Bug 249038 - string_to_security_class segfaults
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: libselinux
Version: rawhide
Hardware: x86_64 Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance

Reported: 2007-07-20 10:23 EDT by Harald Hoyer
Modified: 2008-01-21 10:44 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-21 10:44:42 EST

Attachments
fix bug in string_to_security_class (596 bytes, patch)
2007-07-23 10:18 EDT, Stephen Smalley

Description Harald Hoyer 2007-07-20 10:23:34 EDT
$ rpm -qf /lib/libselinux.so.1 
libselinux-2.0.24-2.fc8

$ sudo su -
Segmentation fault

$ sudo strace -f su -
....
open("/selinux/class/passwd/perms/crontab", O_RDONLY) = 4
read(4, "5", 19)                        = 1
close(4)                                = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---

$ sudo gdb su
(gdb) run -
Starting program: /bin/su -
..
Program received signal SIGSEGV, Segmentation fault.
string_to_security_class (s=0x2aaaabca42c6 "passwd") at stringrep.c:264
264                     node->perms[value-1] = strdup(dentry->d_name);
(gdb) bt
#0  string_to_security_class (s=0x2aaaabca42c6 "passwd") at stringrep.c:264
#1  0x00002aaaabc99ba0 in *selinux_check_passwd_access_internal (requested=8) at
checkAccess.c:20
#2  0x00002aaaaba4c6ca in pam_sm_authenticate () from /lib64/security/pam_rootok.so
Comment 1 Daniel Walsh 2007-07-20 15:50:47 EDT
What is the context of the logged in user?

id -Z

I am not able to reproduce here.
Comment 2 Stephen Smalley 2007-07-20 16:32:13 EDT
kernel version?
Comment 3 Stephen Smalley 2007-07-23 09:38:48 EDT
and architecture.

Also, print value and *dentry.
Comment 4 Harald Hoyer 2007-07-23 09:57:17 EDT
$ id -Z
system_u:system_r:unconfined_t:s0

$ uname -a
Linux slash 2.6.23-0.35.rc0.git6.fc8 #1 SMP Thu Jul 19 17:21:21 EDT 2007 x86_64
x86_64 x86_64 GNU/Linux

Comment 5 Harald Hoyer 2007-07-23 09:57:34 EDT
Program received signal SIGSEGV, Segmentation fault.
string_to_security_class (s=0x2aaaafb122c6 "passwd") at stringrep.c:264
264                     node->perms[value-1] = strdup(dentry->d_name);
(gdb) list
259                             goto err4;
260
261                     if (sscanf(buf, "%u", (unsigned int *)&value) != 1)
262                             goto err4;
263
264                     node->perms[value-1] = strdup(dentry->d_name);
265                     if (node->perms[value-1] == NULL)
266                             goto err4;
267
268                     dentry = readdir(dir);
(gdb) info locals
value = 140733193388037
m = {st_dev = 14, st_ino = 67109859, st_nlink = 1, st_mode = 33060, st_uid = 0,
st_gid = 0, pad0 = 0, st_rdev = 0, st_size = 0, st_blksize = 4096, st_blocks =
0, st_atim = {
    tv_sec = 1185205760, tv_nsec = 847574726}, st_mtim = {tv_sec = 1185205760,
tv_nsec = 847574726}, st_ctim = {tv_sec = 1185205760, tv_nsec = 847574726},
__unused = {0, 0, 0}}
node = (struct discover_class_node *) 0x6108a0
(gdb) up
#1  0x00002aaaafb07ba0 in *selinux_check_passwd_access_internal (requested=8) at
checkAccess.c:20
20                      passwd_class = string_to_security_class("passwd");
(gdb) list
15              if (getprevcon_raw(&user_context) == 0) {
16                      security_class_t passwd_class;
17                      struct av_decision avd;
18                      int retval;
19
20                      passwd_class = string_to_security_class("passwd");
21                      if (passwd_class == 0)
22                              return 0;
23
24                      retval = security_compute_av_raw(user_context,
(gdb) info locals
passwd_class = <value optimized out>
avd = {allowed = 0, decided = 0, auditallow = 0, auditdeny = 0, seqno = 1}
retval = <value optimized out>
status = <value optimized out>
user_context = <value optimized out>
Comment 6 Stephen Smalley 2007-07-23 10:18:13 EDT
Created attachment 159785
fix bug in string_to_security_class
Comment 7 Daniel Walsh 2007-07-23 10:23:59 EDT
Fixed in libselinux-2.0.24-3
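
The locals in comment 5 show value = 140733193388037, which is 0x7FFF00000005: the "5" read from the perms file in the low 32 bits, with other bytes above it, consistent with the `(unsigned int *)&value` cast at line 261 filling only part of a 64-bit variable. The following is an added example, not code from libselinux and not the attached patch; `parse_mismatched`, `store_perm` and `PERM_SLOTS` are hypothetical names, and it contrasts that pattern with a parse that is range-checked before the value is used as an index.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PERM_SLOTS 32u /* assumed table size, not taken from the page */

/* Pattern at stringrep.c:261 in the listing: "%u" stores 32 bits, so the
 * rest of a 64-bit variable keeps its old contents. `stale` stands in for
 * uninitialized stack bytes (constructed). Result shown is little-endian. */
uint64_t parse_mismatched(const char *buf, uint64_t stale)
{
    uint64_t value = stale;
    if (sscanf(buf, "%u", (unsigned int *)&value) != 1)
        return 0;
    return value;
}

/* Hardened form: strict decimal parse, then a range check before the value
 * is used as an index. Returns 0 on success, -1 on bad input. */
int store_perm(char *perms[PERM_SLOTS], const char *buf, const char *name)
{
    char *end;
    unsigned long v;
    if (!isdigit((unsigned char)buf[0])) /* no sign, no leading blanks */
        return -1;
    errno = 0;
    v = strtoul(buf, &end, 10);
    if (errno == ERANGE || (*end != '\0' && *end != '\n'))
        return -1;
    if (v < 1 || v > PERM_SLOTS || perms[v - 1] != NULL)
        return -1; /* out of range, or slot already filled */
    if ((perms[v - 1] = malloc(strlen(name) + 1)) == NULL)
        return -1;
    strcpy(perms[v - 1], name);
    return 0;
}

int main(void)
{
    char *perms[PERM_SLOTS] = { 0 };
    uint64_t bad = parse_mismatched("5", 0x7FFF00000000ULL); /* constructed */
    int ok = store_perm(perms, "5", "crontab");
    printf("mismatched=%llu ok=%d rejected=%d\n", (unsigned long long)bad, ok,
           store_perm(perms, "140733193388037", "crontab"));
    free(perms[4]);
    return 0;
}
```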
