Bug 969878

Summary: segfault in virSecuritySELinuxMCSGetProcessRange
Product: [Community] Virtualization Tools
Reporter: James Gilliland <neclimdul>
Component: libvirt
Assignee: Ján Tomko <jtomko>
Status: CLOSED NEXTRELEASE
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: berrange, dallan, dyasny, neclimdul
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-06-11 11:31:04 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Attachments:
simple fix (flags: none)

Description James Gilliland 2013-06-02 21:24:56 UTC
Description of problem:
virSecuritySELinuxMCSGetProcessRange is throwing a segfault on the strdup in the following code:

    if (!(*sens = strdup(context_range_get(ourContext)))) {
        virReportOOMError();
        goto cleanup;
    }

The code above it tests to make sure ourContext is valid, but it seems it's still possible for context_range_get to return null.

Version-Release number of selected component (if applicable):
1.0.5.1

How reproducible:
Always

Steps to Reproduce:
1. 
2.
3.

Actual results:
segfault

Expected results:
graceful failure or start up of vm.

Additional info:
I'm a bit of an SELinux newb, so I'm not sure how to set up things to fail, but this seems like it might be related to a lack of configuration in Gentoo's build. Related bug attached.

Naive patch based on IRC discussion attached.

Comment 1 James Gilliland 2013-06-02 21:25:39 UTC
Created attachment 756100 [details]
simple fix

Comment 2 Daniel Berrangé 2013-06-03 15:27:02 UTC
Can you tell us what SELinux context libvirtd is running as when this occurs? e.g.

   ps -axuZ | grep libvirtd

Then we can add test cases to validate correct handling of your scenario.

Comment 3 James Gilliland 2013-06-03 15:48:46 UTC
So I changed a lot on the system since yesterday including my context type which seems to have been the problem. Currently the context is staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023

My guess is previously it was staff_u:sysadm_r:sysadm_t because the context type was set to strict.

Comment 4 Daniel Berrangé 2013-06-03 15:52:47 UTC
Ok, having a context of 'staff_u:sysadm_r:sysadm_t' could certainly explain why we'd see a NULL range & hence the crash.

Comment 5 Ján Tomko 2013-06-10 15:04:20 UTC
The fix from comment 1 has been rejected upstream:
https://www.redhat.com/archives/libvir-list/2013-June/msg00082.html
I've sent another patch adding 's0' if the range is empty:
https://www.redhat.com/archives/libvir-list/2013-June/msg00438.html

Comment 6 Ján Tomko 2013-06-11 11:31:04 UTC
This is now fixed upstream and will be a part of 1.0.7 release:

commit 0b466db29bea7555f91eaed5e5df2751980e2194
Author:     Ján Tomko <jtomko>
AuthorDate: 2013-06-10 14:37:40 +0200
Commit:     Ján Tomko <jtomko>
CommitDate: 2013-06-11 13:13:43 +0200

    selinux: assume 's0' if the range is empty
    
    This fixes a crash:
    https://bugzilla.redhat.com/show_bug.cgi?id=969878

git describe: v1.0.6-59-g0b466db