
Re: core dump using pam authentication

 
Marco Salvi
Advisor

core dump using pam authentication

Hi,
I'm experiencing a core dump in a java application using JNI to call the pam module to authenticate a user.
Scanning the core I've noticed that the memory corruption is caused by the following string.

"word: "

I was able to find this word in the messages received by my conversation function. This word should be a substring of

"Password: "

I've tried to apply the latest patches available for pam but that does not fix the problem.

I read that pam calls are not thread safe.
In my application there is a synchronized statement in the java code that contains the code for all the pam calls, so it is not possible to have two pam calls executed at the same time in different threads.

Some chunks of code to give you a better idea

java code
...

synchronized( PamUnixRegistryImpl.class )
{
    if (pam_authenticate(s, s1) == 0) {
        PasswordCheckFailedException passwordcheckfailedexception =
            new PasswordCheckFailedException("Pam Authentication failed for user: " + s);
        throw passwordcheckfailedexception;
    }
}

...

JNI code

pam_authenticate simply calls

PamUnixRegistryImpl_checkPassword (...

C code

....

extern int convert(int num_msg, struct pam_message **msg,
                   struct pam_response **resp, void *appdata_ptr)
{
    // Initialize PAM response object and set password
    struct pam_response *temp;
    temp = (struct pam_response *)calloc(num_msg, sizeof(struct pam_response));
    temp[0].resp_retcode = 0;
    temp[0].resp = strdup((const char *)appdata_ptr);
    *resp = temp;
    return PAM_SUCCESS;
}
static struct pam_conv conv = {convert, NULL};

int PamUnixRegistryImpl_checkPassword (const char *username, const char *password)
{
    pwd_buf_t buf;
    const char *epass;
    struct passwd *pwd;
    long last_update, max_age, min_age;
    time_t now;
    int local_user;
    pam_handle_t *pamh = NULL;
    int retval;
    struct pam_response *pp = NULL;
    conv.appdata_ptr = password;
    local_user = 0;

    // initialize PAM
    printf("pam_checkPassword\n");
    fflush(stdout);

    retval = pam_start("checkpassword", username, &conv, &pamh);

    if (retval == PAM_SUCCESS)
    {
        retval = pam_authenticate(pamh, PAM_SILENT);
        printf("pam_authenticate\n");
        fflush(stdout);
        if (retval != PAM_SUCCESS)
        {
            pam_end(pamh, retval);
            pamh = NULL;
            return 0;
        }
        // End PAM Session
        if (pam_end(pamh, retval) != PAM_SUCCESS)
        {
            pamh = NULL;
            return 0;
        }
    }
    else
    {
        // try a local authentication without PAM
    }
    return 1;
...
29 REPLIES
Steven E. Protter
Exalted Contributor

Re: core dump using pam authentication

Shalom,


If you want your code debugged, move to the next response because I don't understand your code.

I'd take some time to investigate your /etc/pam.d/ authentication. Make sure PAM is up to date and the system has a recent bi-annual patch.

I'd also make sure Java itself is updated to a recent, stable release.

Any of these factors can cause problems. I'd also be interested to know which pam authentication module your code intends to use to authenticate. Your system may need changes to /etc/nsswitch.conf to accommodate this.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Marco Salvi
Advisor

Re: core dump using pam authentication

My system has trusted mode enabled.

I think the pam configuration is ok because the system works for a while before crashing. Java patch and PAM patches are OK (at least I think).

I forgot to say that I'm running my code on hp 11.23 v2 on IA64. The code is 64 bit.
Marco Salvi
Advisor

Re: core dump using pam authentication

My system has trusted mode enabled.
PAM is actually used to authenticate OS users only.

I think the pam configuration is ok because the system works for a while before crashing. Java patch and PAM patches are OK (at least I think).

I forgot to say that I'm running my code on hp 11.23 v2 on IA64. The code is 64 bit.
Dennis Handly
Acclaimed Contributor

Re: core dump using pam authentication

>I'm experiencing a core dump in a java application using JNI to call the pam module to authenticate a user.

Do you have a stack trace that points to the line in your source above?

>Scanning the core I've noticed that the memory corruption is caused by the following string. "word: "
>I was able to find this word in the messages received by my conversation function.

What do you mean by scanning? You must debug the problem and print out variables.
Marco Salvi
Advisor

Re: core dump using pam authentication

#0 0xc00000000490b670:0 in real_malloc+0x670 () from /usr/lib/hpux64/libc.so.1
#1 0xc00000000490ae10:0 in _malloc+0x7d0 () from /usr/lib/hpux64/libc.so.1
#2 0xc000000004915fb0:0 in malloc+0x140 () from /usr/lib/hpux64/libc.so.1
#3 0x9fffffffbf0b1770:0 in nnfun2a+0x310 ()
from /home/oracle/ora10g/lib/libclntsh.so.10.1
#4 0x9fffffffbf0b0ec0:0 in nnfsn2a+0x80 ()
from /home/oracle/ora10g/lib/libclntsh.so.10.1
#5 0x9fffffffbf0820b0:0 in niqname+0x350 ()
from /home/oracle/ora10g/lib/libclntsh.so.10.1
#6 0x9fffffffbeeb9c40:0 in kwfnran+0x220 ()
from /home/oracle/ora10g/lib/libclntsh.so.10.1
#7 0x9fffffffbee549f0:0 in kwfcinit+0x210 ()
from /home/oracle/ora10g/lib/libclntsh.so.10.1
#8 0x9fffffffc0372440 in + 0xef0 ()
from /home/oracle/ora10g/lib/libclntsh.so.10.1
#9 0x9fffffffbec5ec40:0 in OCIServerAttach+0xe0 ()
from /home/oracle/ora10g/lib/libclntsh.so.10.1

this is the top of the stack trace

disassembling the part that fails I have noticed

0xc00000000490b660:0 :
(p6) ld8 r32=[r18]
0xc00000000490b660:1 :
adds r19=-1,r23
0xc00000000490b660:2 :
add r8=r10,r14
0xc00000000490b670:0 :
(p7) ld8.a r16=[r32]


(gdb) x $r32
0x776f72643a200000: Error accessing memory address 0x776f72643a200000: Bad address.

(gdb) x/x $r18
0x6000000000286398: 0x600000000284b338
(gdb) x/16gx $r18 -32
0x6000000000286378: 0x0000000100000000 0x0000000000000120
0x6000000000286388: 0x776f72643a200000 0x0000000000000000
0x6000000000286398: 0x600000000284b338 0x0000000000000062
0x60000000002863a8: 0x0000000000000064 0x0000000100000000
0x60000000002863b8: 0x0000000000000130 0x6000000002f00018
0x60000000002863c8: 0x0000000000000002 0x6000000002f00278
0x60000000002863d8: 0x0000000000000062 0x0000000000000064
0x60000000002863e8: 0x0000000100000000 0x0000000000000140
(gdb) x/16gs $r18 -32
0x6000000000286378: ""
0x6000000000286379: ""
0x600000000028637a: ""
0x600000000028637b: "\001"
0x600000000028637d: ""
0x600000000028637e: ""
0x600000000028637f: ""
0x6000000000286380: ""
0x6000000000286381: ""
0x6000000000286382: ""
0x6000000000286383: ""
0x6000000000286384: ""
0x6000000000286385: ""
0x6000000000286386: "\001 word: "
0x600000000028638f: ""
0x6000000000286390: ""

It seems that the memory has been corrupted by a string

I believe that this is part of "Password: "

So I think that the memory has been corrupted by the function pam_authenticate that passes the structure

struct pam_message **msg

to my conversation function

and the value of

msg[0]->msg is "Password: "

Do you agree with my analysis?
Dennis Handly
Acclaimed Contributor

Re: core dump using pam authentication

>#0 0xc00000000490b670:0 in real_malloc+0x670 libc.so.1

Wow! Someone that knows how to debug!

>It seems that the memory has been corrupted by a string

Exactly.

>So I think that the memory has been corrupted by the function pam_authenticate that passes the structure struct pam_message **msg to my convert function

Possibly. But your calloc for resp looks ok, provided num_msg isn't 0.

>and the value of msg[0]->msg is "Password: "

I don't see you using msg? Were you supposed to set it?

>Do you agree with my analysis?

Partly. You should put a hardware watchpoint on 0x6000000000286388 to see who is modifying it:
(gdb) watch *(void**)0x6000000000286388
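
The two points raised in this reply (the calloc is only safe when num_msg is not 0, and msg is never examined) can be seen in a defensive conversation callback. This is an added example, not code from the thread and not a confirmed fix for the crash; it assumes Linux-PAM's array-of-pointers layout for msg, and `safe_conv`, `free_replies` and `MAX_MSGS` are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdlib.h>
#include <string.h>

/* Stand-ins for <security/pam_appl.h> so the block builds without libpam
 * (constants use Linux-PAM's values); real code includes the header instead. */
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19 };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4 };
#define MAX_MSGS 32 /* constructed sanity bound, standing in for PAM_MAX_NUM_MSG */
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Release a reply array, with a best-effort wipe of password copies. */
static void free_replies(struct pam_response *r, int n)
{
    for (int i = 0; i < n; i++) {
        if (r[i].resp)
            memset(r[i].resp, 0, strlen(r[i].resp));
        free(r[i].resp);                /* free(NULL) is a no-op */
    }
    free(r);
}

/* Conversation callback: appdata_ptr carries the password, as in the post. */
int safe_conv(int num_msg, const struct pam_message **msg,
              struct pam_response **resp, void *appdata_ptr)
{
    if (num_msg <= 0 || num_msg > MAX_MSGS || !msg || !resp || !appdata_ptr)
        return PAM_CONV_ERR;            /* never write slot 0 of an empty array */
    struct pam_response *out = calloc((size_t)num_msg, sizeof *out);
    if (!out)
        return PAM_BUF_ERR;

    for (int i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF:       /* "Password: " style prompt */
            out[i].resp = strdup((const char *)appdata_ptr);
            if (!out[i].resp) { free_replies(out, num_msg); return PAM_BUF_ERR; }
            break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:             /* informational: reply stays NULL */
            break;
        default:                        /* unexpected prompt: refuse, don't guess */
            free_replies(out, num_msg);
            return PAM_CONV_ERR;
        }
    }
    *resp = out;                        /* the PAM caller frees array and strings */
    return PAM_SUCCESS;
}
```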
Marco Salvi
Advisor

Re: core dump using pam authentication

Thanks for your suggestion.
I have tried this but unfortunately the corruption happens after some time. I spent half an hour pressing enter, then the debugger got stuck.
Is there a way to set the watchpoint and tell the debugger to ignore malloc and free for that address?
Dennis Handly
Acclaimed Contributor

Re: core dump using pam authentication

>I have tried this but unfortunately the corruption happens after some time. I spent half an hour pressing enter, then the debugger got stuck.

Then you may have problems. Especially if java allocates a different address. Is the corruption address the same in two runs?

>Is there a way to set the watchpoint and tell the debugger to ignore malloc and free for that address?

You could add a condition to the watch point to only stop if the value 0x776f72643a200000 is stored:
cond watch-number (*(void**)0x6000000000286388 == 0x776f72643a200000)
Marco Salvi
Advisor

Re: core dump using pam authentication

Hi Dennis,
the address seems to be the same.
Is there a way to run the check outside the debugger?