Bug 736259 - matchpathcon makes install segfault
Summary: matchpathcon makes install segfault
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: libselinux
Version: rawhide
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-09-07 07:59 UTC by Jim Meyering
Modified: 2013-03-13 20:41 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2011-09-07 16:35:34 UTC
Type: ---
Embargoed:



Description Jim Meyering 2011-09-07 07:59:05 UTC
Description of problem: trivial use of "install" causes segfault

Version-Release number of selected component (if applicable):

  libselinux-2.1.5-2.fc17.x86_64
  coreutils-8.12-7.fc17.x86_64
  kernel-3.1.0-0.rc4.git0.0.fc17.x86_64

How reproducible: every time

Steps to Reproduce:

  1. touch a; env -i /usr/bin/install a b

Actual results:

  zsh: segmentation fault  env -i /usr/bin/install a b

Expected results:

  success (no segfault)

Additional info:

[the "env -i " prefix is just to ensure that none of my MALLOC_DEBUG_
 or MALLOC_PERTURB_ settings (or any other envvar) is causing trouble. ]

gdb shows that it's officially a NULL-deref, but says there's a
"Corrupted DWARF expression", probably discovered in read_sleb128:

    $ env -i gdb -q --args /usr/bin/install a b
    Reading symbols from /usr/bin/install...Reading symbols from /usr/lib/debug/usr/bin/install.debug...done.
    done.
    (gdb) r
    Starting program: /usr/bin/install a b
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib64/libthread_db.so.1".

    Program received signal SIGSEGV, Segmentation fault.
    __strtok_r_1c (__nextp=read_sleb128: Corrupted DWARF expression.
    ) at /usr/include/bits/string2.h:1179
    1179      while (*__s == __sep)
    (gdb) p __s
    $1 = 0x0
    (gdb) bt
    #0  __strtok_r_1c (__nextp=read_sleb128: Corrupted DWARF expression.
    ) at /usr/include/bits/string2.h:1179
    #1  init (rec=0x626930, opts=0x7ffff7fe2718, n=<optimized out>)
        at label_file.c:440
    #2  0x00007ffff7bc4b3d in selabel_open (backend=0, opts=0x7ffff7fe2718,
        nopts=5) at label.c:165
    #3  0x00007ffff7bc3e16 in matchpathcon_init_prefix_internal (path=0x0,
        subset=0x0) at matchpathcon.c:321
    #4  0x00007ffff7bc40a9 in matchpathcon (path=0x7fffffffefbf "b", mode=33261,
        con=0x7fffffffeb98) at matchpathcon.c:406
    #5  0x000000000040452f in setdefaultfilecon (file=0x7fffffffefbf "b")
        at install.c:345
    #6  change_attributes (name=0x7fffffffefbf "b") at install.c:471
    #7  install_file_in_file (from=<optimized out>, to=0x7fffffffefbf "b",
        x=<optimized out>) at install.c:672
    #8  0x0000000000403cd6 in main (argc=<optimized out>, argv=<optimized out>)
        at install.c:978
    (gdb)

So install is just the messenger, since it's calling libselinux's
matchpathcon function, in which all of this is happening.
Given the dwarf corruption, libselinux may be a messenger, too.
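The backtrace above shows strtok_r() in label_file.c's init() being handed a NULL string with ';' as the separator, which is the classic failure mode of tokenising an option value that was never set. The following is an added illustration, not libselinux's code or its eventual fix: a ';'-list splitter with the guard that the crash shows missing, so an unset (NULL) option is reported instead of dereferenced. The function, struct and size limits are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* declares strdup() and strtok_r() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed limits for the example; not libselinux's values. */
#define MAX_ENTRIES 8
#define MAX_ENTRY_LEN 64

struct entry_list {
    size_t count;
    char entries[MAX_ENTRIES][MAX_ENTRY_LEN];
};

/*
 * Tokenise a ';'-separated option value (gdb shows __sep == ';' in the
 * crash) with the check the backtrace shows missing: strtok_r() reads
 * through its first argument immediately, so a NULL value must be rejected
 * before tokenising rather than treated as an empty list.
 * Returns 0 on success, -1 if value is NULL, -2 on allocation failure.
 * An empty string is valid and yields zero entries.
 */
int split_list(const char *value, struct entry_list *list)
{
    list->count = 0;
    if (value == NULL)
        return -1;                 /* unset option: refuse, do not dereference */

    /* strtok_r() writes NUL bytes into its buffer, so work on a private copy. */
    char *copy = strdup(value);
    if (copy == NULL)
        return -2;

    char *save = NULL;
    for (char *tok = strtok_r(copy, ";", &save);
         tok != NULL && list->count < MAX_ENTRIES;
         tok = strtok_r(NULL, ";", &save)) {
        snprintf(list->entries[list->count], MAX_ENTRY_LEN, "%s", tok);
        list->count++;
    }
    free(copy);
    return 0;
}

/* Stand-alone demo: the unset case that would otherwise crash, then a normal list. */
int main(void)
{
    struct entry_list list;
    const char *unset = NULL;                    /* constructed: option never supplied */
    printf("unset value -> %d\n", split_list(unset, &list));
    if (split_list("base;local", &list) == 0)    /* constructed sample value */
        for (size_t i = 0; i < list.count; i++)
            printf("entry %zu: %s\n", i, list.entries[i]);
    return 0;
}
```

The point of the -1 return is that "no value" and "empty value" are different conditions: the first is a caller or configuration error worth surfacing, the second is simply a list with nothing in it. Running the tokeniser only after that distinction is made turns the NULL-deref into a reportable error.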

Comment 1 Richard W.M. Jones 2011-09-07 08:52:22 UTC
I reproduced this as well on a Fedora Rawhide x86-64
virtual machine.

It did not happen with just glibc and coreutils* updated.

It started to happen once I also updated selinux packages.

$ rpm -qa | grep selinux
libselinux-devel-2.1.5-2.fc17.x86_64
libselinux-2.1.5-2.fc17.x86_64
selinux-policy-3.10.0-24.fc17.noarch
selinux-policy-targeted-3.10.0-24.fc17.noarch
libselinux-utils-2.1.5-2.fc17.x86_64
libselinux-python-2.1.5-2.fc17.x86_64

$ touch a; install a b
Segmentation fault

Comment 2 Richard W.M. Jones 2011-09-07 08:55:05 UTC
Program received signal SIGSEGV, Segmentation fault.
__strtok_r_1c (__nextp=read_sleb128: Corrupted DWARF expression.
) at /usr/include/bits/string2.h:1179
1179	  while (*__s == __sep)
(gdb) bt
#0  __strtok_r_1c (__nextp=read_sleb128: Corrupted DWARF expression.
) at /usr/include/bits/string2.h:1179
#1  init (rec=0x61e040, opts=0x7ffff7fe3718, n=<optimized out>)
    at label_file.c:440
#2  0x00007ffff7bc4b3d in selabel_open (backend=0, opts=0x7ffff7fe3718, 
    nopts=5) at label.c:165
#3  0x00007ffff7bc3e16 in matchpathcon_init_prefix_internal (path=0x0, 
    subset=0x0) at matchpathcon.c:321
#4  0x00007ffff7bc40a9 in matchpathcon (path=0x7fffffffe699 "b", mode=33261, 
    con=0x7fffffffe198) at matchpathcon.c:406
#5  0x000000000040452f in setdefaultfilecon (file=0x7fffffffe699 "b")
    at install.c:345
#6  change_attributes (name=0x7fffffffe699 "b") at install.c:471
#7  install_file_in_file (from=<optimized out>, to=0x7fffffffe699 "b", 
    x=<optimized out>) at install.c:672
#8  0x0000000000403cd6 in main (argc=<optimized out>, argv=<optimized out>)
    at install.c:978
(gdb) print *__s
Cannot access memory at address 0x0
(gdb) print __sep
$1 = 59 ';'

Comment 3 Jan Kratochvil 2011-09-07 09:00:55 UTC
(In reply to comment #0)
> read_sleb128: Corrupted DWARF expression.

This part is a GDB upstream bug in DW_OP_GNU_implicit_pointer implementation,
going to fix it (address size vs. DWARF offset size discrepancy).

Comment 4 Daniel Walsh 2011-09-07 16:35:34 UTC
Fixed in libselinux-2.1.5-3.fc17

