Bug 426085 - kerberos ftp receives sigabort on mget since krb5-1.6.1-selinux-label.patch
kerberos ftp receives sigabort on mget since krb5-1.6.1-selinux-label.patch
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: krb5 (Show other bugs)
5.2
All Linux
high Severity medium
: rc
: ---
Assigned To: Nalin Dahyabhai
Brian Brock
:
: 432462 441695 442314 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-12-18 06:39 EST by Jose Plans
Modified: 2010-10-22 17:14 EDT (History)
5 users (show)

See Also:
Fixed In Version: RHBA-2008-0381
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-21 11:28:27 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
Patch fixing the problem. (461 bytes, patch)
2007-12-18 06:40 EST, Jose Plans
no flags Details | Diff

  None (edit)
Description Jose Plans 2007-12-18 06:39:22 EST
Description of problem:

Patch krb5-1.6.1-selinux-label.patch introduces a bogus malloc() call preventing
mget with a wildcard to successfully download and set the SELinux labels.
The kerberos ftp client receives a SIGABORT when it tries to free a pointer
holding a too big content in some cases, I believe this is due to the size we
try to allocate via malloc. In fact, we are currently requesting the length of
string A + length of string B + 1 for, I believe, '/', although, we use
sprintf() to store them under the format: "%s/%s" forgetting that sprintf
will try to add \0 and it will be up to us to have allocated the memory for it;
this makes the pointer to contain that string too short?

Adding 1 byte in the allocated length solves the problem.

--
150 Opening BINARY mode data connection for texinfo-4.8-14.el5.x86_64.rpm
(780928 bytes).
*** glibc detected *** ftp: free(): invalid next size (fast): 0x000055556d7b0240 ***
======= Backtrace: =========
/lib64/libc.so.6[0x2aaaac6b2444]
/lib64/libc.so.6(cfree 0x8c)[0x2aaaac6b5a6c]
/usr/lib64/libkrb5support.so.0[0x2aaaab9d5d37]
/usr/lib64/libkrb5support.so.0(krb5int_labeled_fopen 0x34)[0x2aaaab9d6064]
ftp[0x555555563a88]
ftp[0x55555555ec6a]
ftp(main 0x453)[0x555555566ef3]
/lib64/libc.so.6(__libc_start_main 0xf4)[0x2aaaac6608a4]
ftp[0x55555555a0c9]
--

The free that always fail is :

--src/util/support/selinux.c
static security_context_t
push_fscreatecon(const char *pathname, mode_t mode)
[...]
        if (is_selinux_enabled()) {
                if (getfscreatecon(&previous) == 0) {
                        char *genpath;
                        genpath = NULL;
[...]
                        if (pathname[0] != '/') {
[...]
                                len = strlen(wd) + strlen(pathname) + 1;
                                genpath = malloc(len);
[...]
                                sprintf(genpath, "%s/%s", wd, pathname);
[...]
                        if (matchpathcon(fullpath, mode, &next) != 0) {
                                free(genpath);
                                if (previous) {
                                        freecon(previous);
                                }
                                return NULL;
                        }
>>>>>>                  free(genpath);
--src/util/support/selinux.c

The backtrace:
--
#0  0x00002aaaac673045 in *__GI_raise (sig=<value optimized out>) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00002aaaac674ae0 in *__GI_abort () at abort.c:88
#2  0x00002aaaac6ab1bb in __libc_message (do_abort=2, fmt=0x2aaaac75de48 "***
glibc detected *** %s: %s: 0x%s ***\n")
   at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3  0x00002aaaac6b2444 in _int_free (av=0x2aaaac98e960, mem=<value optimized
out>) at malloc.c:5758
#4  0x00002aaaac6b5a6c in *__GI___libc_free (mem=0x6) at malloc.c:3541
#5  0x00002aaaab9d5d37 in push_fscreatecon (pathname=0x5555557713e0
"texinfo-4.8-14.el5.x86_64.rpm", mode=0)
   at selinux.c:108  
#6  0x00002aaaab9d6064 in krb5int_labeled_fopen (path=0x5555557713e0
"texinfo-4.8-14.el5.x86_64.rpm",
   mode=0x555555568cf3 "w") at selinux.c:164
#7  0x0000555555563a88 in recvrequest (cmd=0x555555568cec "RETR",
local=0x5555557713e0 "texinfo-4.8-14.el5.x86_64.rpm",
   remote=0x5555557713e0 "texinfo-4.8-14.el5.x86_64.rpm", lmode=0x555555568cf3
"w", printnames=<value optimized out>,
   fnameonly=1) at ftp.c:1248
--

Version-Release number of selected component (if applicable):
krb5 1.6.1-17

How reproducible:
Often, not always.

Steps to Reproduce: (one way to reproduce)
1. loop mount an iso image of RHEL5 in /var/ftp/mnt/
2. access locally with /usr/kerberos/bin/ftp localhost
2. ftp> cd mnt/Server
3  ftp> bin
4. ftp> prompt
5. ftp> mget tex*
  
Actual results:

sigabort received.
--
ftp> mget tex*
local: texi2html-1.76-4.fc6.noarch.rpm remote: texi2html-1.76-4.fc6.noarch.rpm
227 Entering Passive Mode (,)
150 Opening BINARY mode data connection for texi2html-1.76-4.fc6.noarch.rpm
(337923 bytes).
226 File send OK.
337923 bytes received in 0.039 seconds (8.6e 03 Kbytes/s)
local: texinfo-4.8-14.el5.x86_64.rpm remote: texinfo-4.8-14.el5.x86_64.rpm
227 Entering Passive Mode (,)
150 Opening BINARY mode data connection for texinfo-4.8-14.el5.x86_64.rpm
(780928 bytes).
*** glibc detected *** ftp: free(): invalid next size (fast): 0x000055556d7b0240 ***
======= Backtrace: =========
/lib64/libc.so.6[0x2aaaac6b2444]
/lib64/libc.so.6(cfree 0x8c)[0x2aaaac6b5a6c]
/usr/lib64/libkrb5support.so.0[0x2aaaab9d5d37]
/usr/lib64/libkrb5support.so.0(krb5int_labeled_fopen 0x34)[0x2aaaab9d6064]
ftp[0x555555563a88]
ftp[0x55555555ec6a]
ftp(main 0x453)[0x555555566ef3]
/lib64/libc.so.6(__libc_start_main 0xf4)[0x2aaaac6608a4]
ftp[0x55555555a0c9]
======= Memory map: ========
....
2aaaAborted (core dumped)

Expected results:
mget retrieves successfully all files and sets labels.

Additional info:
Uploading proposed patch.
Nalin, let me know if you need more details... (core,logs)
Thanks,

      Jose
Comment 1 Jose Plans 2007-12-18 06:40:44 EST
Created attachment 289881 [details]
Patch fixing the problem.
Comment 3 RHEL Product and Program Management 2007-12-18 06:44:54 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 5 Nalin Dahyabhai 2007-12-18 13:17:54 EST
Patch looks right, and there are a couple of error-case leaks of context names
that should be fixed in there, too.
Comment 8 Issue Tracker 2008-04-03 16:22:49 EDT
verified krb5-1.6.1-25.el5.src.rpm

works as expected now.

Thanks for the fix. We will simply wait for the official package release
before closing this.


This event sent from IssueTracker by pernzer 
 issue 141307
Comment 9 Nalin Dahyabhai 2008-04-09 15:14:00 EDT
*** Bug 441695 has been marked as a duplicate of this bug. ***
Comment 10 Nalin Dahyabhai 2008-04-15 11:24:42 EDT
*** Bug 442314 has been marked as a duplicate of this bug. ***
Comment 11 Nalin Dahyabhai 2008-04-15 13:23:35 EDT
*** Bug 432462 has been marked as a duplicate of this bug. ***
Comment 12 Masatake YAMATO 2008-04-15 21:57:21 EDT
Could you see the patch attached to Bug 432462 ?
It fixes the possibility of memory leaking.
Comment 14 errata-xmlrpc 2008-05-21 11:28:27 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0381.html

Note You need to log in before you can comment on or make changes to this bug.