RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1241938 - systemd segfaults when selinux is disabled
Summary: systemd segfaults when selinux is disabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: systemd
Version: 7.1
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: rc
: ---
Assignee: systemd-maint
QA Contact: Frantisek Sumsal
URL:
Whiteboard:
: 1242053 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-07-10 13:08 UTC by Darius Clark
Modified: 2015-11-19 15:07 UTC (History)
8 users (show)

Fixed In Version: systemd-219-6.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 15:07:33 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
Core dump (1.49 MB, application/x-core)
2015-07-10 14:19 UTC, Darius Clark 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2092 0 normal SHIPPED_LIVE systemd bug fix and enhancement update 2015-11-19 12:13:57 UTC

Description Darius Clark 2015-07-10 13:08:00 UTC 
Description of problem: 
Upon updating or installing systemd 219 it would segfault

Version-Release number of selected component (if applicable): systemd-219-5.el7.x86_64

How reproducible:


Steps to Reproduce:
1. Update or install systemd 

Actual results:

Message from syslogd@sftlyern-001 at Jul 10 06:36:47 ...
 kernel:systemd[1]: segfault at 0 ip 00007fcc8ad49260 sp 00007ffe6d9e84f0 error 4 in systemd[7fcc8ac94000+146000]

Broadcast message from systemd-journald@sftlyern-001 (Fri 2015-07-10 06:36:47 CDT):

systemd[1]: Caught <SEGV>, dumped core as pid 15221.


Broadcast message from systemd-journald@sftlyern-001 (Fri 2015-07-10 06:36:47 CDT):

systemd[1]: Freezing execution.


Message from syslogd@sftlyern-001 at Jul 10 06:36:47 ...
 systemd:Caught <SEGV>, dumped core as pid 15221.

Message from syslogd@sftlyern-001 at Jul 10 06:36:47 ...
 systemd:Freezing execution.
/var/tmp/rpm-tmp.mv61fh: line 3: 15202 Segmentation fault      systemctl daemon-reexec > /dev/null 2>&1


Additional info:

After installation is complete, systemd would fail to do anything for services (eg start/stop/enable/disable) and upon reboot would render the OS useless unless systemd is rolled back to its previous version.
Comment 2 Michal Sekletar 2015-07-10 14:14:38 UTC 
systemd by default saves core dump to / directory. Please have a look and upload the core file if you find any?
Comment 3 Darius Clark 2015-07-10 14:19:05 UTC 
Created attachment 1050704 [details]
Core dump
Comment 4 Richard W.M. Jones 2015-07-10 14:47:21 UTC 
The stack trace is:

(gdb) t a a bt

Thread 1 (LWP 15221):
#0  0x00007fcc893f58a7 in kill () from /lib64/libc.so.6
#1  0x00007fcc8ad0e6a3 in crash.2985 (sig=11) at src/core/main.c:168
#2  <signal handler called>
#3  0x00007fcc8ad49260 in bus_socket_make_message (
    bus=bus@entry=0x7fcc8c37c780, size=176)
    at src/libsystemd/sd-bus/bus-socket.c:900
#4  0x00007fcc8ad494d8 in bus_socket_read_message (
    bus=bus@entry=0x7fcc8c37c780) at src/libsystemd/sd-bus/bus-socket.c:1014
#5  0x00007fcc8ad4e423 in bus_read_message (bus=bus@entry=0x7fcc8c37c780, 
    hint_priority=hint_priority@entry=false, priority=0)
    at src/libsystemd/sd-bus/sd-bus.c:1624
#6  0x00007fcc8acf0bc2 in dispatch_rqueue (priority=0, m=<synthetic pointer>, 
    hint_priority=false, bus=0x7fcc8c37c780)
    at src/libsystemd/sd-bus/sd-bus.c:1661
#7  process_running (priority=0, ret=0x0, hint_priority=false, 
    bus=0x7fcc8c37c780) at src/libsystemd/sd-bus/sd-bus.c:2519
#8  bus_process_internal (bus=0x7fcc8c37c780, ret=0x0, priority=0, 
    hint_priority=false) at src/libsystemd/sd-bus/sd-bus.c:2714
#9  0x00007fcc8ad36e61 in sd_bus_process (ret=0x0, bus=<optimized out>)
    at src/libsystemd/sd-bus/sd-bus.c:2733
#10 io_callback.50558 (s=<optimized out>, fd=<optimized out>, 
    revents=<optimized out>, userdata=<optimized out>)
    at src/libsystemd/sd-bus/sd-bus.c:2992
#11 0x00007fcc8ad3da40 in source_dispatch (s=s@entry=0x7fcc8c2ffd30)
    at src/libsystemd/sd-event/sd-event.c:2115
#12 0x00007fcc8ad4099a in sd_event_dispatch (e=e@entry=0x7fcc8c2d5ad0)
    at src/libsystemd/sd-event/sd-event.c:2472
#13 0x00007fcc8ad56e1f in sd_event_run (timeout=18446744073709551615, 
    e=0x7fcc8c2d5ad0) at src/libsystemd/sd-event/sd-event.c:2501
#14 manager_loop (m=m@entry=0x7fcc8c2d54c0) at src/core/manager.c:2056
#15 0x00007fcc8acb8499 in main (argc=<optimized out>, argv=<optimized out>)
    at src/core/main.c:1756

There is no crashing dereference at bus-socket.c:900 (frame 3) that I
can see so far ...

Darius, if there are newer core dumps in / could you upload the newest
of those.
Comment 5 Michal Sekletar 2015-07-10 15:07:56 UTC 
I think we already pin-pointed the problem. We didn't see it in test runs because we test on machines where SELinux is enabled. AFAICT, this bug occurs only when SELinux is disabled. Darius can you verify that on the machine where you see bug there is SELinux disabled?
Comment 6 Richard W.M. Jones 2015-07-10 15:11:49 UTC 
OK I see it.  The crash happens in this function call:

900	        r = bus_message_from_malloc(bus,
901	                                    bus->rbuffer, size,
902	                                    bus->fds, bus->n_fds,
903	                                    !bus->bus_client && bus->ucred_valid ? &bus->ucred : NULL,
904	                                    !bus->bus_client && bus->label[0] ? bus->label : NULL,
905	                                    &t);

on line 904 when bus->label[0] is evaluated.  In gdb:

(gdb) print bus->label
$34 = 0x0
(gdb) print bus->label[0]
Cannot access memory at address 0x0

In upstream systemd, the bus->label field was changed from a
char[NAME_MAX] to a char * in this commit:

commit c4e6556c46cea1b7195cfb81c8cfab8342ebd852
Author: Zbigniew Jędrzejewski-Szmek <zbyszek.pl>
Date:   Sat Jun 6 21:24:45 2015 -0400

    sd-bus: store selinux context at connection time
    
    This appears to be the right time to do it for SOCK_STREAM
    unix sockets.
    
    Also: condition bus_get_owner_creds_dbus1 was reversed. Split
    it out to a separate variable for clarity and fix.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1224211
Comment 7 Richard W.M. Jones 2015-07-10 15:15:28 UTC 
I was chatting about this bug to Darius in IRC, and we believe that
SELinux was disabled when the crash happened.
Comment 10 Michal Sekletar 2015-07-10 15:30:20 UTC 
We backported following bugfix,

https://github.com/lnykryn/systemd-rhel/commit/61a6ce79defd59fee00cd2bc28d58f7c3e637ae2
Comment 13 Lukáš Nykrýn 2015-07-11 09:41:25 UTC 
*** Bug 1242053 has been marked as a duplicate of this bug. ***
Comment 14 Branislav Blaškovič 2015-09-02 11:44:46 UTC 
This was fixed with BZ#1230190, so qa_acking..
Comment 16 Frantisek Sumsal 2015-10-08 12:51:15 UTC 
Verified on RHEL-7.2:

# grep SELINUX /etc/selinux/config 
# SELINUX= can take one of these three values:
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
SELINUXTYPE=targeted

# Upgrade to systemd-219-18.el7
# yum upgrade ...
<Completed without errors/segfaults>


Old version for comparison:

# grep SELINUX /etc/selinux/config 
# SELINUX= can take one of these three values:
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
SELINUXTYPE=targeted

# Upgrade to systemd-219-5.el7
# yum upgrade ...
<truncated>
Message from syslogd@xxx at Oct  8 08:24:21 ...
 kernel:systemd[1]: segfault at 0 ip 00007f4477fec260 sp 00007fff8c98c6d0 error 4 in systemd[7f4477f37000
+146000]

Broadcast message from systemd-journald.com (Thu 2015-10-08 08:24:21 EDT):

systemd[1]: Caught <SEGV>, dumped core as pid 1173.


Broadcast message from systemd-journald.com (Thu 2015-10-08 08:24:21 EDT):

systemd[1]: Freezing execution.


Message from syslogd@xxx at Oct  8 08:24:21 ...
 systemd:Caught <SEGV>, dumped core as pid 1173.

Message from syslogd@xxx at Oct  8 08:24:21 ...
 systemd:Freezing execution.
/var/tmp/rpm-tmp.kdW7pk: line 3:  1152 Segmentation fault      systemctl daemon-reexec > /dev/null 2>&1
<truncated>
Comment 17 errata-xmlrpc 2015-11-19 15:07:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2092.html
Note You need to log in before you can comment on or make changes to this bug.