** Description changed:

- Commit 1cd2821 altered the memory
- management of krb5_gss_inquire_cred(), introducing defcred to act as
+ [ Impact ]
+
+ Commit https://github.com/krb5/krb5/commit/1cd2821c19b2b95e39d5fc2f451a035585a40fa5
+ altered the memory management of krb5_gss_inquire_cred(), introducing defcred to act as
  an owner pointer when the function must acquire a default credential.
  The commit neglected to update the code to release the default cred
- along the successful path. The old code does not trigger because
+ along the successful path. The old code does not trigger because
  cred_handle is now reassigned, so the default credential is leaked.

- The commit https://github.com/krb5/krb5/commit/098f874f3b50dd2c46c0a574677324b5f6f3a1a8 fixes the leak.
- It's been part of newer krb5 releases (Jammy, and Noble have the releases with the fix). Bionic doesn't have the commit that introduced the memory leak.
+ Resulting gradual increase in memory usage (memory leak) and eventual
+ crash.

- So this fix needs to be backported to Focal (only).
+ [ Test Plan ]
+
+ Set up 3 VMs:
+
+ 1. Windows Server acting as Domain controller (AD)
+ 2. Windows machine AD Joined with Ostress installed. (Ostress is part of RML utilities https://learn.microsoft.com/en-us/troubleshoot/sql/tools/replay-markup-language-utility)
+ 3. SQL on Linux AD Joined (configuration steps https://learn.microsoft.com/en-us/sql/linux/sql-server-linux-ad-auth-adutil-tutorial?view=sql-server-ver16)
+
+ On the Machine with OStress create a file (name it disconnect.ini) with
+ the following content under the same folder “C:\Program Files\Microsoft
+ Corporation\RMLUtils” where OStress is installed.
+
+ disconnect.ini
+ ==============
+
+ [Connection Options]
+ LoginTimeout=30
+ QuotedIdentifier=Off
+ AutocommitMode=On
+ DisconnectPct=100.0
+ MaxThreadErrors=0
+
+ [Query Options]
+ NoSQLBindCol=Off
+ NoResultDisplay=Off
+ PrepareExecute=Off
+ ExecuteAsync=Off
+ RollbackOnCancel=Off
+ QueryTimeout=0
+ QueryDelay=0
+ MaxRetries=0
+ BatchDisconnectPct=0.0
+ CancelPct=0.00
+ CancelDelay=0
+ CancelDelayMin=0
+ CursorType=
+ CursorConcurrency=
+ RowFetchDelay=0
+
+ [Replay Options]
+ Sequencing Options=global sequence
+ ::Sequencing Options=global sequence, dtc replay
+ DTC Timeout=
+ DTC Machine=(local)
+ Playback Coordinator=(local)
+ StartSeqNum=
+ StopSeqNum=
+ TimeoutFactor=1.0
+
+ Run the following command to start the load using Ostress, change Server
+ name (-S) accordingly and the number of threads (-n) as needed.
+
+ Start 4 different CMD consoles and use the following different commands for each CMD window:
+ 1. ostress.exe -E -S<ServerName/port> -Q"select * from sys.all_objects" -q -cdisconnect.ini -n40 -r9999999 -oc:\temp\log01 -T146
+ 2. ostress.exe -E -S<ServerName/port> -Q"select * from sys.all_views" -q -cdisconnect.ini -n40 -r9999999 -oc:\temp\log02 -T146
+ 3. ostress.exe -E -S<ServerName/port> -Q"select * from sys.all_columns" -q -cdisconnect.ini -n40 -r9999999 -oc:\temp\log03 -T146
+ 4. ostress.exe -E -S<ServerName/port> -Q"select * from sys.all_parameters" -q -cdisconnect.ini -n40 -r9999999 -oc:\temp\log04 -T146
+
+ After a run of about 5 hours, the memory usage for this is expected to be around 5G with the fix.
+ Without the fix, it was observed that it reached around ~22G in 5 hours. Hence the increase in
+ memory usage can be observed if the ostress.exe programs are left to run longer.
+
+ [ Where problems could occur ]
+
+ The fix may not fix the memory leak or could result in releasing the memory
+ early in a different code path, and thus resulting in crashes.
+
+ A mitigating fact is that the fix has been in Ubuntu since at least 22.04 and
+ they do not exhibit any issues.
+
+ Likewise I've previously provided the fix in a PPA https://launchpad.net/~pponnuvel/+archive/ubuntu/krb5-focal
+ to a user who's been hit by this issue. They've tested and confirmed it fixes the memory leak.
+
+ [ Other Info ]
+
+ The commit
+ https://github.com/krb5/krb5/commit/098f874f3b50dd2c46c0a574677324b5f6f3a1a8
+ fixes the leak.
+
+ The fix has been included in newer krb5 releases (Jammy, and Noble have
+ the releases with the fix).
+
+ Bionic doesn't have the commit that introduced the memory leak in the first place.
+ So this will be a Focal-only backport.

** Summary changed:

- Memory leak in krb5 version 1.17
+ [SRU] Memory leak in krb5 version 1.17

https://bugs.launchpad.net/bugs/2060666

Title:
  [SRU] Memory leak in krb5 version 1.17
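
Added example, not part of the bug report and not krb5 source: a simplified C model of the ownership bug described under [ Impact ], where defcred owns the default credential but the release stays behind the old guard on cred_handle. The names model_cred, acquire_default, release_cred, inquire_leaky and inquire_fixed, and the capped counter standing in for the heap, are assumptions made for illustration.

```c
#include <stdio.h>
/* Simplified model; every name here is hypothetical, none of it is krb5 source.
 * A capped counter stands in for the heap so the leak is observable. */
#define MAX_LIVE 64                      /* stand-in for available memory */
typedef struct { int usage; } model_cred;
static model_cred default_cred = { 1 };
static int live = 0;                     /* acquisitions not yet released */
static model_cred *acquire_default(void) {
    if (live >= MAX_LIVE) return NULL;   /* "out of memory" */
    live++;
    return &default_cred;
}
static void release_cred(model_cred **c) {
    if (*c != NULL) { live--; *c = NULL; }
}

/* Leaky: defcred owns the default credential, but the release keeps the old
 * "caller passed no handle" guard, false once cred_handle is reassigned. */
static int inquire_leaky(model_cred *cred_handle, int *usage) {
    model_cred *defcred = NULL;
    if (cred_handle == NULL) {
        if ((defcred = acquire_default()) == NULL) return -1;
        cred_handle = defcred;
    }
    *usage = cred_handle->usage;
    if (cred_handle == NULL) release_cred(&defcred);   /* never runs */
    return 0;
}

/* Fixed: always release through the owner pointer; a no-op when the caller
 * supplied the handle and defcred stayed NULL. */
static int inquire_fixed(model_cred *cred_handle, int *usage) {
    model_cred *defcred = NULL;
    if (cred_handle == NULL) {
        if ((defcred = acquire_default()) == NULL) return -1;
        cred_handle = defcred;
    }
    *usage = cred_handle->usage;
    release_cred(&defcred);
    return 0;
}

int main(void) {
    int u = 0, rc = 0;
    for (int i = 0; i < 100; i++) rc = inquire_fixed(NULL, &u);
    printf("fixed: live=%d rc=%d\n", live, rc);
    for (int i = 0; i < 100; i++) rc = inquire_leaky(NULL, &u);
    printf("leaky: live=%d rc=%d\n", live, rc);
    return 0;
}
```

In the model the leaky variant holds every default credential it acquires until the cap is reached and further calls fail, which corresponds to the gradual memory growth and eventual crash in the report.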