Bug 1070249
Summary: | Permission denied on audio devices when there is a tty device with a long name | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | James Pearson <james-p> | ||||
Component: | ConsoleKit | Assignee: | Michal Sekletar <msekleta> | ||||
Status: | CLOSED ERRATA | QA Contact: | Frantisek Sumsal <fsumsal> | ||||
Severity: | medium | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 6.5 | CC: | fsumsal, psklenar | ||||
Target Milestone: | rc | ||||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | ConsoleKit-0.4.1-4.el6 | Doc Type: | Bug Fix | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2016-05-11 00:58:57 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
I overlooked your attachment and merged a bit different patch which bumps the length to 32. Then I checked Debian and found out that they ship the same patch as well, so I guess 32 should be fine. 32 will be fine in our case - although I guess it should really match whatever limit the kernel allows for tty device names 1) Reproducer ## Find some process running on tty* (it doesn't matter which one) # ps aux | grep tty ## Save its pid ## Run ck-collect-session-info in gdb and replace device buffer with specially crafted tty name # gdb --args /usr/libexec/ck-collect-session-info --uid 0 --pid 1473 (gdb) break ck-sysdeps-linux.c:122 (gdb) run (gdb) set var buf=" /dev/ttywithaverylongname0 " (gdb) cont 2) Output a) Old package <...> (gdb) set var buf=" /dev/ttywithaverylongname0 " (gdb) p buf $1 = " /dev/ttywithaverylongname0 ", '\000' <repeats 9971 times> (gdb) cont Continuing. *** buffer overflow detected ***: /usr/libexec/ck-collect-session-info terminated ======= Backtrace: ========= /lib64/libc.so.6(__fortify_fail+0x37)[0x7ffff74f66d7] <...> Program received signal SIGABRT, Aborted. 0x00007ffff74265e5 in raise () from /lib64/libc.so.6 b) New package <...> (gdb) set var buf=" /dev/ttywithaverylongname0 " (gdb) p buf $1 = " /dev/ttywithaverylongname0 ", '\000' <repeats 9971 times> (gdb) cont Continuing. unix-user = 0 display-device = /dev/tty1 login-session-id = 4294967295 Program exited normally. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0942.html |
Created attachment 868025 [details] Simple patch to increase tty device name buffer length Description of problem: ConsoleKit fails to add the username to /dev/snd/* ACLs on login when there is a tty device with a name longer than 16 characters - hence any audio tool used by the user when logged in on the console give errors like: ALSA lib pulse.c:229:(pulse_connect) PulseAudio: Unable to connect: Connection refused The long tty device name (in this case) is created when a third party kernel module is loaded Version-Release number of selected component (if applicable): ConsoleKit-0.4.1-3.el6 How reproducible: Always Steps to Reproduce: 1. load third party kernel module that creates a tty device with a name longer than 16 characters 2. login on the console 3. try to use anything that uses audio Actual results: Username of console user not added to the ACLs for sound device files /dev/snd/* Unable to use use audio Expected results: Username of console user added to the ACLs for sound device files /dev/snd/* Able to use use audio Additional info: The utility 'ck-collect-session-info' crashes with a 'buffer overflow detected' error - so console-kit is unable to set the ACLs on the sound devices The 'name' char array in struct tty_map_node defined in ck-sysdeps-linux.c is only 16 characters - so tty device names longer than this overflow this buffer A simple fix is to increase the size of this buffer - a better fix would be to dynamically allocate a buffer of the correct length at runtime