Bug 231522 - [LSPP] cupsd crash
[LSPP] cupsd crash
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: cups (Show other bugs)
5.0
ppc64 Linux
medium Severity urgent
: ---
: ---
Assigned To: Tim Waugh
David Lawrence
:
Depends On:
Blocks: RHEL5LSPPCertTracker
  Show dependency treegraph
 
Reported: 2007-03-08 15:27 EST by Klaus Heinrich Kiwi
Modified: 2007-11-30 17:07 EST (History)
5 users (show)

See Also:
Fixed In Version: RHSA-2007-1020
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-10-31 09:48:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
CUPS Bugs and Features 2288 None None None Never

  None (edit)
Description Klaus Heinrich Kiwi 2007-03-08 15:27:40 EST
Description of problem:
By example:
If a printer instance 'NuclearLauchOrders_printer' is created with the 'Secret'
classification, no-one below this clearance should be able to see it or check
it's name/device

Curently, this is possible. A user in the SystemLow-<something> clearance can
see printers with 'Secret' or higher classification.



Version-Release number of selected component (if applicable):
cups-1.2.4-11.5.el5

How reproducible:
always

Steps to Reproduce:
1. chcon -l SystemHigh /dev/lp0
2. lpadmin -p SystemHighPrinter -E -v /dev/lp0 -m postscript.ppd.gz
3. log in as user_r/SystemLow-<something>
4. lpstat -t
  
Actual results:
user can check printers name

Expected results:
User can't see printer instance name, device, if it's enabled or not etc

Additional info:
Comment 1 Klaus Heinrich Kiwi 2007-03-08 15:43:21 EST
Another interesting (yet frightening) bit:

I have a SystemHigh Printer installed as 'TestPrinter'.

As a SysLow-SysHigh user, I try to print a file which cups naturally denies:
-bash-3.1$ lpr -P FilePrinter Audit_ok.ps
lpr: SELinux prohibits access to the printer

After that, I try to query the printer with lpq:
-bash-3.1$ lpq FilePrinter
FilePrinter is ready


And this is what happens (this is cupsd running from whithin a gdb session):
(gdb) Starting program: /usr/sbin/cupsd -f
[Thread debugging using libthread_db enabled]
[New Thread 4160650000 (LWP 16442)]
cupsd_enqueue_:  denied  { write } for 
scontext=testuser_u:user_r:user_lpr_t:s0-s15:c0.c1023
tcontext=abat_u:object_r:printer_device_t:s15:c0.c1023 tclass=file

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 4160650000 (LWP 16442)]
0x079e6fc4 in strcasecmp () from /lib/libc.so.6
(gdb) #0  0x079e6fc4 in strcasecmp () from /lib/libc.so.6
#1  0x0802ab3c in ?? () from /usr/sbin/cupsd
#2  0x08032dec in ?? () from /usr/sbin/cupsd
#3  0x08016cc4 in ?? () from /usr/sbin/cupsd
#4  0x080237ac in ?? () from /usr/sbin/cupsd
#5  0x0797dc0c in generic_start_main () from /lib/libc.so.6
#6  0x0797de34 in __libc_start_main () from /lib/libc.so.6
#7  0x00000000 in ?? ()
(gdb)  

Is there separate debugging symbols packages somewhere?
Comment 2 Matt Anderson 2007-03-08 18:45:27 EST
There isn't anything secret about the printer name.

Printing to files isn't supported, but cupsd should never crash.  I see you
FileDevice printer is SystemHigh and your user is SystemLow-SystemHigh.  Do you
know what is going on when cups SIGSEGVs?  Can you supply the last dozen or so
lines of error_log with LogLevel set to debug2.
Comment 3 Tim Waugh 2007-03-09 04:16:33 EST
Klaus: please install the cups-debuginfo package corresponding to the same
version and release as the cups package (cups-debuginfo-1.2.4-11.5.el5).

Changing bug summary in response to comment #2.
Comment 4 Klaus Heinrich Kiwi 2007-03-09 08:57:21 EST
(In reply to comment #2)
> There isn't anything secret about the printer name.

According to Klaus W., "It's a violation of the MLS data flow rules", but it can
be addressed by stating in the EGC that no sensible information should be used
as printer names.

I don't like changing things this late in the game either


> Printing to files isn't supported, but cupsd should never crash.  I see you
> FileDevice printer is SystemHigh and your user is SystemLow-SystemHigh.  Do you
> know what is going on when cups SIGSEGVs?  Can you supply the last dozen or so
> lines of error_log with LogLevel set to debug2.

The odd thing about this is that:
 * it only occurs after a successful printing
 * it only occurs after I try to get info via 'lpq something'. No errors seen
when issuing 'lpq -P printer' (which is actually the correct syntax for querying
a specific printer:

-bash-3.1$ lpr -P FilePrinter Audit_ok.ps
lpr: SELinux prohibits access to the printer
-bash-3.1$ lpq -P FilePrinter
FilePrinter is ready
no entries
-bash-3.1$ lpq something
FilePrinter is ready
lpq: Unknown
-bash-3.1$



The log you requested:

I [09/Mar/2007:05:29:56 -0600] cupsdAcceptClient: peer's pid=17289, uid=504,
gid=504, auid=504
I [09/Mar/2007:05:29:56 -0600] cupsdAcceptClient: client
context=testuser_u:user_r:user_lpr_t:SystemLow-SystemHigh
D [09/Mar/2007:05:29:56 -0600] cupsdAcceptClient: 6 from localhost (Domain)
D [09/Mar/2007:05:29:56 -0600] cupsdReadClient: 6 POST / HTTP/1.1
D [09/Mar/2007:05:29:56 -0600] cupsdAuthorize: No authentication data provided.
D [09/Mar/2007:05:29:56 -0600] CUPS-Get-Printers
D [09/Mar/2007:05:29:56 -0600] cupsdProcessIPPRequest: 6 status_code=0
(successful-ok)
D [09/Mar/2007:05:29:56 -0600] cupsdReadClient: 6 POST / HTTP/1.1
D [09/Mar/2007:05:29:56 -0600] cupsdAuthorize: No authentication data provided.
D [09/Mar/2007:05:29:56 -0600] CUPS-Get-Classes
D [09/Mar/2007:05:29:56 -0600] cupsdProcessIPPRequest: 6 status_code=0
(successful-ok)
D [09/Mar/2007:05:29:56 -0600] cupsdReadClient: 6 POST / HTTP/1.1
D [09/Mar/2007:05:29:56 -0600] cupsdAuthorize: No authentication data provided.
D [09/Mar/2007:05:29:56 -0600] CUPS-Get-Default
D [09/Mar/2007:05:29:56 -0600] CUPS-Get-Default client-error-not-found: No
default printer
D [09/Mar/2007:05:29:56 -0600] cupsdProcessIPPRequest: 6 status_code=406
(client-error-not-found)
D [09/Mar/2007:05:29:56 -0600] cupsdReadClient: 6 POST / HTTP/1.1
D [09/Mar/2007:05:29:56 -0600] cupsdAuthorize: No authentication data provided.
D [09/Mar/2007:05:29:56 -0600] Get-Printer-Attributes
ipp://localhost/printers/FilePrinter
D [09/Mar/2007:05:29:56 -0600] cupsdProcessIPPRequest: 6 status_code=0
(successful-ok)
D [09/Mar/2007:05:29:56 -0600] cupsdReadClient: 6 POST / HTTP/1.1
D [09/Mar/2007:05:29:56 -0600] cupsdAuthorize: No authentication data provided.
D [09/Mar/2007:05:29:56 -0600] Get-Jobs ipp://localhost/printers/FilePrinter
D [09/Mar/2007:05:29:56 -0600] get_jobs: client context
testuser_u:user_r:user_lpr_t:SystemLow-SystemHigh
Comment 5 Klaus Heinrich Kiwi 2007-03-09 08:59:01 EST
(In reply to comment #3)
> Klaus: please install the cups-debuginfo package corresponding to the same
> version and release as the cups package (cups-debuginfo-1.2.4-11.5.el5).

Couldn't find this package anywhere...

> Changing bug summary in response to comment #2.
> 

Comment 6 Tim Waugh 2007-03-09 09:12:32 EST
(In reply to comment #5)
> Couldn't find this package anywhere...

What architecture are you using?  comment #1 seems to indicate that it is a
32-bit platform, so perhaps it is x86?
Comment 7 Klaus Heinrich Kiwi 2007-03-09 10:47:55 EST
(In reply to comment #6)
> (In reply to comment #5)
> > Couldn't find this package anywhere...
> 
> What architecture are you using?  comment #1 seems to indicate that it is a
> 32-bit platform, so perhaps it is x86?

This specific box is a ppc64 LPAR, but I can set-up a x86_64 in 20mins if needed.
Comment 8 Tim Waugh 2007-03-09 11:06:58 EST
Klaus, here is the ppc64 package:

http://cyberelk.net/tim/tmp/cups-debuginfo-1.2.4-11.5.el5.ppc64.rpm
Comment 9 George C. Wilson 2007-03-12 16:36:06 EDT
Klaus, please run with the referenced package and post results.
Comment 10 Klaus Heinrich Kiwi 2007-03-12 17:48:55 EDT
Sorry about my lack of gdb knowledge, but can anyone point me to how to use the
debuginfo packages?

I was trying something like this: 
run_init gdb -d /usr/src/debug/cups-1.2.4
--symbols=/usr/lib/debug/usr/sbin/cupsd.debug cupsd
Comment 11 Matt Anderson 2007-03-12 17:56:39 EDT
I'm not sure if this is possible in enforcing mode, but what I would try is to
run_init /etc/init.d/cups restart
then use `ps ax | grep [c]upsd` to get the pid, then you can start gdb like
above and use "attach <pid>" to attach it to the running cupsd.

Once you've done that repeat your test and gdb should give you some backtrace
information about what went wrong where.
Comment 12 Tim Waugh 2007-03-13 05:21:48 EDT
Just start gdb like:

  gdb /usr/sbin/cupsd <pid>

where $pid is the PID from 'ps ax'.  It automatically finds the debuginfo stuff;
nothing you have to do.
Comment 13 Klaus Heinrich Kiwi 2007-03-13 08:21:07 EDT
[root/abat_r/SystemLow@zaphod ~]# gdb /usr/sbin/cupsd
GNU gdb Red Hat Linux (6.5-16.el5rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "ppc64-redhat-linux-gnu"...
warning: the debug information found in "/usr/lib/debug//usr/sbin/cupsd.debug"
does not match "/usr/sbin/cupsd" (CRC mismatch).

(no debugging symbols found)
Using host libthread_db library "/lib64/libthread_db.so.1".

(gdb) attach 27924
Attaching to program: /usr/sbin/cupsd, process 27924
warning: process 27924 is a cloned process
../../gdb/linux-nat.c:1069: internal-error: linux_nat_attach: Assertion `pid ==
GET_PID (inferior_ptid) && WIFSTOPPED (status)' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Quit this debugging session? (y or n) n

../../gdb/linux-nat.c:1069: internal-error: linux_nat_attach: Assertion `pid ==
GET_PID (inferior_ptid) && WIFSTOPPED (status)' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Create a core file of GDB? (y or n) y
(gdb) 
Comment 14 Klaus Heinrich Kiwi 2007-03-13 08:26:11 EDT
Using another method, I could check that the error is in fact with a strcasecmp:

(gdb) Continuing.
cupsd_enqueue_:  denied  { write } for 
scontext=testuser_u:user_r:user_lpr_t:s0-s15:c0.c1023
tcontext=abat_u:object_r:printer_device_t:s15:c0.c1023 tclass=file

Program received signal SIGSEGV, Segmentation fault.
0x079e6fc4 in *__GI___strcasecmp (s1=0xfc4803ec "FilePrinter", s2=0x0) at
strcasecmp.c:65
65      strcasecmp.c: No such file or directory.
        in strcasecmp.c
(gdb) #0  0x079e6fc4 in *__GI___strcasecmp (s1=0xfc4803ec "FilePrinter", s2=0x0)
at strcasecmp.c:65
#1  0x0802ab3c in ?? () from /usr/sbin/cupsd
#2  0x08032dec in ?? () from /usr/sbin/cupsd
#3  0x08016cc4 in ?? () from /usr/sbin/cupsd
#4  0x080237ac in ?? () from /usr/sbin/cupsd
#5  0x0797dc0c in generic_start_main (main=0x8023030, argc=2, ubp_av=0xfc48fb54,
auxvec=0xfc48fbb8, init=<value optimized out>,
    fini=<value optimized out>, rtld_fini=<value optimized out>,
stack_end=<value optimized out>) at ../csu/libc-start.c:231
#6  0x0797de34 in __libc_start_main (argc=2, ubp_av=0xfc48fb54, ubp_ev=<value
optimized out>, auxvec=0xfc48fbb8,
    rtld_fini=0xf7fbeb40 <_dl_fini>, stinfo=0x8070538, stack_on_entry=0xfc48fb40)
    at ../sysdeps/unix/sysv/linux/powerpc/libc-start.c:127
#7  0x00000000 in ?? ()
Comment 15 Tim Waugh 2007-03-13 08:44:41 EDT
This:

warning: the debug information found in "/usr/lib/debug//usr/sbin/cupsd.debug"
does not match "/usr/sbin/cupsd" (CRC mismatch).

is preventing us from seeing a useful stack trace.

What does this say?:

rpm -q cups cups-debuginfo
Comment 16 Klaus Heinrich Kiwi 2007-03-13 09:03:20 EDT
[root/abat_r/SystemLow@zaphod misc_test]# rpm -q cups cups-debuginfo
cups-1.2.4-11.5.el5
cups-debuginfo-1.2.4-11.5.el5
[root/abat_r/SystemLow@zaphod misc_test]# file `which cupsd`
/usr/sbin/cupsd: ELF 32-bit MSB shared object, PowerPC or cisco 4500, version 1
(SYSV), for GNU/Linux 2.6.9, stripped
[root/abat_r/SystemLow@zaphod misc_test]# file /usr/lib/debug/usr/sbin/cupsd.debug
/usr/lib/debug/usr/sbin/cupsd.debug: ELF 64-bit MSB shared object, cisco 7500,
version 1 (SYSV), not stripped
[root/abat_r/SystemLow@zaphod misc_test]#  

Comment 17 Tim Waugh 2007-03-13 09:15:44 EDT
Ah, I see. :-)

Please uninstall the cups-debuginfo package you have (rpm -e cups-debuginfo) and
install this one instead:

http://cyberelk.net/tim/tmp/cups-debuginfo-1.2.4-11.5.el5.ppc.rpm

Sorry for the mix-up.
Comment 18 Klaus Heinrich Kiwi 2007-03-13 10:07:17 EDT
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 4160650000 (LWP 27991)]
0x079e6fc4 in *__GI___strcasecmp (s1=0xf83903ec "FilePrinter", s2=0x0) at
strcasecmp.c:65
65      strcasecmp.c: No such file or directory.
        in strcasecmp.c
(gdb) #0  0x079e6fc4 in *__GI___strcasecmp (s1=0xf83903ec "FilePrinter", s2=0x0)
at strcasecmp.c:65
#1  0x0802ab3c in get_jobs (con=0x80b1e50, uri=<value optimized out>) at ipp.c:5862
#2  0x08032dec in cupsdProcessIPPRequest (con=0x80b1e50) at ipp.c:494
#3  0x28004484 in ?? ()
#4  0x08016cc4 in cupsdReadClient (con=0x80b1e50) at client.c:2020
#5  0x44004488 in ?? ()
#6  0x080237ac in main (argc=<value optimized out>, argv=<value optimized out>)
at main.c:938
#7  0x22000422 in ?? ()
#8  0x0797dc0c in generic_start_main (main=0x8023030 <main>, argc=2,
ubp_av=0xf839fb54, auxvec=0xf839fbb8,
    init=<value optimized out>, fini=<value optimized out>, rtld_fini=<value
optimized out>, stack_end=<value optimized out>)
    at ../csu/libc-start.c:231
#9  0x0797de34 in __libc_start_main (argc=2, ubp_av=0xf839fb54, ubp_ev=<value
optimized out>, auxvec=0xf839fbb8,
    rtld_fini=0xf7fbeb40 <_dl_fini>, stinfo=0x8070538, stack_on_entry=0xf839fb40)
    at ../sysdeps/unix/sysv/linux/powerpc/libc-start.c:127
#10 0x00000000 in ?? ()
(gdb) #1  0x0802ab3c in get_jobs (con=0x80b1e50, uri=<value optimized out>) at
ipp.c:5862
5862    ipp.c: No such file or directory.
        in ipp.c
(gdb) $1 = (cupsd_client_t *) 0x80b1e50
(gdb) $2 = <value optimized out>
(gdb)  

--- "scheduler/ipp.c" line 5862 of 9717 ---
    if (username[0] && strcasecmp(username, job->username))
------------------

job->username = NULL here
Comment 19 Tim Waugh 2007-03-13 10:30:27 EDT
Okay, problem understood.  Thanks for your help in tracking it down.

Reported upstream as STR #2288 with patch.
Comment 24 Tim Waugh 2007-07-20 11:28:19 EDT
During testing a related problem has arisen.

mra@hp.com: what did you intend to occur in this code snippet if
context_range_get() returns NULL?:

            clirange = strdup(context_range_get(clicon));
            if ((cliclearance = strtok(clirange, "-")) != NULL)
            {
              if (context_range_set(tmpcon, cliclearance) == -1)
              {
                cupsdSendError(con, HTTP_SERVER_ERROR);
                free(clirange);
                context_free(tmpcon);
                context_free(clicon);
                return (cupsdCloseClient(con));
              }
            }
            else
            {
              if (context_range_set(tmpcon, (context_range_get(clicon))) == -1)
              {
                cupsdSendError(con, HTTP_SERVER_ERROR);
                free(clirange);
                context_free(tmpcon);
                context_free(clicon);
                return (cupsdCloseClient(con));
              }
            }
            free(clirange);

Should the context_set_range() call be skipped, or should we fail altogether?
Comment 25 Matt Anderson 2007-07-20 11:50:04 EDT
The point of this code is to remove the upper portion of a range, so that the
files created are all at the lower bound of the range.  If the range string is
blank then there is no need to strip off the upper bound and the call to
context_set_range() can safely be skipped.
Comment 30 errata-xmlrpc 2007-10-31 09:48:58 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-1020.html

Note You need to log in before you can comment on or make changes to this bug.