Bug 377203 - sshd segfaults in glibc when operating in kernel_t SELinux context
Summary: sshd segfaults in glibc when operating in kernel_t SELinux context
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Unspecified
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2011-07-31 19:59 UTC by Richard
Modified: 2014-02-02 12:59 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
sshd backtrace that Flameeyes saw (sshd_backtrace,3.85 KB, text/plain)
2011-07-31 19:59 UTC, Richard

Description Richard 2011-07-31 19:59:13 UTC
Created attachment 281663
sshd backtrace that Flameeyes saw

I had some filesystem corruption in a KVM virtual machine. fsck.ext4 fixed the filesystem, but the SELinux file contexts were destroyed. This led to sshd starting in the kernel_t context and any attempt to ssh into the system caused a segfault on the remote system with a broken pipe on the local end.

sestatus -v output:

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        strict

Process contexts:
Current context:                root:sysadm_r:sysadm_t
Init context:                   system_u:system_r:kernel_t
/sbin/agetty                    system_u:system_r:kernel_t
/usr/sbin/sshd                  system_u:system_r:kernel_t

File contexts:
Controlling term:               root:object_r:user_tty_device_t
/sbin/init                      system_u:object_r:file_t
/sbin/agetty                    system_u:object_r:file_t
/bin/login                      system_u:object_r:file_t
/sbin/rc                        system_u:object_r:file_t
/usr/sbin/sshd                  system_u:object_r:file_t
/sbin/unix_chkpwd               system_u:object_r:file_t
/etc/passwd                     system_u:object_r:file_t
/etc/shadow                     system_u:object_r:file_t
/bin/sh                         system_u:object_r:file_t -> system_u:object_r:file_t
/bin/bash                       system_u:object_r:file_t
/usr/bin/newrole                system_u:object_r:file_t
/lib/libc.so.6                  system_u:object_r:file_t -> system_u:object_r:file_t

Running "rlpkg -a -r" fixed this and restarting sshd stopped the segfaults, but prior to diagnosing this, Flameeyes said "what you have in front of you seems to be a double-free". Even though the issue is fixed, I thought it might be a good idea to file a bug report so the Gentoo SELinux developers could decide whether or not I uncovered some sort of issue.

$ emerge --info sshd
Portage 2.1.10.9 (default/linux/amd64/10.0/desktop/kde, gcc-4.4.6, glibc-2.11.3-r0, 2.6.39.3 x86_64)
=================================================================
                        System Settings
=================================================================
System uname: Linux-2.6.39.3-x86_64-Intel-R-_Core-TM-2_Quad_CPU_Q9550_@_2.83GHz-with-gentoo-2.0.3
Timestamp of tree: Sat, 30 Jul 2011 22:45:01 +0000
ccache version 3.1.5 [enabled]
app-shells/bash:          4.2_p10
dev-java/java-config:     2.1.11-r3
dev-lang/python:          2.7.2-r2, 3.2-r2
dev-util/ccache:          3.1.5
dev-util/cmake:           2.8.5-r2
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          0.8.3-r1
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.9.6-r3, 1.10.3, 1.11.1-r1
sys-devel/binutils:       2.21.1
sys-devel/gcc:            4.4.6
sys-devel/gcc-config:     1.4.1-r1
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 2.6.38 (virtual/os-headers)
sys-libs/glibc:           2.11.3
Repositories: gentoo local_overlay sunrise vmware bitcoin
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -mtune=core2 -mcx16 -msahf -msse4.1 --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=6144 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/maven-bin-3.0/conf /usr/share/openvpn/easy-rsa /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=core2 -mtune=core2 -mcx16 -msahf -msse4.1 --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=6144 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs buildpkg ccache distlocks ebuild-locks fixlafiles fixpackages multilib-strict news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox"
FFLAGS="-march=core2 -mtune=core2 -mcx16 -msahf -msse4.1 --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=6144 -O2 -pipe"
GENTOO_MIRRORS="http://mirror.lug.udel.edu/pub/gentoo/ http://gentoo.osuosl.org/ ftp://mirrors.rit.edu/gentoo/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--sort-common"
LINGUAS="en"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /var/lib/layman/sunrise /var/lib/layman/vmware /var/lib/layman/bitcoin"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="X a52 aac acpi alsa amd64 bash-completion berkdb branding bzip2 cairo cdda cdr cjk cli consolekit cracklib crypt cups cxx dbus declarative dri dts dvd dvdr emboss encode exif fam ffmpeg fftw firefox flac fontconfig fortran gdbm gdu gif gnutls gpm iconv ipv6 java jpeg kde kipi lcms ldap libnotify lzma mad mmap mmx mng modules mp3 mp4 mpeg mudflap multilib ncurses nls nptl nptlonly nsplugin ogg opengl openmp pam pango pcre pdf perl phonon plasma png policykit ppds pppd python qt3support qt4 readline sdl session spell sse sse2 ssl ssse3 startup-notification svg sysfs tcpd theora tiff truetype udev unicode usb vdpau vorbis x264 xcb xcomposite xinerama xml xorg xscreensaver xulrunner xv xvid xvmc zlib zsh-completion" ALSA_CARDS="hda-intel hpet snd-ctxfi" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="braindump flow karbon kexi kpresenter krita tables words" CAMERAS="*" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="nvidia" 
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Agostino Sarubbo gentoo-dev 2011-08-02 13:00:47 UTC
@selinux

If it is not your bug, feel free to assign @base-s
Comment 2 Sven Vermeulen 2011-08-09 20:44:48 UTC
It's "our" bug alright... something with the selinux-specific code where the error handling isn't done correctly (in this case, SSHd runs in an incorrect security context where it wants to do a transition for the user, which fails but isn't handled properly).

I consider this to be a lower priority though (ping me if you disagree) but one that needs to be fixed anyway...
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-11 16:13:40 UTC
Well, I can't immediately reproduce (sometimes it's hard to fubar a system when you have to ;-) but I *believe* the following occurred...

In ssh_selinux_getctxbyname(), the (local) variable sc is not updated with a correct context (by get_default_context()) since the call fails. Later, the value of sc is returned, but does not contain a proper security_context_t.

The later call to freecon() (in ssh_selinux_setup_exec_context) probably tries to interpret this as a valid security_context_t but fails. 

Since get_default_context() can return -1 both when the context is not touched or when it is (but NULL) I *think* this can be fixed in OpenSSH's port-linux.c by having

        if (r != -1)
                return (sc);
        else
                return NULL;
}

instead of

        return (sc);
}

Since sc is a local variable (which isn't touched, or set to NULL) it does not need to be freed. Unless r != -1, in which case it is adjusted - but then that's the regular modus operandi.
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-13 20:55:45 UTC
Bug opened upstream (openssh), let's see if they agree with it.
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-02-26 10:12:36 UTC
Patch accepted upstream, will be part of v6.0 release
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-27 10:19:33 UTC
openssh-6.0_p1 is now in main tree (~arch'ed)
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2014-02-02 12:59:22 UTC
OpenSSH 6.0+ is stable now