- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - Linux
- >
- Re: core dump using pam authentication
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-26-2007 10:42 PM
тАО11-26-2007 10:42 PM
core dump using pam authentication
I'm experiencing a core dump in a java application using JNI to call the pam module to authenticate a user.
Scanning the core I've noticed that the memory corruption is caused by the following string.
"word: "
I was able to find this word in the messages received by my conversation function. This word should be a substring of
"Password: "
I've tried to apply the latest patches available for pam but that does not fix the problem.
I read that pam call are not thread safe.
In my application there is a synchronize statement in the java code that contain the code for all the pam call, so it is not possible to have two pam calls executed at the same time in different threads.
Some chunck of code for giving you a better idea
java code
...
synchronized( PamUnixRegistryImpl.class )
{
if (pam_authenticate(s, s1) == 0) {
PasswordCheckFailedException passwordcheckfailedexception =
new PasswordCheckFailedException("Pam Authentication failed for user: " + s);
throw passwordcheckfailedexception;
}
}
...
JNI code
pam_authenticate simply call
PamUnixRegistryImpl_checkPassword (...
C code
....
extern int convert(int num_msg,struct pam_message **msg,struct
pam_response **resp,void *appdata_ptr)
{
// Initialize PAM response object and set password
struct pam_response *temp;
temp = (struct pam_response *)calloc(num_msg,sizeof(struct pam_response));
temp[0].resp_retcode = 0;
temp[0].resp = strdup((const char*)appdata_ptr);
*resp = temp;
return PAM_SUCCESS;
}
static struct pam_conv conv = {convert,NULL};
int PamUnixRegistryImpl_checkPassword (const char *username,const char *password)
{
pwd_buf_t buf;
const char *epass;
struct passwd *pwd;
long last_update, max_age, min_age;
time_t now;
int local_user;
pam_handle_t *pamh=NULL;
int retval;
struct pam_response *pp=NULL;
conv.appdata_ptr = password;
local_user = 0;
// initialize PAM
printf("pam_checkPassword\n");
fflush(stdout);
retval = pam_start("checkpassword", username, &conv, &pamh);
if (retval == PAM_SUCCESS)
{
retval = pam_authenticate(pamh, PAM_SILENT);
printf("pam_authenticate\n");
fflush(stdout);
if (retval != PAM_SUCCESS)
{
pam_end(pamh,retval);
pamh = NULL;
return 0;
}
// End PAM Session
if (pam_end(pamh,retval) != PAM_SUCCESS)
{
pamh = NULL;
return 0;
}
}
else
{
try a local authentication without PAM
}
return 1;
...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-26-2007 11:22 PM
тАО11-26-2007 11:22 PM
Re: core dump using pam authentication
If you want your code debugged, move to the next response because I don't understand your code.
I'd take some time to investigate your /etc/pam.d/ authentication. Make sure PAM is up to date and the system has a recent bi-annual patch.
I'd also make sure Java itself is updated to a recent, stable release.
Any of these factors can cause problems. I'd also be interested to know which pam authentication module your code intends to use to authenticate. Your system may need changes to /etc/nsswitch.conf to accommodate this.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-27-2007 12:06 AM
тАО11-27-2007 12:06 AM
Re: core dump using pam authentication
I think the pam configuration is ok because the system work for a while before crashing. Java patch and PAM patches are OK (at least I think).
I forgot to say that I'm running my code on hp 11.23 v2 on IA64. The code is 64 bit.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-27-2007 12:06 AM
тАО11-27-2007 12:06 AM
Re: core dump using pam authentication
Pam is actually use to authenticate OS user only.
I think the pam configuration is ok because the system work for a while before crashing. Java patch and PAM patches are OK (at least I think).
I forgot to say that I'm running my code on hp 11.23 v2 on IA64. The code is 64 bit.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-27-2007 03:10 AM
тАО11-27-2007 03:10 AM
Re: core dump using pam authentication
Do you have a stack trace that points to the line in your source above?
>Scanning the core I've noticed that the memory corruption is caused by the following string. "word: "
>I was able to find this word in the messages received by my conversation function.
What do you mean by scanning? You must debug the problem and print out variables.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-27-2007 03:36 AM
тАО11-27-2007 03:36 AM
Re: core dump using pam authentication
#1 0xc00000000490ae10:0 in _malloc+0x7d0 () from /usr/lib/hpux64/libc.so.1
#2 0xc000000004915fb0:0 in malloc+0x140 () from /usr/lib/hpux64/libc.so.1
#3 0x9fffffffbf0b1770:0 in nnfun2a+0x310 ()
from /home/oracle/ora10g/lib/libclntsh.so.10.1
#4 0x9fffffffbf0b0ec0:0 in nnfsn2a+0x80 ()
from /home/oracle/ora10g/lib/libclntsh.so.10.1
#5 0x9fffffffbf0820b0:0 in niqname+0x350 ()
from /home/oracle/ora10g/lib/libclntsh.so.10.1
#6 0x9fffffffbeeb9c40:0 in kwfnran+0x220 ()
from /home/oracle/ora10g/lib/libclntsh.so.10.1
#7 0x9fffffffbee549f0:0 in kwfcinit+0x210 ()
from /home/oracle/ora10g/lib/libclntsh.so.10.1
#8 0x9fffffffc0372440 in
from /home/oracle/ora10g/lib/libclntsh.so.10.1
#9 0x9fffffffbec5ec40:0 in OCIServerAttach+0xe0 ()
from /home/oracle/ora10g/lib/libclntsh.so.10.1
this is the top of the stack trace
disassembling the part that fails I have noticed
0xc00000000490b660:0
(p6) ld8 r32=[r18]
0xc00000000490b660:1
adds r19=-1,r23
0xc00000000490b660:2
add r8=r10,r14
0xc00000000490b670:0
(p7) ld8.a r16=[r32]
(gdb) x $r32
0x776f72643a200000: Error accessing memory address 0x776f72643a200000: Bad address.
(gdb) x/x $r18
0x6000000000286398: 0x600000000284b338
(gdb) x/16gx $r18 -32
0x6000000000286378: 0x0000000100000000 0x0000000000000120
0x6000000000286388: 0x776f72643a200000 0x0000000000000000
0x6000000000286398: 0x600000000284b338 0x0000000000000062
0x60000000002863a8: 0x0000000000000064 0x0000000100000000
0x60000000002863b8: 0x0000000000000130 0x6000000002f00018
0x60000000002863c8: 0x0000000000000002 0x6000000002f00278
0x60000000002863d8: 0x0000000000000062 0x0000000000000064
0x60000000002863e8: 0x0000000100000000 0x0000000000000140
(gdb) x/16gs $r18 -32
0x6000000000286378: ""
0x6000000000286379: ""
0x600000000028637a: ""
0x600000000028637b: "\001"
0x600000000028637d: ""
0x600000000028637e: ""
0x600000000028637f: ""
0x6000000000286380: ""
0x6000000000286381: ""
0x6000000000286382: ""
0x6000000000286383: ""
0x6000000000286384: ""
0x6000000000286385: ""
0x6000000000286386: "\001 word: "
0x600000000028638f: ""
0x6000000000286390: ""
It seems that the memory has been corrupted by a string
I believe that this is part of "Password: "
So I think that the memory has been corrupted by the function pam_authenticate that pass the structure
struct pam_message **msg
to my conversation function
and the value of
msg[0]->msg is "Password: "
Do you agree with my analysis?
- Tags:
- heap corruption
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-27-2007 04:02 AM
тАО11-27-2007 04:02 AM
Re: core dump using pam authentication
Wow! Someone that knows how to debug!
>It seems that the memory has been corrupted by a string
Exactly.
>So I think that the memory has been corrupted by the function pam_authenticate that pass the structure struct pam_message **msg to my convert function
Possibly. But your calloc for resp looks ok, provided num_msg isn't 0.
>and the value of msg[0]->msg is "Password: "
I don't see you using msg? Were you suppose to set it?
>Do you agree with my analysis?
Partly. You should put a hardware watchpoint on 0x6000000000286388 to see who is modifying it:
(gdb) watch *(void**)0x6000000000286388
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-27-2007 04:58 AM
тАО11-27-2007 04:58 AM
Re: core dump using pam authentication
I have tried this but unfortunately the corruption happens after some time. I spend an half an hour pressing enter then the debugger get in stuck.
There is a way to set the watchpoint and tell the debugger to ignore malloc and free for that address?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-27-2007 09:18 AM
тАО11-27-2007 09:18 AM
Re: core dump using pam authentication
Then you may have problems. Especially if java allocates a different address. Is the corruption address the same in two runs?
>There is a way to set the watchpoint and tell the debugger to ignore malloc and free for that address?
You could add a condition to the watch point to only stop if the value 0x776f72643a200000 is stored:
cond watch-number (*(void**)0x6000000000286388 == 0x776f72643a200000)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-29-2007 01:11 AM
тАО11-29-2007 01:11 AM
Re: core dump using pam authentication
the address seems to be the same.
There is a way to run the check outside the debugger?