diff --git a/SOURCES/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch b/SOURCES/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch
new file mode 100644
index 0000000..fdc756a
--- /dev/null
+++ b/SOURCES/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch
@@ -0,0 +1,58 @@
+From f3333b9dbeda33a9344b458accaa4ff372adb660 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Fri, 3 Feb 2023 11:35:42 +0100
+Subject: [PATCH 2/4] SSS_CLIENT: fix error codes returned by common
+ read/write/check helpers.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It's kind of expected that in case `(POLLERR | POLLHUP | POLLNVAL)`
+error condition is detected, regular `POLLIN/POLLOUT` won't be set.
+Error code set by error condition should have a priority. This enables
+users of this helper to retry attempt (as designed).
+
+Reviewed-by: Pavel Březina
+Reviewed-by: Sumit Bose
+(cherry picked from commit 0b8638d8de435384562f17d041655887b73523cd)
+---
+ src/sss_client/common.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/src/sss_client/common.c b/src/sss_client/common.c
+index 2c888faa9..27e09f6f3 100644
+--- a/src/sss_client/common.c
++++ b/src/sss_client/common.c
+@@ -161,8 +161,7 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd,
+ case 1:
+ if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
+ *errnop = EPIPE;
+- }
+- if (!(pfd.revents & POLLOUT)) {
++ } else if (!(pfd.revents & POLLOUT)) {
+ *errnop = EBUSY;
+ }
+ break;
+@@ -273,8 +272,7 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd,
+ }
+ if (pfd.revents & (POLLERR | POLLNVAL)) {
+ *errnop = EPIPE;
+- }
+- if (!(pfd.revents & POLLIN)) {
++ } else if (!(pfd.revents & POLLIN)) {
+ *errnop = EBUSY;
+ }
+ break;
+@@ -725,8 +723,7 @@ static enum sss_status sss_cli_check_socket(int *errnop,
+ case 1:
+ if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
+ *errnop = EPIPE;
+- }
+- if (!(pfd.revents & (POLLIN | POLLOUT))) {
++ } else if (!(pfd.revents & (POLLIN | POLLOUT))) {
+ *errnop = EBUSY;
+ }
+ break;
+--
+2.37.3
+
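Review bot: The reason the EBUSY branch now hangs off an `else if` — an error condition takes priority over a missing POLLIN/POLLOUT, so the caller gets EPIPE and retries instead of EBUSY — is stated only in the commit message, and none of the three identical sites in sss_cli_send_req, sss_cli_recv_rep and sss_cli_check_socket carries a comment saying so. A one-liner above the first `if` at each site, `/* An error condition wins over a missing POLLIN/POLLOUT: report EPIPE so the caller retries, not EBUSY */`, would keep a later edit from flattening this back into two independent `if`s. Note that sss_cli_recv_rep deliberately leaves POLLHUP out of its EPIPE mask (it is recorded in `pollhup` just above the hunk), so that site's comment should mention the difference. All three enclosing functions start and end outside these hunks.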
diff --git a/SOURCES/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch b/SOURCES/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch
new file mode 100644
index 0000000..d7c875f
--- /dev/null
+++ b/SOURCES/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch
@@ -0,0 +1,63 @@
+From a40b25a3af29706c058ce5a02dd0ba294dbb6874 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Wed, 8 Feb 2023 17:48:52 +0100
+Subject: [PATCH 3/4] SSS_CLIENT: if poll() returns POLLNVAL then socket is
+ alredy closed (or wasn't open) so it shouldn't be closed again. Otherwise
+ there is a risk to close "foreign" socket opened in another thread.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Pavel Březina
+Reviewed-by: Sumit Bose
+(cherry picked from commit ef93284b5a1f196425d9a61e8e24de8972240eb3)
+---
+ src/sss_client/common.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/src/sss_client/common.c b/src/sss_client/common.c
+index 27e09f6f3..c8ade645b 100644
+--- a/src/sss_client/common.c
++++ b/src/sss_client/common.c
+@@ -159,7 +159,11 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd,
+ *errnop = ETIME;
+ break;
+ case 1:
+- if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
++ if (pfd.revents & (POLLERR | POLLHUP)) {
++ *errnop = EPIPE;
++ } else if (pfd.revents & POLLNVAL) {
++ /* Invalid request: fd is not opened */
++ sss_cli_sd = -1;
+ *errnop = EPIPE;
+ } else if (!(pfd.revents & POLLOUT)) {
+ *errnop = EBUSY;
+@@ -270,7 +274,11 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd,
+ if (pfd.revents & (POLLHUP)) {
+ pollhup = true;
+ }
+- if (pfd.revents & (POLLERR | POLLNVAL)) {
++ if (pfd.revents & POLLERR) {
++ *errnop = EPIPE;
++ } else if (pfd.revents & POLLNVAL) {
++ /* Invalid request: fd is not opened */
++ sss_cli_sd = -1;
+ *errnop = EPIPE;
+ } else if (!(pfd.revents & POLLIN)) {
+ *errnop = EBUSY;
+@@ -721,7 +729,11 @@ static enum sss_status sss_cli_check_socket(int *errnop,
+ *errnop = ETIME;
+ break;
+ case 1:
+- if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
++ if (pfd.revents & (POLLERR | POLLHUP)) {
++ *errnop = EPIPE;
++ } else if (pfd.revents & POLLNVAL) {
++ /* Invalid request: fd is not opened */
++ sss_cli_sd = -1;
+ *errnop = EPIPE;
+ } else if (!(pfd.revents & (POLLIN | POLLOUT))) {
+ *errnop = EBUSY;
+--
+2.37.3
+
diff --git a/SOURCES/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch b/SOURCES/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch
new file mode 100644
index 0000000..dee9c9d
--- /dev/null
+++ b/SOURCES/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch
@@ -0,0 +1,53 @@
+From 1fd7a5ecb46a02a29ebf42039575b5344307bfbb Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Wed, 8 Feb 2023 18:58:37 +0100
+Subject: [PATCH 4/4] PAM_SSS: close(sss_cli_sd) should also be protected with
+ mutex. Otherwise a thread calling pam_end() can close socket mid pam
+ transaction in another thread.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bug only manifested on platforms where "lockfree client"
+feature wasn't built.
+
+Reviewed-by: Pavel Březina
+Reviewed-by: Sumit Bose
+(cherry picked from commit bf3f73ea0ee123fe4e7c4bdd2287ac5a5e6d9082)
+---
+ src/sss_client/pam_sss.c | 3 +++
+ src/sss_client/pam_sss_gss.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
+index afbdef59a..39ad17188 100644
+--- a/src/sss_client/pam_sss.c
++++ b/src/sss_client/pam_sss.c
+@@ -117,7 +117,10 @@ static void close_fd(pam_handle_t *pamh, void *ptr, int err)
+ #endif /* PAM_DATA_REPLACE */
+
+ D(("Closing the fd"));
++
++ sss_pam_lock();
+ sss_cli_close_socket();
++ sss_pam_unlock();
+ }
+
+ struct cert_auth_info {
+diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c
+index 1109ec570..dd578ae5d 100644
+--- a/src/sss_client/pam_sss_gss.c
++++ b/src/sss_client/pam_sss_gss.c
+@@ -581,7 +581,9 @@ int pam_sm_authenticate(pam_handle_t *pamh,
+ }
+
+ done:
++ sss_pam_lock();
+ sss_cli_close_socket();
++ sss_pam_unlock();
+ free(username);
+ free(domain);
+ free(target);
+--
+2.37.3
+
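Review bot: `sss_cli_sd = -1;` in the new POLLNVAL branch of sss_cli_send_req, sss_cli_recv_rep and sss_cli_check_socket is a write to what appears to be the process-wide client socket, and the comment `/* Invalid request: fd is not opened */` does not say why the descriptor is forgotten rather than closed. The real reason sits only in the subject line — after POLLNVAL the number is no longer ours and a later close() could hit a descriptor reused by another thread — so I would put it in the code: `/* POLLNVAL: the fd was already closed (or never opened). Forget it instead of closing it later, since the number may now belong to another thread. */`. Whether this store is itself serialized against a concurrent close depends on the callers holding the client lock, which is not visible here; worth confirming for the non-lockfree builds. All three enclosing functions start and end outside these hunks.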
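Review bot: The `sss_pam_lock();` / `sss_pam_unlock();` pair is added verbatim around `sss_cli_close_socket();` at two call sites (close_fd in pam_sss.c and the `done:` label in pam_sss_gss.c) with nothing in the code recording why, while the motivation — pam_end() in one thread must not close the socket while another thread is mid-transaction — lives only in the commit subject. A comment at each site, `/* Serialize with a concurrent PAM call: pam_end() in another thread must not close the socket mid-transaction */`, would help, or a single small wrapper that takes the lock would remove the duplication. In pam_sss_gss.c the `done:` label is reached from paths above the hunk, so if the lock is not recursive it is worth confirming none of them jumps there with sss_pam_lock() already held. Both enclosing functions start outside their hunks.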
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index d91753f..c395105 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -19,7 +19,7 @@ Name: sssd Version: 2.8.2 -Release: 1%{?dist} +Release: 2%{?dist} Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -28,6 +28,9 @@ Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{versio ### Patches ### Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch +Patch0002: 0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch +Patch0003: 0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch +Patch0004: 0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch ### Downstream Patches ### @@ -1210,6 +1213,9 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Mon Feb 13 2023 Alexey Tikhonov - 2.8.2-2 +- Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy" + * Mon Dec 19 2022 Alexey Tikhonov - 2.8.2-1 - Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8 - Resolves: rhbz#2136701 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level.