Bug 1787686

Summary: [abrt] rng-tools: g_get_user_database_entry(): rngd killed by SIGSEGV
Product: [Fedora] Fedora Reporter: Matt Fagnani <matt.fagnani>
Component: glib2Assignee: Matthias Clasen <mclasen>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: awilliam, caillon+fedoraproject, chrisf826, gnome-sig, jaromir.capik, jgarzik, jjelen, john.j5live, lewk, mcatanzaro+wrong-account-do-not-cc, mclasen, nhorman, ozeszty+rhbz, rhughes, robatino, rstrode, sandmann, stealthcipher, tiagomatos
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
URL: https://retrace.fedoraproject.org/faf/reports/bthash/f3b8ab72c108a96a8808a06c7fb822d608833b34
Whiteboard: abrt_hash:f7134c6feee83b01ff40423ff45cff7946135ca0;
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-02-03 14:38:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1705305    
Attachments:
Description Flags
File: backtrace
none
File: core_backtrace
none
File: cpuinfo
none
File: dso_list
none
File: environ
none
File: exploitable
none
File: limits
none
File: maps
none
File: mountinfo
none
File: open_fds
none
File: proc_pid_status
none
File: var_log_messages
none
rngd segmentation fault core dump file lz4 compressed none

Description Matt Fagnani 2020-01-04 06:03:13 UTC 
Description of problem:
I ran sudo dnf upgrade --refresh in the rawhide KDE Plasma spin on 2020-1-3. The update included kernel-5.5.0-0.rc4.git1.1.fc32.x86_64, glibc-2.30.9000-28.fc32.x86_64, opensc-0.20.0-1.fc32.x86_64, and other rpms. Three denials of rngd searching /var/lib/sss happened on the next boot https://bugzilla.redhat.com/show_bug.cgi?id=1787661  followed by a denial of rngd reading /etc/passwd https://bugzilla.redhat.com/show_bug.cgi?id=1787663 rngd segmentation faulted right after that. I attached the journal showing the rngd denials and segmentation fault to #1787661. The trace of the rngd segmentation fault indicated errors in frames #17-25 while loading /usr/lib64/opensc-pkcs11.so which is provided by opensc-0.20.0-1.fc32.x86_64. 

(gdb) bt
#0  0x00007f1c44a46d23 in g_get_user_database_entry () at ../glib/gutils.c:692
#1  0x00007f1c44a46e97 in g_build_home_dir () at ../glib/gutils.c:828
#2  0x00007f1c44a47242 in g_build_user_cache_dir () at ../glib/gutils.c:1827
#3  0x00007f1c44a4844b in g_build_user_runtime_dir () at ../glib/gutils.c:1882
#4  g_get_user_runtime_dir () at ../glib/gutils.c:1927
#5  0x00007f1c44c4f13d in get_session_address_xdg () at ../gio/gdbusaddress.c:1334
#6  get_session_address_platform_specific (error=0x7ffeeec43048) at ../gio/gdbusaddress.c:1240
#7  g_dbus_address_get_for_bus_sync
    (bus_type=bus_type@entry=G_BUS_TYPE_SESSION, cancellable=cancellable@entry=0x0, error=error@entry=0x0) at ../gio/gdbusaddress.c:1334
#8  0x00007f1c44c5b506 in get_uninitialized_connection
    (bus_type=bus_type@entry=G_BUS_TYPE_SESSION, cancellable=cancellable@entry=0x0, error=error@entry=0x0) at ../gio/gdbusconnection.c:7225
#9  0x00007f1c44c610ae in g_bus_get_sync
    (bus_type=bus_type@entry=G_BUS_TYPE_SESSION, cancellable=cancellable@entry=0x0, error=error@entry=0x0) at ../gio/gdbusconnection.c:7320
#10 0x00007f1c44c3365e in g_application_impl_register
    (application=application@entry=0x559e3055c090 [GApplication], appid=0x559e3055ce10 "org.opensc.notify", flags=G_APPLICATION_NON_UNIQUE, exported_actions=0x559e305568d0, remote_actions=remote_actions@entry=0x559e3055c038, cancellable=cancellable@entry=0x0, error=0x0) at ../gio/gapplicationimpl-dbus.c:601
#11 0x00007f1c44c3054c in g_application_register
    (error=0x0, cancellable=0x0, application=0x559e3055c090 [GApplication])
    at ../gio/gapplication.c:2187
#12 g_application_register (application=0x559e3055c090 [GApplication], cancellable=0x0, error=0x0)
    at ../gio/gapplication.c:2176
--Type <RET> for more, q to quit, c to continue without paging--c
#13 0x00007f1c44f5a6fd in module_init () at /usr/lib64/opensc-pkcs11.so
#14 0x00007f1c4805826a in call_init (l=<optimized out>, argc=argc@entry=2, argv=argv@entry=0x7ffeeec43ac8, env=env@entry=0x7ffeeec43ae0) at dl-init.c:72
#15 0x00007f1c48058371 in call_init (env=0x7ffeeec43ae0, argv=0x7ffeeec43ac8, argc=2, l=<optimized out>) at dl-init.c:30
#16 _dl_init (main_map=0x559e30544360, argc=2, argv=0x7ffeeec43ac8, env=0x7ffeeec43ae0) at dl-init.c:119
#17 0x00007f1c479233e5 in __GI__dl_catch_exception (exception=exception@entry=0x0, operate=operate@entry=0x7f1c4805b930 <call_dl_init>, args=args@entry=0x7ffeeec43470) at dl-error-skeleton.c:182
#18 0x00007f1c4805c440 in dl_open_worker (a=a@entry=0x7ffeeec43610) at dl-open.c:758
#19 0x00007f1c47923388 in __GI__dl_catch_exception (exception=exception@entry=0x7ffeeec435f0, operate=operate@entry=0x7f1c4805c010 <dl_open_worker>, args=args@entry=0x7ffeeec43610) at dl-error-skeleton.c:208
#20 0x00007f1c4805bc5e in _dl_open (file=0x559e2f33825f "/usr/lib64/opensc-pkcs11.so", mode=-2147483647, caller_dlopen=0x7f1c47ed42c0 <C_LoadModule+80>, nsid=-2, argc=2, argv=<optimized out>, env=0x7ffeeec43ae0) at dl-open.c:837
#21 0x00007f1c477b939c in dlopen_doit (a=a@entry=0x7ffeeec43830) at dlopen.c:66
#22 0x00007f1c47923388 in __GI__dl_catch_exception (exception=exception@entry=0x7ffeeec437d0, operate=operate@entry=0x7f1c477b9340 <dlopen_doit>, args=args@entry=0x7ffeeec43830) at dl-error-skeleton.c:208
#23 0x00007f1c47923453 in __GI__dl_catch_error (objname=objname@entry=0x559e30544340, errstring=errstring@entry=0x559e30544348, mallocedp=mallocedp@entry=0x559e30544338, operate=operate@entry=0x7f1c477b9340 <dlopen_doit>, args=args@entry=0x7ffeeec43830) at dl-error-skeleton.c:227
#24 0x00007f1c477b9b09 in _dlerror_run (operate=operate@entry=0x7f1c477b9340 <dlopen_doit>, args=args@entry=0x7ffeeec43830) at dlerror.c:170
#25 0x00007f1c477b942a in __dlopen (file=file@entry=0x559e2f33825f "/usr/lib64/opensc-pkcs11.so", mode=mode@entry=1) at dlopen.c:87
#26 0x00007f1c47ed42c0 in C_LoadModule (mspec=0x559e2f33825f "/usr/lib64/opensc-pkcs11.so", funcs=funcs@entry=0x559e3052b0d0) at libpkcs11.c:67
#27 0x00007f1c47ed6f16 in pkcs11_CTX_load (ctx=0x559e305442b0, name=<optimized out>) at p11_load.c:77
#28 0x00007f1c47eda63c in PKCS11_CTX_load (ctx=<optimized out>, ident=<optimized out>) at p11_front.c:46
#29 0x0000559e2f336c38 in init_pkcs11_entropy_source (ent_src=0x559e2f33d860 <entropy_sources+576>) at rngd_pkcs11.c:106
#30 0x0000559e2f32e99c in main (argc=<optimized out>, argv=<optimized out>) at rngd.c:794

I downgraded to opensc-0.19.0-8.fc32.x86_64  from koji. No rngs denials or segmentation fault happened on the next boot with opensc-0.19.0-8.fc32.x86_64. A change in opensc-0.20.0-1.fc32.x86_64 might be related to the rngd denials and segmentation fault.
The rngd denials and segmentation faults happened on 7/7 boots with opensc-0.20.0-1.fc32.x86_64.

Version-Release number of selected component:
rng-tools-6.9-1.fc32

Additional info:
reporter:       libreport-2.11.3
backtrace_rating: 4
cgroup:         0::/system.slice/rngd.service
cmdline:        /sbin/rngd -f
crash_function: g_get_user_database_entry
executable:     /usr/sbin/rngd
journald_cursor: s=29bfca92eb7642a18f0e109100134cc2;i=21b157;b=7b6c863a18104dc58b4867fd37d813a0;m=6c7eaa1c;t=59b43a1c7c24d;x=8091bc20104e86f7
kernel:         5.5.0-0.rc4.git1.1.fc32.x86_64
rootdir:        /
runlevel:       N 5
type:           CCpp
uid:            0

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 g_get_user_database_entry at ../glib/gutils.c:692
 #1 g_build_home_dir at ../glib/gutils.c:828
 #2 g_build_user_cache_dir at ../glib/gutils.c:1827
 #3 g_build_user_runtime_dir at ../glib/gutils.c:1882
 #4 g_get_user_runtime_dir at ../glib/gutils.c:1927
 #5 get_session_address_xdg at ../gio/gdbusaddress.c:1334
 #6 get_session_address_platform_specific at ../gio/gdbusaddress.c:1240
 #7 g_dbus_address_get_for_bus_sync at ../gio/gdbusaddress.c:1334
 #8 get_uninitialized_connection at ../gio/gdbusconnection.c:7225
 #9 g_bus_get_sync at ../gio/gdbusconnection.c:7320
Comment 1 Matt Fagnani 2020-01-04 06:03:15 UTC 
Created attachment 1649571 [details]
File: backtrace
Comment 2 Matt Fagnani 2020-01-04 06:03:17 UTC 
Created attachment 1649572 [details]
File: core_backtrace
Comment 3 Matt Fagnani 2020-01-04 06:03:17 UTC 
Created attachment 1649573 [details]
File: cpuinfo
Comment 4 Matt Fagnani 2020-01-04 06:03:18 UTC 
Created attachment 1649574 [details]
File: dso_list
Comment 5 Matt Fagnani 2020-01-04 06:03:19 UTC 
Created attachment 1649575 [details]
File: environ
Comment 6 Matt Fagnani 2020-01-04 06:03:20 UTC 
Created attachment 1649576 [details]
File: exploitable
Comment 7 Matt Fagnani 2020-01-04 06:03:21 UTC 
Created attachment 1649577 [details]
File: limits
Comment 8 Matt Fagnani 2020-01-04 06:03:22 UTC 
Created attachment 1649578 [details]
File: maps
Comment 9 Matt Fagnani 2020-01-04 06:03:23 UTC 
Created attachment 1649579 [details]
File: mountinfo
Comment 10 Matt Fagnani 2020-01-04 06:03:24 UTC 
Created attachment 1649580 [details]
File: open_fds
Comment 11 Matt Fagnani 2020-01-04 06:03:25 UTC 
Created attachment 1649581 [details]
File: proc_pid_status
Comment 12 Matt Fagnani 2020-01-04 06:03:26 UTC 
Created attachment 1649582 [details]
File: var_log_messages
Comment 13 Neil Horman 2020-01-04 14:56:49 UTC 
I think this is something of a duplicate error to the other two bugs you've filed regarding the selinux deinals.

To address the dlopen issue, that appears to be something of a red herring.  Starting at Frame 27, the rngd pcks11 entropy source attempts to init the pkcs11 library, which in frame 26 and 25 calls dlopen on /usr/lib64/opensc-pkcs11.so.  frames 24 and 23 encounter an error in that operation, which we can dig into if you like, but I think thats moot, because it appears to be non-fatal, noting that in frames 22-17 the operation is retried, ending at frame 15, in which the constructor for the opensc library is called (module_init), meaning that the dlopen operation succeded, found the library and initialized it (or started trying to).

The discrepancy appears to be that, opensc has had a major overhaul between version 19.06 and version 20 in rawhide.  Whereas previously opensc only use internal infrastructure to initalize, in version 20 it appears to have adopted use of the glib library to alot of its work, which does alot of extra things under the cover, including opening /var/lib/sss and /etc/passwd.  It would appear that those operations are denied by the rawhide selinux policy for the rngd application tag.  That shouldn't cause an crash in g_get_user_database_entry, but I'm guessing that glib has a bug in which g_get_user_database_entry's call to get_pwnamr (or one of its cousins), doesn't expect a certain return from the call, and attempts to deference memory that isn't there.

I think that the solution here is twofold:
1) The selinux policy should probably be updated to allow context system_u:system_r:rngd_t:s0 to access files of type sss_var_t and system_u:object_r:passwd_file_t so that the avc deinals are not produced (which will avoid the crash)

2) glib needs to be updated to be able to handle those AVC deinals, and whatever information they return from get_pwnam and friends

If you can upload the core file from rngd here, I can take a closer look and pass this over to the glib maintainer for further correction.

In the interim, I think you probably have three workarounds at your disposal:
a) you can downgrade the opensc library as you've done, to avoid the implicit use of glibc in that library, avoiding the issue.  Irritating, but possible

b) you can disable selinux, which will avoid the AVC denial, and prevent whatever error glib is encountering.  Less secure, but also possible

c) you can copy /usr/lib/systemd/system/rngd.service to /etc/systemd/system/rngd.service and edit the file in etc such that the ExecStart line to include this option:
-x pkcs11
doing so will disable the pkcs11 entropy source, and prevent the opensc module from getting loaded, in turn preventing the crash above.  This is likely your best interim solution, as it allows you to keep selinux active and your system more secure.  This also however, assumes that you don't have a pcks11 entropy source available, but most people dont (they're smart card readers that produce a small amount of entropy that can be collected).

Please upload the core file, and I can route this to the appropriate maintainer for rectification.
Comment 14 Matt Fagnani 2020-01-05 00:14:01 UTC 
Created attachment 1649821 [details]
rngd segmentation fault core dump file lz4 compressed

Neil, I'm attaching the rngd core dump file lz4 compressed from the segmentation fault I reported. I found the core dump file using coredumpctl info. I agree that the rngd denials are the reason for the segmentation faults. I have seen and reported about 12 additional rngd denials at https://bugzilla.redhat.com/show_bug.cgi?id=1787661#c3  rngd hasn't crashed since the first 5 of the 14 unique denials were allowed using a local policy module I described there. The rngd segmentation fault trace frames involving /usr/lib64/opensc-pkcs11.so allowed me to identify opensc-0.20.0-1.fc32.x86_64 as being involved in the denials and crashes at least. I can provide more information as needed. Thanks.
Comment 15 Neil Horman 2020-01-05 15:10:28 UTC 
*** Bug 1787766 has been marked as a duplicate of this bug. ***
Comment 16 Ryan 2020-01-05 22:31:55 UTC 
option c worked for me (disable pkcs11) as per #c13
Comment 17 ozeszty 2020-01-05 22:43:42 UTC 
Same issue on F31 with opensc-0.20.0-1.1.fc31, reverting the update helped with rngd's AVC denials and this segmentation fault.
Comment 18 Jakub Jelen 2020-01-06 08:10:02 UTC 
In the new update of OpenSC with rebase, I re-enabled the desktop notification support. It seems that either OpenSC or glib does not handle the restricted environments very well. I will try to investigate what is going on there and disable the notification support (at least in Fedora 31 for now).
Comment 19 Jakub Jelen 2020-01-06 09:50:29 UTC 
Checking the trace and the source code, this is really an issue of glib2 package in Fedora. The frame 2 points here in the source code:

https://gitlab.gnome.org/GNOME/glib/blob/master/glib/gutils.c#L692

And this expression miss any null check when trying to access first element in the pw_name of the pw structure in the expression 

    pw->pw_name[0] = g_ascii_toupper (pw->pw_name[0]);

I will change this bug to glib2 and try to write some patch or at least issue there.
Comment 20 Jakub Jelen 2020-01-06 12:52:19 UTC 
Here is a fix for glib including reproducer for those interested in learning more:

https://gitlab.gnome.org/GNOME/glib/merge_requests/1309
Comment 21 Neil Horman 2020-01-07 11:36:51 UTC 
*** Bug 1788229 has been marked as a duplicate of this bug. ***
Comment 22 Adam Williamson 2020-01-07 15:51:59 UTC 
See https://bugzilla.redhat.com/show_bug.cgi?id=1788229 for blocker rationale - essentially, this prevents rngd starting up on boot, and we require default services to start successfully.
Comment 23 Adam Williamson 2020-01-10 16:50:03 UTC 
Filed https://bugzilla.redhat.com/show_bug.cgi?id=1789902 for the selinux-policy part of this.
Comment 24 Neil Horman 2020-01-10 17:55:21 UTC 
*** Bug 1789157 has been marked as a duplicate of this bug. ***
Comment 25 Jakub Jelen 2020-01-13 08:07:32 UTC 
for the record, I reverted the OpenSC change and dependency on gio (as the notification support is still quite premature) so this should not happen anymore with rawhide. But it does not change that this bug in gio2 should be fixed. Not sure about the selinux ones though.
Comment 26 Michael Catanzaro 2020-02-03 14:38:57 UTC 
This fix should have reached rawhide already (GLib 2.63.4). Thanks Jakub!