Bug 736259

Summary: matchpathcon makes install segfault
Product: [Fedora] Fedora
Reporter: Jim Meyering <meyering>
Component: libselinux
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: dwalsh, jan.kratochvil, mgrepl, rjones
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-09-07 16:35:34 UTC

Description Jim Meyering 2011-09-07 07:59:05 UTC
Description of problem: trivial use of "install" causes segfault

Version-Release number of selected component (if applicable):

  libselinux-2.1.5-2.fc17.x86_64
  coreutils-8.12-7.fc17.x86_64
  kernel-3.1.0-0.rc4.git0.0.fc17.x86_64

How reproducible: every time

Steps to Reproduce:

  1. touch a; env -i /usr/bin/install a b

Actual results:

  zsh: segmentation fault  env -i /usr/bin/install a b

Expected results:

  success (no segfault)

Additional info:

[the "env -i " prefix is just to ensure that none of my MALLOC_DEBUG_
 or MALLOC_PERTURB_ settings (or any other envvar) is causing trouble. ]

gdb shows that it's officially a NULL-deref, but says there's a
"Corrupted DWARF expression", probably discovered in read_sleb128:

    $ env -i gdb -q --args /usr/bin/install a b
    Reading symbols from /usr/bin/install...Reading symbols from /usr/lib/debug/usr/bin/install.debug...done.
    done.
    (gdb) r
    Starting program: /usr/bin/install a b
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib64/libthread_db.so.1".

    Program received signal SIGSEGV, Segmentation fault.
    __strtok_r_1c (__nextp=read_sleb128: Corrupted DWARF expression.
    ) at /usr/include/bits/string2.h:1179
    1179      while (*__s == __sep)
    (gdb) p __s
    $1 = 0x0
    (gdb) bt
    #0  __strtok_r_1c (__nextp=read_sleb128: Corrupted DWARF expression.
    ) at /usr/include/bits/string2.h:1179
    #1  init (rec=0x626930, opts=0x7ffff7fe2718, n=<optimized out>)
        at label_file.c:440
    #2  0x00007ffff7bc4b3d in selabel_open (backend=0, opts=0x7ffff7fe2718,
        nopts=5) at label.c:165
    #3  0x00007ffff7bc3e16 in matchpathcon_init_prefix_internal (path=0x0,
        subset=0x0) at matchpathcon.c:321
    #4  0x00007ffff7bc40a9 in matchpathcon (path=0x7fffffffefbf "b", mode=33261,
        con=0x7fffffffeb98) at matchpathcon.c:406
    #5  0x000000000040452f in setdefaultfilecon (file=0x7fffffffefbf "b")
        at install.c:345
    #6  change_attributes (name=0x7fffffffefbf "b") at install.c:471
    #7  install_file_in_file (from=<optimized out>, to=0x7fffffffefbf "b",
        x=<optimized out>) at install.c:672
    #8  0x0000000000403cd6 in main (argc=<optimized out>, argv=<optimized out>)
        at install.c:978
    (gdb)

So install is just the messenger, since it's calling libselinux's
matchpathcon function, in which all of this is happening.
Given the dwarf corruption, libselinux may be a messenger, too.
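The backtrace above ends in strtok_r reading a NULL string (__s = 0x0, __sep = ';') while init() in label_file.c processes the options passed to selabel_open. The C below is an added example, not libselinux code and not from the reporter: it shows the same parsing pattern (an optional ';'-separated prefix list taken from a (type, value) option array) with the NULL guard that prevents this class of crash. The struct, the OPT_SUBSET id and the function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PREFIXES 16
#define OPT_SUBSET   1            /* hypothetical option type id */

/* Hypothetical (type, value) option record, in the spirit of the opts
 * array that selabel_open() receives in the backtrace. */
struct label_opt {
    int type;
    const char *value;            /* legitimately NULL: "no subset requested" */
};

/* Release the strings produced by parse_prefix_list(). */
void free_prefixes(char *out[], int n)
{
    for (int i = 0; i < n; i++)
        free(out[i]);
}

/* Split a ';'-separated prefix list into out[]. Returns the number of
 * prefixes, 0 for a NULL or empty list, -1 on allocation failure.
 * The NULL check is the point: the crash in the report is strtok_r()
 * dereferencing a NULL string on its very first iteration. */
int parse_prefix_list(const char *subset, char *out[], size_t max)
{
    if (subset == NULL || *subset == '\0')
        return 0;

    char *copy = strdup(subset);  /* strtok_r writes into its input */
    if (copy == NULL)
        return -1;

    int n = 0;
    char *save = NULL;
    for (char *tok = strtok_r(copy, ";", &save);
         tok != NULL && (size_t)n < max;
         tok = strtok_r(NULL, ";", &save)) {
        out[n] = strdup(tok);
        if (out[n] == NULL) {
            free_prefixes(out, n);
            free(copy);
            return -1;
        }
        n++;
    }
    free(copy);
    return n;
}

/* Find the subset option (if any) and parse it. A missing option, or one
 * whose value is NULL, yields zero prefixes rather than a segfault. */
int prefixes_from_opts(const struct label_opt *opts, unsigned nopts,
                       char *out[], size_t max)
{
    const char *subset = NULL;
    for (unsigned i = 0; i < nopts; i++)
        if (opts[i].type == OPT_SUBSET)
            subset = opts[i].value;
    return parse_prefix_list(subset, out, max);
}

int main(void)
{
    /* Constructed options: the subset value is NULL, as in the report. */
    struct label_opt opts[] = { { 0, "unused" }, { OPT_SUBSET, NULL } };
    char *prefixes[MAX_PREFIXES];

    int n = prefixes_from_opts(opts, 2, prefixes, MAX_PREFIXES);
    printf("NULL subset -> %d prefixes (no crash)\n", n);

    n = parse_prefix_list("/usr;/etc;;/var", prefixes, MAX_PREFIXES);
    for (int i = 0; i < n; i++)
        printf("prefix[%d] = %s\n", i, prefixes[i]);
    free_prefixes(prefixes, n);
    return 0;
}
```

strtok_r collapses consecutive separators, so ";;" produces no empty token; the guard on the initial pointer is what matters, because a fresh strtok_r call starts by scanning its first argument and there is nothing inside the library that checks it for NULL.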

Comment 1 Richard W.M. Jones 2011-09-07 08:52:22 UTC
I reproduced this as well on a Fedora Rawhide x86-64
virtual machine.

It did not happen with just glibc and coreutils* updated.

It started to happen once I also updated selinux packages.

$ rpm -qa | grep selinux
libselinux-devel-2.1.5-2.fc17.x86_64
libselinux-2.1.5-2.fc17.x86_64
selinux-policy-3.10.0-24.fc17.noarch
selinux-policy-targeted-3.10.0-24.fc17.noarch
libselinux-utils-2.1.5-2.fc17.x86_64
libselinux-python-2.1.5-2.fc17.x86_64

$ touch a; install a b
Segmentation fault

Comment 2 Richard W.M. Jones 2011-09-07 08:55:05 UTC
Program received signal SIGSEGV, Segmentation fault.
__strtok_r_1c (__nextp=read_sleb128: Corrupted DWARF expression.
) at /usr/include/bits/string2.h:1179
1179	  while (*__s == __sep)
(gdb) bt
#0  __strtok_r_1c (__nextp=read_sleb128: Corrupted DWARF expression.
) at /usr/include/bits/string2.h:1179
#1  init (rec=0x61e040, opts=0x7ffff7fe3718, n=<optimized out>)
    at label_file.c:440
#2  0x00007ffff7bc4b3d in selabel_open (backend=0, opts=0x7ffff7fe3718, 
    nopts=5) at label.c:165
#3  0x00007ffff7bc3e16 in matchpathcon_init_prefix_internal (path=0x0, 
    subset=0x0) at matchpathcon.c:321
#4  0x00007ffff7bc40a9 in matchpathcon (path=0x7fffffffe699 "b", mode=33261, 
    con=0x7fffffffe198) at matchpathcon.c:406
#5  0x000000000040452f in setdefaultfilecon (file=0x7fffffffe699 "b")
    at install.c:345
#6  change_attributes (name=0x7fffffffe699 "b") at install.c:471
#7  install_file_in_file (from=<optimized out>, to=0x7fffffffe699 "b", 
    x=<optimized out>) at install.c:672
#8  0x0000000000403cd6 in main (argc=<optimized out>, argv=<optimized out>)
    at install.c:978
(gdb) print *__s
Cannot access memory at address 0x0
(gdb) print __sep
$1 = 59 ';'

Comment 3 Jan Kratochvil 2011-09-07 09:00:55 UTC
(In reply to comment #0)
> read_sleb128: Corrupted DWARF expression.

This part is a GDB upstream bug in DW_OP_GNU_implicit_pointer implementation,
going to fix it (address size vs. DWARF offset size discrepancy).

Comment 4 Daniel Walsh 2011-09-07 16:35:34 UTC
Fixed in libselinux-2.1.5-3.fc17