Bug 249038 - string_to_security_class segfaults
Summary: string_to_security_class segfaults
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: libselinux
Version: rawhide
Hardware: x86_64
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-07-20 14:23 UTC by Harald Hoyer
Modified: 2008-01-21 15:44 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-21 15:44:42 UTC
Type: ---
Embargoed:


Attachments
fix bug in string_to_security_class (596 bytes, patch)
2007-07-23 14:18 UTC, Stephen Smalley

Description Harald Hoyer 2007-07-20 14:23:34 UTC
$ rpm -qf /lib/libselinux.so.1 
libselinux-2.0.24-2.fc8

$ sudo su -
Segmentation fault

$ sudo strace -f su -
....
open("/selinux/class/passwd/perms/crontab", O_RDONLY) = 4
read(4, "5", 19)                        = 1
close(4)                                = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---

$ sudo gdb su
(gdb) run -
Starting program: /bin/su -
..
Program received signal SIGSEGV, Segmentation fault.
string_to_security_class (s=0x2aaaabca42c6 "passwd") at stringrep.c:264
264                     node->perms[value-1] = strdup(dentry->d_name);
(gdb) bt
#0  string_to_security_class (s=0x2aaaabca42c6 "passwd") at stringrep.c:264
#1  0x00002aaaabc99ba0 in *selinux_check_passwd_access_internal (requested=8) at
checkAccess.c:20
#2  0x00002aaaaba4c6ca in pam_sm_authenticate () from /lib64/security/pam_rootok.so

Comment 1 Daniel Walsh 2007-07-20 19:50:47 UTC
What is the context of the logged in user?

id -Z

I am not able to reproduce here.

Comment 2 Stephen Smalley 2007-07-20 20:32:13 UTC
kernel version?


Comment 3 Stephen Smalley 2007-07-23 13:38:48 UTC
and architecture.

Also, print value and *dentry.


Comment 4 Harald Hoyer 2007-07-23 13:57:17 UTC
$ id -Z
system_u:system_r:unconfined_t:s0

$ uname -a
Linux slash 2.6.23-0.35.rc0.git6.fc8 #1 SMP Thu Jul 19 17:21:21 EDT 2007 x86_64
x86_64 x86_64 GNU/Linux



Comment 5 Harald Hoyer 2007-07-23 13:57:34 UTC
Program received signal SIGSEGV, Segmentation fault.
string_to_security_class (s=0x2aaaafb122c6 "passwd") at stringrep.c:264
264                     node->perms[value-1] = strdup(dentry->d_name);
(gdb) list
259                             goto err4;
260
261                     if (sscanf(buf, "%u", (unsigned int *)&value) != 1)
262                             goto err4;
263
264                     node->perms[value-1] = strdup(dentry->d_name);
265                     if (node->perms[value-1] == NULL)
266                             goto err4;
267
268                     dentry = readdir(dir);
(gdb) info locals
value = 140733193388037
m = {st_dev = 14, st_ino = 67109859, st_nlink = 1, st_mode = 33060, st_uid = 0,
st_gid = 0, pad0 = 0, st_rdev = 0, st_size = 0, st_blksize = 4096, st_blocks =
0, st_atim = {
    tv_sec = 1185205760, tv_nsec = 847574726}, st_mtim = {tv_sec = 1185205760,
tv_nsec = 847574726}, st_ctim = {tv_sec = 1185205760, tv_nsec = 847574726},
__unused = {0, 0, 0}}
node = (struct discover_class_node *) 0x6108a0
(gdb) up
#1  0x00002aaaafb07ba0 in *selinux_check_passwd_access_internal (requested=8) at
checkAccess.c:20
20                      passwd_class = string_to_security_class("passwd");
(gdb) list
15              if (getprevcon_raw(&user_context) == 0) {
16                      security_class_t passwd_class;
17                      struct av_decision avd;
18                      int retval;
19
20                      passwd_class = string_to_security_class("passwd");
21                      if (passwd_class == 0)
22                              return 0;
23
24                      retval = security_compute_av_raw(user_context,
(gdb) info locals
passwd_class = <value optimized out>
avd = {allowed = 0, decided = 0, auditallow = 0, auditdeny = 0, seqno = 1}
retval = <value optimized out>
status = <value optimized out>
user_context = <value optimized out>


Comment 6 Stephen Smalley 2007-07-23 14:18:13 UTC
Created attachment 159785
fix bug in string_to_security_class

Comment 7 Daniel Walsh 2007-07-23 14:23:59 UTC
Fixed in libselinux-2.0.24-3
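
The gdb session in comment 5 shows `value = 140733193388037`, which is 0x7FFF00000005: the low 32 bits hold the `5` read from the perms file and the upper 32 bits are whatever the stack slot held, because `%u` stores only an `unsigned int` through the cast pointer. The C below is an added example, not libselinux code and not the attached patch; it reproduces that pattern beside a checked parse, assuming a 64-bit `value`, a little-endian target and a 32-entry `perms[]` (`MAX_PERMS`, `parse_buggy` and `parse_checked` are hypothetical names).

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: perms[] has one slot per access-vector bit (32). */
#define MAX_PERMS 32

/* The pattern at stringrep.c:261. "%u" writes 4 bytes into an 8-byte
 * variable; `stale` stands in for what the stack slot held before.
 * Deliberately wrong: kept to show the failure. */
static int parse_buggy(const char *buf, uint64_t stale, uint64_t *out)
{
    uint64_t value = stale;
    if (sscanf(buf, "%u", (unsigned int *)&value) != 1)
        return -1;
    *out = value;               /* upper 32 bits are still those of `stale` */
    return 0;
}

/* Checked form: parse at full width, reject trailing junk, and refuse
 * anything that cannot index perms[value - 1]. */
static int parse_checked(const char *buf, uint64_t *out)
{
    char *end;
    unsigned long long v;

    errno = 0;
    v = strtoull(buf, &end, 10);
    if (errno != 0 || end == buf || (*end != '\0' && *end != '\n'))
        return -1;
    if (v < 1 || v > MAX_PERMS)
        return -1;
    *out = (uint64_t)v;
    return 0;
}

int main(void)
{
    uint64_t v = 0;
    /* Constructed input: "5" as read from the perms file in the strace,
     * and a constructed stale stack value with 0x7FFF in the top half. */
    parse_buggy("5", 0x7FFFDEADBEEFULL, &v);
    printf("buggy:   %llu\n", (unsigned long long)v);
    if (parse_checked("5", &v) == 0)
        printf("checked: %llu\n", (unsigned long long)v);
    return 0;
}
```

The range check matters independently of the width fix: the value comes from a file, and it is used directly as an array index.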

