Thread leak by LdapLoginModule
Mkrtchyan, Tigran
tigran.mkrtchyan at desy.de
Tue Jun 9 21:15:19 UTC 2020
Hi all,
With Java 11 we have noticed a thread leak with the LDAP module.
We use LDAP to authenticate users with username+password by
directly calling LdapLoginModule. This was OK with Java 7 and
Java 8. With Java 11 we see threads accumulating. Here is a
test case that demonstrates it:
```
private static final String USERNAME_KEY = "javax.security.auth.login.name";
private static final String PASSWORD_KEY = "javax.security.auth.login.password";

String ldapUrl = "ldap://....";
String peopleOU = "ou= ... o= ... c=...";
String user = ...;
String pass = ...;

@Test
public void threadLeakTest() throws AuthenticationException, NoSuchPrincipalException, LoginException {

    // Snapshot of all live threads before any login attempt
    Map<Thread, StackTraceElement[]> threadsBefore = Thread.getAllStackTraces();

    Map<String, Object> globalLoginOptions = Map.of(
            "userProvider", ldapUrl + "/" + peopleOU,
            "useSSL", "false",
            "userFilter", "(uid={USERNAME})",
            "useFirstPass", "true"
    );

    for (int i = 0; i < 10; i++) {

        // Shared state carries the credentials picked up via useFirstPass
        Map<String, Object> loginOptions = Map.of(
                USERNAME_KEY, user,
                PASSWORD_KEY, pass.toCharArray());

        Subject subject = new Subject();

        LdapLoginModule loginModule = new LdapLoginModule();
        loginModule.initialize(subject, null, loginOptions, globalLoginOptions);
        loginModule.login();
        loginModule.commit();
        loginModule.logout();
    }

    // Snapshot after ten complete login/commit/logout cycles
    Map<Thread, StackTraceElement[]> threadsAfter = Thread.getAllStackTraces();
    assertEquals("Thread leak detected", threadsBefore.size() + 1, threadsAfter.size());
}
```
The thread count difference is always equal to the number of iterations in the loop, i.e. on each call a
thread is created and stays around. Eventually our server crashes with:
```
[19497.011s][warning][os,thread] Attempt to protect stack guard pages failed (0x00007fcc4c65c000-0x00007fcc4c660000).
OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00007fcc4c55b000, 16384, 0) failed; error='Not enough space' (errno=12)
```
The issue is not observed with java-14, thus I assume that the fix is related to commit
http://hg.openjdk.java.net/jdk/jdk/rev/6717d7e59db4
As Java 11 is LTS, what is the procedure to get the fix back-ported?
Regards,
Tigran.
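
Added example, not part of the original message: the test above compares thread counts, which shows that threads leak but not which ones. The sketch below diffs thread snapshots by thread ID and prints the name, state and top stack frames of every thread that is new and still alive after the action has run. `ThreadLeakProbe`, `leakedThreads` and the constructed `leakyAction` (a stand-in for the `login()`/`commit()`/`logout()` sequence, so the code runs without an LDAP server) are hypothetical names introduced here.

```java
import java.util.*;
import java.util.concurrent.locks.LockSupport;
import java.util.stream.Collectors;

/** Added example: reports which threads an action leaves behind, not just how many. */
public class ThreadLeakProbe {

    /** Runs the action `iterations` times; returns threads that are new and still alive afterwards. */
    static Map<Thread, StackTraceElement[]> leakedThreads(Runnable action, int iterations)
            throws InterruptedException {
        // Identify pre-existing threads by ID so unrelated long-lived threads are ignored
        Set<Long> before = Thread.getAllStackTraces().keySet().stream()
                .map(Thread::getId).collect(Collectors.toSet());
        for (int i = 0; i < iterations; i++) {
            action.run();
        }
        Thread.sleep(500); // grace period so threads that are shutting down can exit
        Map<Thread, StackTraceElement[]> leaked = new LinkedHashMap<>();
        Thread.getAllStackTraces().forEach((t, stack) -> {
            if (t.isAlive() && !before.contains(t.getId())) {
                leaked.put(t, stack);
            }
        });
        return leaked;
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed stand-in for the LDAP login sequence:
        // each call starts a daemon thread that never terminates.
        Runnable leakyAction = () -> {
            Thread t = new Thread(() -> { while (true) LockSupport.park(); }, "constructed-leak");
            t.setDaemon(true);
            t.start();
        };
        Map<Thread, StackTraceElement[]> leaked = leakedThreads(leakyAction, 10);
        System.out.println("leaked threads: " + leaked.size());
        // The stack frames show where each leftover thread is blocked
        leaked.forEach((t, stack) -> {
            System.out.println(t.getName() + " daemon=" + t.isDaemon() + " state=" + t.getState());
            Arrays.stream(stack).limit(5).forEach(f -> System.out.println("    at " + f));
        });
    }
}
```

JVM housekeeping threads that happen to start during the run can also appear in the result; the printed stack frames make them easy to tell apart from threads created by the action under test.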