Bug#379810: saslauthd memory leak
Roberto C. Sánchez
roberto at connexer.com
Tue Apr 24 20:07:33 EDT 2007
Might this addition to a Debian bug report about saslauthd leaking
memory be helpful?
Regards,
-Roberto
On Tue, Mar 20, 2007 at 04:52:26PM +0100, Gabor Gombas wrote:
> Hi,
>
> I got annoyed by saslauthd consuming more than 2Gig of RAM so I started
> looking into this issue. My findings:
>
> - The leak does NOT happen on successful authentication. I sent 500000
> valid auth. requests to saslauthd and its memory usage did not
> increase.
>
> - I sent just a couple of invalid authentication requests and
> saslauthd's memory usage started to climb. So this is a trivially
> exploitable remote DoS (send a large amount of bad passwords to any
> sasl-using service and wait until the OOM killer kicks in and renders
> your box useless).
>
> - The leak is NOT related to libpam-mysql, it happens with the plain
> pam_unix module as well.
>
> - When using just pam_unix, valgrind gives the following trace segment:
>
> ==17824== 68 bytes in 17 blocks are definitely lost in loss record 7 of 7
> ==17824== at 0x40064B0: malloc (vg_replace_malloc.c:149)
> ==17824== by 0x425AAF12: (within /lib/ld-2.5.so)
> ==17824== by 0x425AC5B4: (within /lib/ld-2.5.so)
> ==17824== by 0x425B6450: (within /lib/ld-2.5.so)
> ==17824== by 0x425B2401: (within /lib/ld-2.5.so)
> ==17824== by 0x425B5E9D: (within /lib/ld-2.5.so)
> ==17824== by 0x42709C2C: (within /lib/i686/cmov/libdl-2.5.so)
> ==17824== by 0x425B2401: (within /lib/ld-2.5.so)
> ==17824== by 0x4270A2AB: (within /lib/i686/cmov/libdl-2.5.so)
> ==17824== by 0x42709B60: dlopen (in /lib/i686/cmov/libdl-2.5.so)
> ==17824== by 0x4352838F: (within /lib/libpam.so.0.79)
> ==17824== by 0x4352852B: (within /lib/libpam.so.0.79)
> ==17824== by 0x435292F3: _pam_init_handlers (in /lib/libpam.so.0.79)
> ==17824== by 0x4352726E: pam_start (in /lib/libpam.so.0.79)
> ==17824== by 0x804B1F4: auth_pam (auth_pam.c:207)
>
> The number of lost blocks equals to the invalid authentication requests
> I sent to saslauthd. This seems to suggest that something forgets to
> clean up when an authentication request fails.
>
> The amount of leaked memory seems to be dependent on the PAM module
> being used. pam_unix seems to be the 'nicest'; with libpam_mysql, I get
> about 60 KiB of memory lost for every failed authentication attempt,
> according to 'ps' output.
>
> Gabor
>
-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
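
Added example, not part of the original message and not code from saslauthd or Cyrus SASL: the report does not identify the faulty lines, so this is only a hypothetical shape of the "forgets to clean up when an authentication request fails" pattern it describes, next to a corrected shape. session_open/session_close are assumed stand-ins for a paired open/close API (PAM pairs pam_start with pam_end), and the fixed-size POOL is a constructed substitute for finite memory.

```c
#include <stdio.h>
#include <string.h>

#define POOL 32                      /* constructed limit standing in for RAM */
struct session { int in_use; };      /* hypothetical per-request auth handle */
static struct session pool[POOL];

static struct session *session_open(void) {
    for (int i = 0; i < POOL; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL;                     /* resources exhausted */
}
static void session_close(struct session *s) { s->in_use = 0; }
static int password_ok(const char *pw) { return strcmp(pw, "correct") == 0; }

int sessions_live(void) {            /* handles opened and never closed */
    int n = 0;
    for (int i = 0; i < POOL; i++) n += pool[i].in_use;
    return n;
}

/* Leaky shape: the failure branch returns before the cleanup call. */
int auth_leaky(const char *pw) {
    struct session *s = session_open();
    if (!s) return -2;               /* cannot start a session: service is down */
    if (!password_ok(pw)) return -1; /* BUG: s is never closed on this path */
    session_close(s);
    return 0;
}

/* Corrected shape: every path after a successful open reaches the close. */
int auth_fixed(const char *pw) {
    struct session *s = session_open();
    if (!s) return -2;
    int rc = password_ok(pw) ? 0 : -1;
    session_close(s);
    return rc;
}

/* Start from an empty pool, send `bad` failing requests, count what is left. */
int leaked_after(int (*auth)(const char *), int bad) {
    memset(pool, 0, sizeof pool);
    for (int i = 0; i < bad; i++) auth("wrong");
    return sessions_live();
}

int main(void) {
    printf("leaky: %d still open\n", leaked_after(auth_leaky, 17));
    printf("fixed: %d still open\n", leaked_after(auth_fixed, 17));
    return 0;
}
```

In the leaky shape the number of handles left open tracks the number of failed requests one for one, and once the pool is used up even a correct password is refused, which is the denial-of-service condition the report describes.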