Created attachment 281663
sshd backtrace that Flameeyes saw

I had some filesystem corruption in a KVM virtual machine. fsck.ext4 fixed the filesystem, but the SELinux file contexts were destroyed. This led to sshd starting in the kernel_t context and any attempt to ssh into the system caused a segfault on the remote system with a broken pipe on the local end.

sestatus -v output:

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        strict

Process contexts:
Current context:                root:sysadm_r:sysadm_t
Init context:                   system_u:system_r:kernel_t
/sbin/agetty                    system_u:system_r:kernel_t
/usr/sbin/sshd                  system_u:system_r:kernel_t

File contexts:
Controlling term:               root:object_r:user_tty_device_t
/sbin/init                      system_u:object_r:file_t
/sbin/agetty                    system_u:object_r:file_t
/bin/login                      system_u:object_r:file_t
/sbin/rc                        system_u:object_r:file_t
/usr/sbin/sshd                  system_u:object_r:file_t
/sbin/unix_chkpwd               system_u:object_r:file_t
/etc/passwd                     system_u:object_r:file_t
/etc/shadow                     system_u:object_r:file_t
/bin/sh                         system_u:object_r:file_t -> system_u:object_r:file_t
/bin/bash                       system_u:object_r:file_t
/usr/bin/newrole                system_u:object_r:file_t
/lib/libc.so.6                  system_u:object_r:file_t -> system_u:object_r:file_t

Running "rlpkg -a -r" fixed this and restarting sshd stopped the segfaults, but prior to diagnosing this, Flameeyes said "what you have in front of you seems to be a double-free". Even though the issue is fixed, I thought it might be a good idea to file a bug report so the Gentoo SELinux developers could decide whether or not I uncovered some sort of issue.
$ emerge --info sshd
Portage 2.1.10.9 (default/linux/amd64/10.0/desktop/kde, gcc-4.4.6, glibc-2.11.3-r0, 2.6.39.3 x86_64)
=================================================================
                        System Settings
=================================================================
System uname: Linux-2.6.39.3-x86_64-Intel-R-_Core-TM-2_Quad_CPU_Q9550_@_2.83GHz-with-gentoo-2.0.3
Timestamp of tree: Sat, 30 Jul 2011 22:45:01 +0000
ccache version 3.1.5 [enabled]
app-shells/bash:          4.2_p10
dev-java/java-config:     2.1.11-r3
dev-lang/python:          2.7.2-r2, 3.2-r2
dev-util/ccache:          3.1.5
dev-util/cmake:           2.8.5-r2
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          0.8.3-r1
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.9.6-r3, 1.10.3, 1.11.1-r1
sys-devel/binutils:       2.21.1
sys-devel/gcc:            4.4.6
sys-devel/gcc-config:     1.4.1-r1
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 2.6.38 (virtual/os-headers)
sys-libs/glibc:           2.11.3
Repositories: gentoo local_overlay sunrise vmware bitcoin
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -mtune=core2 -mcx16 -msahf -msse4.1 --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=6144 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/maven-bin-3.0/conf /usr/share/openvpn/easy-rsa /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=core2 -mtune=core2 -mcx16 -msahf -msse4.1 --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=6144 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs buildpkg ccache distlocks ebuild-locks fixlafiles fixpackages multilib-strict news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox"
FFLAGS="-march=core2 -mtune=core2 -mcx16 -msahf -msse4.1 --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=6144 -O2 -pipe"
GENTOO_MIRRORS="http://mirror.lug.udel.edu/pub/gentoo/ http://gentoo.osuosl.org/ ftp://mirrors.rit.edu/gentoo/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--sort-common"
LINGUAS="en"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /var/lib/layman/sunrise /var/lib/layman/vmware /var/lib/layman/bitcoin"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="X a52 aac acpi alsa amd64 bash-completion berkdb branding bzip2 cairo cdda cdr cjk cli consolekit cracklib crypt cups cxx dbus declarative dri dts dvd dvdr emboss encode exif fam ffmpeg fftw firefox flac fontconfig fortran gdbm gdu gif gnutls gpm iconv ipv6 java jpeg kde kipi lcms ldap libnotify lzma mad mmap mmx mng modules mp3 mp4 mpeg mudflap multilib ncurses nls nptl nptlonly nsplugin ogg opengl openmp pam pango pcre pdf perl phonon plasma png policykit ppds pppd python qt3support qt4 readline sdl session spell sse sse2 ssl ssse3 startup-notification svg sysfs tcpd theora tiff truetype udev unicode usb vdpau vorbis x264 xcb xcomposite xinerama xml xorg xscreensaver xulrunner xv xvid xvmc zlib zsh-completion"
ALSA_CARDS="hda-intel hpet snd-ctxfi"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="braindump flow karbon kexi kpresenter krita tables words"
CAMERAS="*"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx"
INPUT_DEVICES="evdev synaptics"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="en"
PHP_TARGETS="php5-3"
RUBY_TARGETS="ruby18"
USERLAND="GNU"
VIDEO_CARDS="nvidia"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
@selinux: If it is not your bug, feel free to assign @base-s
It's "our" bug alright... something with the selinux-specific code where the error handling isn't done correctly (in this case, SSHd runs in an incorrect security context where it wants to do a transition for the user, which fails but isn't handled properly). I consider this to be a lower priority though (ping me if you disagree) but one that needs to be fixed anyway...
Well, I can't immediately reproduce (sometimes it's hard to fubar a system when you have to ;-) but I *believe* the following occurred...

In ssh_selinux_getctxbyname(), the (local) variable sc is not updated with a correct context (by get_default_context()) since the call fails. Later, the value of sc is returned, but does not contain a proper security_context_t. The later call to freecon() (in ssh_selinux_setup_exec_context) probably tries to interpret this as a valid security_context_t but fails.

Since get_default_context() can return -1 both when the context is not touched or when it is (but NULL) I *think* this can be fixed in OpenSSH's port-linux.c by having

	if (r != -1)
		return (sc);
	else
		return NULL;
}

instead of

	return (sc);
}

Since sc is a local variable (which isn't touched, or set to NULL) it does not need to be freed. Unless r != -1, in which case it is adjusted - but then that's the regular modus operandi.
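As an added illustration of the failure path described in the comment above (this is example code written for this page, not OpenSSH's port-linux.c or libselinux), the following C program models ssh_selinux_getctxbyname() and its caller. The libselinux calls get_default_context() and freecon() are replaced by constructed stand-ins: the lookup succeeds only for the sample user "root" and otherwise returns -1 without writing its out-parameter, which is the case that left sc holding an indeterminate pointer that was later handed to freecon(). The hardened lookup initialises sc to NULL and honours the return code, so a failed lookup yields NULL and the caller frees nothing; the freecon() stand-in counts its calls so that "freed exactly once on success, never on failure" can be checked.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef char *security_context_t;   /* same shape as libselinux's typedef */

static int freecon_calls;           /* instrumentation: how often freecon() ran */

/* Portable string duplicate (avoids relying on POSIX strdup under strict -std). */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Constructed stand-in for libselinux get_default_context(). It succeeds only
 * for the sample user "root"; for anyone else it returns -1 and does NOT
 * write *con, mirroring the failure the report describes (sshd running in
 * the wrong domain, so no default user context can be computed). */
static int mock_get_default_context(const char *user, security_context_t *con)
{
    if (strcmp(user, "root") == 0) {
        *con = dup_string("root:sysadm_r:sysadm_t");   /* caller owns it */
        return *con != NULL ? 0 : -1;
    }
    return -1;
}

/* Stand-in for libselinux freecon(): counts calls so a test can confirm a
 * context is released exactly once and a failed lookup frees nothing. */
static void mock_freecon(security_context_t con)
{
    freecon_calls++;
    free(con);
}

int freecon_call_count(void) { return freecon_calls; }

/* Hardened lookup. The reported defect had the shape
 *     security_context_t sc;                 (never initialised)
 *     r = get_default_context(user, &sc);
 *     return (sc);                           (returned even when r == -1)
 * so on failure the caller received an indeterminate pointer and later
 * passed it to freecon(). Here sc starts as NULL and the return code is
 * honoured: failure yields NULL and nothing else. */
security_context_t getctxbyname_fixed(const char *user)
{
    security_context_t sc = NULL;
    int r = mock_get_default_context(user, &sc);
    if (r != 0)
        return NULL;      /* sc is untouched (still NULL): nothing to free */
    return sc;
}

/* Model of the caller (ssh_selinux_setup_exec_context): copies the context it
 * would apply into `applied`, releases it once and returns 0; returns -1 and
 * releases nothing when no context was available. */
int setup_exec_context_fixed(const char *user, char *applied, size_t len)
{
    security_context_t sc = getctxbyname_fixed(user);
    if (sc == NULL) {
        if (len > 0)
            applied[0] = '\0';
        return -1;
    }
    snprintf(applied, len, "%s", sc);
    mock_freecon(sc);     /* exactly one release of a pointer we own */
    return 0;
}

/* Check helper: 1 if the applied context equals `expected`, 0 if no context
 * was applied, -1 on mismatch. */
int apply_result(const char *user, const char *expected)
{
    char buf[64];
    int rc = setup_exec_context_fixed(user, buf, sizeof buf);
    if (rc != 0)
        return 0;
    return strcmp(buf, expected) == 0 ? 1 : -1;
}

int main(void)
{
    const char *users[] = { "root", "nobody" };   /* constructed sample users */
    char buf[64];
    for (size_t i = 0; i < 2; i++) {
        int rc = setup_exec_context_fixed(users[i], buf, sizeof buf);
        printf("%-7s rc=%2d context=\"%s\" freecon calls so far=%d\n",
               users[i], rc, buf, freecon_call_count());
    }
    return 0;
}
```

Run as-is, the program applies a context for "root" and frees it once, then reports rc=-1 and an unchanged free count for "nobody". The substance of the fix is the two lines `security_context_t sc = NULL;` and `if (r != 0) return NULL;`: whichever of the two documented failure behaviours libselinux exhibits (out-parameter untouched or set to NULL), the caller never sees a pointer it did not receive from a successful call.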
Bug opened upstream (openssh), let's see if they agree with it.
Patch accepted upstream, will be part of the v6.0 release
openssh-6.0_p1 is now in main tree (~arch'ed)
OpenSSH 6.0+ is stable now