in 0 blocks ==2153== possibly lost: 0 bytes in 0 blocks ==2153== still reachable: 130 bytes in 1 blocks ==2153== suppressed: 0 bytes in 0 blocks ==2153== Rerun with --leak-check=full to see details of leaked memory ==2153== ==2153== For lists of detected and suppressed errors, rerun with: -s ==2153== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) ==2152== ==2152== HEAP SUMMARY: ==2152== in use at exit: 3,634 bytes in 12 blocks ==2152== total heap usage: 757 allocs, 745 frees, 357,613 bytes allocated ==2152== ==2152== LEAK SUMMARY: ==2152== definitely lost: 0 bytes in 0 blocks ==2152== indirectly lost: 0 bytes in 0 blocks ==2152== possibly lost: 0 bytes in 0 blocks ==2152== still reachable: 3,634 bytes in 12 blocks ==2152== suppressed: 0 bytes in 0 blocks ==2152== Rerun with --leak-check=full to see details of leaked memory ==2152== ==2152== For lists of detected and suppressed errors, rerun with: -s ==2152== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) ==2152== could not unlink /tmp/vgdb-pipe-from-vgdb-to-2152-by-???-on-??? ==2152== could not unlink /tmp/vgdb-pipe-to-vgdb-from-2152-by-???-on-??? ==2152== could not unlink /tmp/vgdb-pipe-shared-mem-vgdb-2152-by-???-on-??? Note "definitely lost" changes from "56 bytes in 1 blocks" to "0 bytes in 0 blocks". [Where problems can occur] We are changing the error handling code of identifying if a service ticket or a TGT ticket exists. The error logging code is still called all the same, this time we save a pointer to the buffer so it can be correctly freed later on. If a regression were to occur, it would only occur if finding a TGT or a service ticket fails, but if it did, we likely wouldn't be successful in mounting a share anyway, so it would lead to poor error logging and potentially further error messages from the kernel cifs client on failure of cifs.upcall. A workaround would be to ensure you have a valid Kerberos credential cache. [Other info] This was fixed in cifs-utils 7.4 by: commit dc013738ec1f2e67598b264fe2eabf94c5a34570 Author: Paulo Alcantara <[email protected]> Date: Tue Apr 15 13:20:52 2025 -0300 Subject: cifs.upcall: fix memory leaks in check_service_ticket_exits() Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=dc013738ec1f2e67598b264fe2eabf94c5a34570 Regression was introduced by bug: https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2099917 This was also delivered with: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2099914 This will be fixed alongside: https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2112614 Its been a fragile time for the cifs-utils package. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2113906/+subscriptions -- Mailing list: https://launchpad.net/~debcrafters-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~debcrafters-packages More help : https://help.launchpad.net/ListHelp
