Description of problem:

Patch krb5-1.6.1-selinux-label.patch introduces a bogus malloc() call, preventing mget with a wildcard from successfully downloading files and setting the SELinux labels. The kerberos ftp client receives a SIGABRT when it tries to free a pointer holding too big a content in some cases; I believe this is due to the size we try to allocate via malloc. In fact, we are currently requesting the length of string A + length of string B + 1 for, I believe, '/', although we use sprintf() to store them under the format "%s/%s", forgetting that sprintf will try to add \0 and it will be up to us to have allocated the memory for it; this makes the buffer the pointer refers to too short. Adding 1 byte in the allocated length solves the problem.

--
150 Opening BINARY mode data connection for texinfo-4.8-14.el5.x86_64.rpm (780928 bytes).
*** glibc detected *** ftp: free(): invalid next size (fast): 0x000055556d7b0240 ***
======= Backtrace: =========
/lib64/libc.so.6[0x2aaaac6b2444]
/lib64/libc.so.6(cfree+0x8c)[0x2aaaac6b5a6c]
/usr/lib64/libkrb5support.so.0[0x2aaaab9d5d37]
/usr/lib64/libkrb5support.so.0(krb5int_labeled_fopen+0x34)[0x2aaaab9d6064]
ftp[0x555555563a88]
ftp[0x55555555ec6a]
ftp(main+0x453)[0x555555566ef3]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x2aaaac6608a4]
ftp[0x55555555a0c9]
--

The free that always fails is:

-- src/util/support/selinux.c
static security_context_t
push_fscreatecon(const char *pathname, mode_t mode)
[...]
    if (is_selinux_enabled()) {
        if (getfscreatecon(&previous) == 0) {
            char *genpath;
            genpath = NULL;
            [...]
            if (pathname[0] != '/') {
                [...]
                len = strlen(wd) + strlen(pathname) + 1;
                genpath = malloc(len);
                [...]
                sprintf(genpath, "%s/%s", wd, pathname);
                [...]
            if (matchpathcon(fullpath, mode, &next) != 0) {
                free(genpath);
                if (previous) {
                    freecon(previous);
                }
                return NULL;
            }
>>>>>>      free(genpath);
-- src/util/support/selinux.c

The backtrace:

--
#0  0x00002aaaac673045 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00002aaaac674ae0 in *__GI_abort () at abort.c:88
#2  0x00002aaaac6ab1bb in __libc_message (do_abort=2, fmt=0x2aaaac75de48 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3  0x00002aaaac6b2444 in _int_free (av=0x2aaaac98e960, mem=<value optimized out>) at malloc.c:5758
#4  0x00002aaaac6b5a6c in *__GI___libc_free (mem=0x6) at malloc.c:3541
#5  0x00002aaaab9d5d37 in push_fscreatecon (pathname=0x5555557713e0 "texinfo-4.8-14.el5.x86_64.rpm", mode=0) at selinux.c:108
#6  0x00002aaaab9d6064 in krb5int_labeled_fopen (path=0x5555557713e0 "texinfo-4.8-14.el5.x86_64.rpm", mode=0x555555568cf3 "w") at selinux.c:164
#7  0x0000555555563a88 in recvrequest (cmd=0x555555568cec "RETR", local=0x5555557713e0 "texinfo-4.8-14.el5.x86_64.rpm", remote=0x5555557713e0 "texinfo-4.8-14.el5.x86_64.rpm", lmode=0x555555568cf3 "w", printnames=<value optimized out>, fnameonly=1) at ftp.c:1248
--

Version-Release number of selected component (if applicable):
krb5 1.6.1-17

How reproducible:
Often, not always.

Steps to Reproduce (one way to reproduce):
1. loop mount an iso image of RHEL5 in /var/ftp/mnt/
2. access locally with /usr/kerberos/bin/ftp localhost
3. ftp> cd mnt/Server
4. ftp> bin
5. ftp> prompt
6. ftp> mget tex*

Actual results:
SIGABRT received.

--
ftp> mget tex*
local: texi2html-1.76-4.fc6.noarch.rpm remote: texi2html-1.76-4.fc6.noarch.rpm
227 Entering Passive Mode (,)
150 Opening BINARY mode data connection for texi2html-1.76-4.fc6.noarch.rpm (337923 bytes).
226 File send OK.
337923 bytes received in 0.039 seconds (8.6e+03 Kbytes/s)
local: texinfo-4.8-14.el5.x86_64.rpm remote: texinfo-4.8-14.el5.x86_64.rpm
227 Entering Passive Mode (,)
150 Opening BINARY mode data connection for texinfo-4.8-14.el5.x86_64.rpm (780928 bytes).
*** glibc detected *** ftp: free(): invalid next size (fast): 0x000055556d7b0240 ***
======= Backtrace: =========
/lib64/libc.so.6[0x2aaaac6b2444]
/lib64/libc.so.6(cfree+0x8c)[0x2aaaac6b5a6c]
/usr/lib64/libkrb5support.so.0[0x2aaaab9d5d37]
/usr/lib64/libkrb5support.so.0(krb5int_labeled_fopen+0x34)[0x2aaaab9d6064]
ftp[0x555555563a88]
ftp[0x55555555ec6a]
ftp(main+0x453)[0x555555566ef3]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x2aaaac6608a4]
ftp[0x55555555a0c9]
======= Memory map: ========
....
2aaaAborted (core dumped)
--

Expected results:
mget retrieves all files successfully and sets labels.

Additional info:
Uploading proposed patch. Nalin, let me know if you need more details... (core, logs)

Thanks,
Jose
Created attachment 289881 [details] Patch fixing the problem.
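The sizing error described in the report, reproduced as an added example rather than krb5 code: the original length formula reserves room for the '/' but not for the terminating NUL that sprintf writes, so the heap chunk is overrun by one byte and glibc aborts on the later free(). The corrected join reserves both bytes and uses snprintf with a truncation check; the working directory and file name are constructed sample values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes the original patch allocated for "<wd>/<pathname>":
 * strlen(A) + strlen(B) + 1 covers the '/' only. */
size_t buggy_len(const char *wd, const char *pathname)
{
    return strlen(wd) + strlen(pathname) + 1;
}

/* Bytes sprintf(genpath, "%s/%s", wd, pathname) actually writes:
 * both strings, the '/', and the terminating NUL. */
size_t needed_len(const char *wd, const char *pathname)
{
    return strlen(wd) + 1 + strlen(pathname) + 1;
}

/* How many bytes past the end of the buggy allocation sprintf writes. */
size_t shortfall(const char *wd, const char *pathname)
{
    return needed_len(wd, pathname) - buggy_len(wd, pathname);
}

/* Corrected join (illustrative, not the krb5 fix itself): size the
 * buffer for '/' and NUL, and bound the write with snprintf so a future
 * miscount becomes a detectable error instead of a heap overrun.
 * Returns a malloc'd string the caller frees, or NULL on failure. */
char *join_path(const char *wd, const char *pathname)
{
    size_t len = needed_len(wd, pathname);
    char *genpath = malloc(len);
    if (genpath == NULL)
        return NULL;
    int n = snprintf(genpath, len, "%s/%s", wd, pathname);
    if (n < 0 || (size_t)n >= len) {   /* truncated: sizing bug */
        free(genpath);
        return NULL;
    }
    return genpath;
}

int main(void)
{
    const char *wd = "/var/ftp/mnt/Server";            /* constructed */
    const char *file = "texinfo-4.8-14.el5.x86_64.rpm";  /* from the report */
    char *p = join_path(wd, file);
    printf("%s\nneeded %zu bytes, original patch allocated %zu (short by %zu)\n",
           p ? p : "(alloc failed)", needed_len(wd, file), buggy_len(wd, file),
           shortfall(wd, file));
    free(p);
    return 0;
}
```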
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Patch looks right, and there are a couple of error-case leaks of context names that should be fixed in there, too.
Verified krb5-1.6.1-25.el5.src.rpm works as expected now. Thanks for the fix. We will simply wait for the official package release before closing this. This event sent from IssueTracker by pernzer issue 141307
*** Bug 441695 has been marked as a duplicate of this bug. ***
*** Bug 442314 has been marked as a duplicate of this bug. ***
*** Bug 432462 has been marked as a duplicate of this bug. ***
Could you look at the patch attached to Bug 432462? It fixes a possible memory leak.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0381.html