Bug#941493: /usr/bin/smbclient: smbclient segfaults when used with KCM kerberos credentials cache

[Sam Morris]

Package: smbclient
Version: 2:4.10.8+dfsg-1
Severity: normal
File: /usr/bin/smbclient

It appears that smbclient can't make use of the KCM kerberos credentials
cache (as implemented by sssd-kcm). It attempts to fall back to asking
for a password, but then segfaults:

        $ echo $KRB5CCNAME
        KCM:

        $ smbclient '//server.example.com/documentation$'
        Unable to initialize messaging context
        Enter sam.mor...@example.com's password: 
        Failed to resolve credential cache 'KCM:'! (Unknown credential cache 
type)
        free(): double free detected in tcache 2
        Aborted (core dumped)

Here's the backtrace:

        #0  0x00007ffff7484081 in __GI_raise (sig=sig@entry=6) at 
../sysdeps/unix/sysv/linux/raise.c:50
        #1  0x00007ffff746f535 in __GI_abort () at abort.c:79
        #2  0x00007ffff74c5db8 in __libc_message (action=action@entry=do_abort, 
fmt=fmt@entry=0x7ffff75d0aae "%s\n") at ../sysdeps/posix/libc_fatal.c:181
        #3  0x00007ffff74cc48a in malloc_printerr (str=str@entry=0x7ffff75d2768 
"free(): double free detected in tcache 2") at malloc.c:5361
        #4  0x00007ffff74cde4d in _int_free (av=0x7ffff7603c40 <main_arena>, 
p=0x555555590b60, have_lock=<optimized out>) at malloc.c:4215
        #5  0x00007ffff6ccc925 in krb5_free_context (context=0x5555555cd0d0) at 
../../source4/heimdal/lib/krb5/context.c:595
        #6  0x00007ffff729a3bd in gse_context_destructor (ptr=<optimized out>) 
at ../../source3/librpc/crypto/gse.c:84
        #7  0x00007ffff773413e in  () at 
/usr/lib/x86_64-linux-gnu/libtalloc.so.2
        #8  0x00007ffff729b05c in gse_context_init 
(mem_ctx=mem_ctx@entry=0x5555555cd040, do_sign=<optimized out>, 
do_seal=<optimized out>, add_gss_c_flags=<optimized out>, 
_gse_ctx=_gse_ctx@entry=0x7fffffffce30, ccache_name=<optimized out>) at 
../../source3/librpc/crypto/gse.c:241
        #9  0x00007ffff729b223 in gse_init_client (ccache_name=0x0, 
realm=<optimized out>, username=<optimized out>, password=<optimized out>, 
_gse_ctx=<synthetic pointer>, add_gss_c_flags=<optimized out>, 
service=0x5555555cb060 "cifs", server=0x5555555caaf0 "server.example.com", 
do_seal=<optimized out>, do_sign=<optimized out>, mem_ctx=0x5555555cd040) at 
../../source3/librpc/crypto/gse.c:268
        #10 0x00007ffff729b223 in gensec_gse_client_start 
(gensec_security=0x5555555cd040) at ../../source3/librpc/crypto/gse.c:786
        #11 0x00007ffff71efef3 in gensec_start_mech 
(gensec_security=0x5555555cd040) at ../../auth/gensec/gensec_start.c:743
        #12 0x00007ffff71efef3 in gensec_start_mech 
(gensec_security=0x5555555cd040) at ../../auth/gensec/gensec_start.c:704
        #13 0x00007ffff71f39ce in gensec_spnego_client_negTokenInit_step 
(gensec_security=0x5555555c1e20, spnego_state=0x5555555c4750, n=0x5555555cc800, 
spnego_in=<optimized out>, last_status=..., in_mem_ctx=<optimized out>, 
in_next=0x5555555cc758) at ../../auth/gensec/spnego.c:624
        #14 0x00007ffff71f3f99 in gensec_spnego_client_negTokenInit_start 
(gensec_security=0x5555555c1e20, spnego_state=0x5555555c4750, n=0x5555555cc800, 
spnego_in=0x5555555cc6c8, in_mem_ctx=0x5555555cc6a0, in_next=0x5555555cc758) at 
../../auth/gensec/spnego.c:528
        #15 0x00007ffff71f4ce4 in gensec_spnego_update_pre (req=0x5555555cc4f0) 
at ../../auth/gensec/spnego.c:1913
        #16 0x00007ffff71f4ce4 in gensec_spnego_update_send (mem_ctx=<optimized 
out>, ev=0x5555555a97f0, gensec_security=<optimized out>, in=...) at 
../../auth/gensec/spnego.c:1711
        #17 0x00007ffff71eee58 in gensec_update_send (mem_ctx=<optimized out>, 
ev=0x5555555a97f0, gensec_security=0x5555555c1e20, in=...) at 
../../auth/gensec/gensec.c:449
        #18 0x00007ffff7a7e986 in cli_session_setup_gensec_local_next 
(req=0x5555555c6c60) at ../../source3/libsmb/cliconnect.c:1016
        #19 0x00007ffff7a803e0 in cli_session_setup_gensec_send 
(target_service=0x7ffff7ab7041 "cifs", target_hostname=0x5555555c0d10 
"server.example.com", creds=0x5555555abd70, cli=0x5555555abd70, 
ev=0x5555555a97f0, mem_ctx=<optimized out>) at 
../../source3/libsmb/cliconnect.c:996
        #20 0x00007ffff7a803e0 in cli_session_setup_spnego_send 
(creds=0x5555555abd70, cli=0x5555555abd70, ev=0x5555555a97f0, 
mem_ctx=<optimized out>) at ../../source3/libsmb/cliconnect.c:1308
        #21 0x00007ffff7a803e0 in cli_session_setup_creds_send 
(mem_ctx=mem_ctx@entry=0x5555555a97f0, ev=ev@entry=0x5555555a97f0, 
cli=cli@entry=0x5555555abd70, creds=creds@entry=0x5555555b2130) at 
../../source3/libsmb/cliconnect.c:1467
        #22 0x00007ffff7a80b6d in cli_session_setup_creds (cli=0x5555555abd70, 
creds=creds@entry=0x5555555b2130) at ../../source3/libsmb/cliconnect.c:1805
        #23 0x00007ffff7a9c517 in do_connect (ctx=ctx@entry=0x5555555a8c70, 
server=<optimized out>, server@entry=0x0, share=share@entry=0x5555555be0f0 
"\\\\server.example.com\\documentation$", auth_info=0x5555555b20a0, 
force_encrypt=<optimized out>, max_protocol=max_protocol@entry=13, port=0, 
name_type=32, pcli=0x7fffffffd1d0) at ../../source3/libsmb/clidfs.c:236
        #24 0x00007ffff7a9ca68 in cli_cm_connect (ctx=ctx@entry=0x5555555a8c70, 
referring_cli=referring_cli@entry=0x0, server=server@entry=0x0, 
share=share@entry=0x5555555be0f0 "\\\\server.example.com\\documentation$", 
auth_info=<optimized out>, force_encrypt=force_encrypt@entry=false, 
max_protocol=13, port=0, name_type=32, pcli=0x7fffffffd230) at 
../../source3/libsmb/clidfs.c:339
        #25 0x00007ffff7a9cbef in cli_cm_open (ctx=0x5555555a8c70, 
referring_cli=0x0, server=0x0, share=0x5555555be0f0 
"\\\\server.example.com\\documentation$", auth_info=<optimized out>, 
force_encrypt=<optimized out>, max_protocol=13, port=0, name_type=32, 
pcli=0x55555557b398 <cli>) at ../../source3/libsmb/clidfs.c:441
        #26 0x000055555555e1c8 in main ()

-- System Information:
Debian Release: 10.1
  APT prefers stable-debug
  APT policy: (570, 'stable-debug'), (570, 'stable'), (550, 'testing-debug'), 
(550, 'testing'), (530, 'unstable-debug'), (530, 'unstable'), (500, 
'stable-updates'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.0-0.bpo.2-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_USER, TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages smbclient depends on:
ii  dpkg          1.19.7
ii  libarchive13  3.3.3-4
ii  libbsd0       0.9.1-2
ii  libc6         2.29-1
ii  libpopt0      1.16-12
ii  libreadline8  8.0-3
ii  libsmbclient  2:4.10.8+dfsg-1
ii  libtalloc2    2.3.0-2
ii  libtevent0    0.10.1-3
ii  libwbclient0  2:4.10.8+dfsg-1
ii  samba-common  2:4.10.8+dfsg-1
ii  samba-libs    2:4.10.8+dfsg-1

smbclient recommends no packages.

Versions of packages smbclient suggests:
ii  cifs-utils       2:6.8-2
pn  heimdal-clients  <none>

-- no debconf information