Bug 1382760

Summary: semodule_link segfaults on certain inputs
Product: Red Hat Enterprise Linux 7
Reporter: Milos Malik <mmalik>
Component: policycoreutils
Assignee: Petr Lautrbach <plautrba>
Status: CLOSED WONTFIX
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: low
Version: 7.3
CC: dwalsh, lvrabec, mgrepl, mmalik, plautrba, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1382490
Clones: 1382769
Environment:
Last Closed: 2017-06-29 13:42:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Attachments: bzip2 archive of input files causing a crash (flags: none)

Description Milos Malik 2016-10-07 16:04:47 UTC
Created attachment 1208185
bzip2 archive of input files causing a crash

Description of problem:
* found by American Fuzzy Lop

Version-Release number of selected component (if applicable):
libselinux-2.5-6.el7.x86_64
libselinux-debuginfo-2.5-6.el7.x86_64
libselinux-devel-2.5-6.el7.x86_64
libselinux-python-2.5-6.el7.x86_64
libselinux-ruby-2.5-6.el7.x86_64
libselinux-utils-2.5-6.el7.x86_64
libsemanage-2.5-4.el7.x86_64
libsemanage-devel-2.5-4.el7.x86_64
libsemanage-python-2.5-4.el7.x86_64
libsemanage-static-2.5-4.el7.x86_64
libsepol-2.5-6.el7.x86_64
libsepol-debuginfo-2.5-6.el7.x86_64
libsepol-devel-2.5-6.el7.x86_64
libsepol-static-2.5-6.el7.x86_64
policycoreutils-2.5-9.el7.x86_64
policycoreutils-debuginfo-2.5-9.el7.x86_64
policycoreutils-devel-2.5-9.el7.x86_64
policycoreutils-gui-2.5-9.el7.x86_64
policycoreutils-newrole-2.5-9.el7.x86_64
policycoreutils-python-2.5-9.el7.x86_64
policycoreutils-sandbox-2.5-9.el7.x86_64
selinux-policy-3.13.1-102.el7.noarch
selinux-policy-devel-3.13.1-102.el7.noarch
selinux-policy-doc-3.13.1-102.el7.noarch
selinux-policy-minimum-3.13.1-102.el7.noarch
selinux-policy-mls-3.13.1-102.el7.noarch
selinux-policy-sandbox-3.13.1-102.el7.noarch
selinux-policy-targeted-3.13.1-102.el7.noarch

How reproducible:
* always

Steps to Reproduce:
# tar jxf crashes.tar.bz2 
# ls -l semodule_link
total 3752
-rw-r--r--. 1 root root   64540 Oct  7 17:49 empty.pp
-rw-------. 1 root root 1888053 Oct  7 17:47 id000000
-rw-------. 1 root root 1888053 Oct  7 17:46 id000001
# semodule_link -o output semodule_link/id000001 semodule_link/empty.pp 
semodule_link:  loading package from file semodule_link/id000001
Segmentation fault
# dmesg | tail -n 1
[26281.682140] semodule_link[10834]: segfault at 0 ip 00007f0637b40544 sp 00007ffea7f02680 error 4 in libsepol.so.1[7f0637b2f000+95000]
# semodule_link -o output semodule_link/id000000 semodule_link/empty.pp
semodule_link:  loading package from file semodule_link/id000000
semodule_link:  loading package from file semodule_link/empty.pp
libsepol.ebitmap_set_bit: bitmap overflow, bit 0xffffffff
libsepol.copy_scope_index: Out of memory!
*** Error in `semodule_link': double free or corruption (out): 0x00007fd735663040 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7c503)[0x7fd7334a7503]
/lib64/libsepol.so.1(+0xa63c)[0x7fd733a1d63c]
/lib64/libsepol.so.1(+0xa662)[0x7fd733a1d662]
/lib64/libsepol.so.1(+0xa6bf)[0x7fd733a1d6bf]
/lib64/libsepol.so.1(+0x7982)[0x7fd733a1a982]
/lib64/libsepol.so.1(+0x7b0f)[0x7fd733a1ab0f]
/lib64/libsepol.so.1(+0x7b4c)[0x7fd733a1ab4c]
/lib64/libsepol.so.1(+0x1e764)[0x7fd733a31764]
/lib64/libsepol.so.1(sepol_link_packages+0x68)[0x7fd733a34aa8]
semodule_link(+0xfee)[0x7fd733ecdfee]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7fd73344cb35]
semodule_link(+0x1194)[0x7fd733ece194]
======= Memory map: ========
Aborted
# 

Actual results:
* segfaults

Expected results:
* some error message but no segfault
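As an added triage example (not part of the bug report), the following decodes the kernel "segfault at" line quoted in the reproduction steps above: it splits the x86 page-fault error code into its flags and computes the instruction offset inside libsepol.so.1, which is what addr2line or gdb on the libsepol-debuginfo package needs to name the faulting function. The dmesg line is copied from the report; the function name and return keys are this example's own.

```python
import re

# dmesg line copied from bug 1382760 (constructed test input for this example)
SEGFAULT_LINE = (
    "[26281.682140] semodule_link[10834]: segfault at 0 ip 00007f0637b40544 "
    "sp 00007ffea7f02680 error 4 in libsepol.so.1[7f0637b2f000+95000]"
)

_PATTERN = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def decode_segfault(line):
    """Parse an x86 kernel 'segfault at' message into a triage dict.

    The error code is the x86 page-fault error code:
      bit 0: 0 = page not present, 1 = protection violation
      bit 1: 0 = read access,      1 = write access
      bit 2: 0 = kernel mode,      1 = user mode
    The ip offset (ip minus the object's load base) is the file offset to
    hand to addr2line/gdb for the stripped library.
    """
    m = _PATTERN.search(line)
    if m is None:
        raise ValueError("not a kernel segfault line")
    addr = int(m["addr"], 16)
    ip, base, size = (int(m[k], 16) for k in ("ip", "base", "size"))
    err = int(m["err"])
    if not base <= ip < base + size:
        raise ValueError("ip lies outside the reported mapping")
    return {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "fault_addr": addr,
        "null_deref": addr < 4096,  # fault inside the first page: NULL (+small offset)
        "access": "write" if err & 2 else "read",
        "cause": "protection violation" if err & 1 else "page not present",
        "user_mode": bool(err & 4),
        "object": m["obj"],
        "ip_offset": ip - base,     # e.g. addr2line -e libsepol.so.1 -f 0x<offset>
    }
```

For the report's line this yields a user-mode read of address 0 (a NULL dereference) at offset 0x11544 into libsepol.so.1, which matches the later run where ebitmap_set_bit rejects bit 0xffffffff and the error path then corrupts the heap.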