Bug#379810: saslauthd memory leak

[Roberto C. Sánchez]

Might this addition to a Debian bug report about saslauthd leaking
memory be helpful?

Regards,

-Roberto

On Tue, Mar 20, 2007 at 04:52:26PM +0100, Gabor Gombas wrote:
> Hi,
> =

> I got annoyed by saslauthd consuming more than 2Gig of RAM so I started
> looking into this issue. My findings:
> =

> - The leak does NOT happen on successful authentication. I sent 500000
>   valid auth. requests to saslauthd and its memory usage did not
>   increase.
> =

> - I sent just a couple of invalid authentication requests and
>   saslauthd's memory usage started to climb. So this is a trivially
>   exploitable remote DoS (send a large amount of bad passwords to any
>   sasl-using service and wait until the OOM killer kicks in and renders
>   your box useless).
> =

> - The leak is NOT related to libpam-mysql, it happens with the plain
>   pam_unix module as well.
> =

> - When using just pam_unix, valgrind gives the following trace segment:
> =

> =3D=3D17824=3D=3D 68 bytes in 17 blocks are definitely lost in loss recor=
d 7 of 7
> =3D=3D17824=3D=3D    at 0x40064B0: malloc (vg_replace_malloc.c:149)
> =3D=3D17824=3D=3D    by 0x425AAF12: (within /lib/ld-2.5.so)
> =3D=3D17824=3D=3D    by 0x425AC5B4: (within /lib/ld-2.5.so)
> =3D=3D17824=3D=3D    by 0x425B6450: (within /lib/ld-2.5.so)
> =3D=3D17824=3D=3D    by 0x425B2401: (within /lib/ld-2.5.so)
> =3D=3D17824=3D=3D    by 0x425B5E9D: (within /lib/ld-2.5.so)
> =3D=3D17824=3D=3D    by 0x42709C2C: (within /lib/i686/cmov/libdl-2.5.so)
> =3D=3D17824=3D=3D    by 0x425B2401: (within /lib/ld-2.5.so)
> =3D=3D17824=3D=3D    by 0x4270A2AB: (within /lib/i686/cmov/libdl-2.5.so)
> =3D=3D17824=3D=3D    by 0x42709B60: dlopen (in /lib/i686/cmov/libdl-2.5.s=
o)
> =3D=3D17824=3D=3D    by 0x4352838F: (within /lib/libpam.so.0.79)
> =3D=3D17824=3D=3D    by 0x4352852B: (within /lib/libpam.so.0.79)
> =3D=3D17824=3D=3D    by 0x435292F3: _pam_init_handlers (in /lib/libpam.so=
.0.79)
> =3D=3D17824=3D=3D    by 0x4352726E: pam_start (in /lib/libpam.so.0.79)
> =3D=3D17824=3D=3D    by 0x804B1F4: auth_pam (auth_pam.c:207)
> =

> The number of lost blocks equals to the invalid authentication requests
> I sent to saslauthd. This seems to suggest that something forgets to
> clean up when an authentication request fails.
> =

> The amount of leaked memory seems to be dependent on the PAM module
> being used. pam_unix seems to be the 'nicest'; with libpam_mysql, I get
> about 60 KiB of memory lost for every failed authentication attempt,
> according to 'ps' output.
> =

> Gabor
> =


-- =

Roberto C. S=E1nchez
http://people.connexer.com/~roberto
http://www.connexer.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : https://lists.andrew.cmu.edu/mailman/private/cyrus-sasl/attachments/2=
0070424/089bf4d7/attachment.bin