Bug 736259 - matchpathcon makes install segfault
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: libselinux
Version: rawhide
Platform: x86_64 Linux
Priority: unspecified
Severity: unspecified
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-09-07 03:59 EDT by Jim Meyering
Modified: 2013-03-13 16:41 EDT
Doc Type: Bug Fix
Last Closed: 2011-09-07 12:35:34 EDT

Attachments: None
Description Jim Meyering 2011-09-07 03:59:05 EDT
Description of problem: trivial use of "install" causes segfault

Version-Release number of selected component (if applicable):

  libselinux-2.1.5-2.fc17.x86_64
  coreutils-8.12-7.fc17.x86_64
  kernel-3.1.0-0.rc4.git0.0.fc17.x86_64

How reproducible: every time

Steps to Reproduce:

  1. touch a; env -i /usr/bin/install a b

Actual results:

  zsh: segmentation fault  env -i /usr/bin/install a b

Expected results:

  success (no segfault)

Additional info:

[the "env -i " prefix is just to ensure that none of my MALLOC_DEBUG_
 or MALLOC_PERTURB_ settings (or any other envvar) is causing trouble. ]

gdb shows that it's officially a NULL-deref, but says there's a
"Corrupted DWARF expression", probably discovered in read_sleb128:

    $ env -i gdb -q --args /usr/bin/install a b
    Reading symbols from /usr/bin/install...Reading symbols from /usr/lib/debug/usr/bin/install.debug...done.
    done.
    (gdb) r
    Starting program: /usr/bin/install a b
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib64/libthread_db.so.1".

    Program received signal SIGSEGV, Segmentation fault.
    __strtok_r_1c (__nextp=read_sleb128: Corrupted DWARF expression.
    ) at /usr/include/bits/string2.h:1179
    1179      while (*__s == __sep)
    (gdb) p __s
    $1 = 0x0
    (gdb) bt
    #0  __strtok_r_1c (__nextp=read_sleb128: Corrupted DWARF expression.
    ) at /usr/include/bits/string2.h:1179
    #1  init (rec=0x626930, opts=0x7ffff7fe2718, n=<optimized out>)
        at label_file.c:440
    #2  0x00007ffff7bc4b3d in selabel_open (backend=0, opts=0x7ffff7fe2718,
        nopts=5) at label.c:165
    #3  0x00007ffff7bc3e16 in matchpathcon_init_prefix_internal (path=0x0,
        subset=0x0) at matchpathcon.c:321
    #4  0x00007ffff7bc40a9 in matchpathcon (path=0x7fffffffefbf "b", mode=33261,
        con=0x7fffffffeb98) at matchpathcon.c:406
    #5  0x000000000040452f in setdefaultfilecon (file=0x7fffffffefbf "b")
        at install.c:345
    #6  change_attributes (name=0x7fffffffefbf "b") at install.c:471
    #7  install_file_in_file (from=<optimized out>, to=0x7fffffffefbf "b",
        x=<optimized out>) at install.c:672
    #8  0x0000000000403cd6 in main (argc=<optimized out>, argv=<optimized out>)
        at install.c:978
    (gdb)

So install is just the messenger, since it's calling libselinux's
matchpathcon function, in which all of this is happening.
Given the dwarf corruption, libselinux may be a messenger, too.
Comment 1 Richard W.M. Jones 2011-09-07 04:52:22 EDT
I reproduced this as well on a Fedora Rawhide x86-64
virtual machine.

It did not happen with just glibc and coreutils* updated.

It started to happen once I also updated selinux packages.

$ rpm -qa | grep selinux
libselinux-devel-2.1.5-2.fc17.x86_64
libselinux-2.1.5-2.fc17.x86_64
selinux-policy-3.10.0-24.fc17.noarch
selinux-policy-targeted-3.10.0-24.fc17.noarch
libselinux-utils-2.1.5-2.fc17.x86_64
libselinux-python-2.1.5-2.fc17.x86_64

$ touch a; install a b
Segmentation fault
Comment 2 Richard W.M. Jones 2011-09-07 04:55:05 EDT
Program received signal SIGSEGV, Segmentation fault.
__strtok_r_1c (__nextp=read_sleb128: Corrupted DWARF expression.
) at /usr/include/bits/string2.h:1179
1179	  while (*__s == __sep)
(gdb) bt
#0  __strtok_r_1c (__nextp=read_sleb128: Corrupted DWARF expression.
) at /usr/include/bits/string2.h:1179
#1  init (rec=0x61e040, opts=0x7ffff7fe3718, n=<optimized out>)
    at label_file.c:440
#2  0x00007ffff7bc4b3d in selabel_open (backend=0, opts=0x7ffff7fe3718, 
    nopts=5) at label.c:165
#3  0x00007ffff7bc3e16 in matchpathcon_init_prefix_internal (path=0x0, 
    subset=0x0) at matchpathcon.c:321
#4  0x00007ffff7bc40a9 in matchpathcon (path=0x7fffffffe699 "b", mode=33261, 
    con=0x7fffffffe198) at matchpathcon.c:406
#5  0x000000000040452f in setdefaultfilecon (file=0x7fffffffe699 "b")
    at install.c:345
#6  change_attributes (name=0x7fffffffe699 "b") at install.c:471
#7  install_file_in_file (from=<optimized out>, to=0x7fffffffe699 "b", 
    x=<optimized out>) at install.c:672
#8  0x0000000000403cd6 in main (argc=<optimized out>, argv=<optimized out>)
    at install.c:978
(gdb) print *__s
Cannot access memory at address 0x0
(gdb) print __sep
$1 = 59 ';'
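The faulting frame in both backtraces is strtok_r called with a NULL string (`__s == 0x0`) and `';'` as the separator. The following is an added example, not code from libselinux or coreutils: a hypothetical helper that models that pattern, with the unchecked variant reproducing the NULL dereference when the option was never supplied and the checked variant treating a missing option as an empty list and reporting overflow. It assumes a ';'-separated option string of the kind init() in label_file.c appears to be splitting; the function names and sample values are constructed.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <string.h>

/* Hypothetical model of the crash pattern (not libselinux code): an option
 * string is split on ';' with strtok_r, the call that faulted with
 * __s == 0x0 and __sep == ';' in the backtraces above. */

/* Unchecked variant: forwards opt straight to strtok_r. When the option was
 * never supplied (opt == NULL) strtok_r reads through the NULL pointer,
 * which is the SIGSEGV reported here. Only safe with a non-NULL string. */
size_t split_opts_unchecked(char *opt, char **out, size_t max_out)
{
    size_t n = 0;
    char *save = NULL;

    for (char *tok = strtok_r(opt, ";", &save);
         tok != NULL && n < max_out;
         tok = strtok_r(NULL, ";", &save))
        out[n++] = tok;
    return n;
}

/* Hardened variant: an absent option yields an empty list instead of a
 * crash, and the caller is told (return -1) when tokens did not fit rather
 * than having them dropped silently. Returns 0 on success; *count holds
 * the number of tokens stored. strtok_r modifies opt in place. */
int split_opts_checked(char *opt, char **out, size_t max_out, size_t *count)
{
    *count = 0;
    if (opt == NULL || out == NULL)
        return 0;                  /* nothing to split: not an error */

    char *save = NULL;
    for (char *tok = strtok_r(opt, ";", &save);
         tok != NULL;
         tok = strtok_r(NULL, ";", &save)) {
        if (*count == max_out)
            return -1;             /* out of room: report, do not truncate */
        out[(*count)++] = tok;
    }
    return 0;
}
```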
Comment 3 Jan Kratochvil 2011-09-07 05:00:55 EDT
(In reply to comment #0)
> read_sleb128: Corrupted DWARF expression.

This part is a GDB upstream bug in DW_OP_GNU_implicit_pointer implementation,
going to fix it (address size vs. DWARF offset size discrepancy).
Comment 4 Daniel Walsh 2011-09-07 12:35:34 EDT
Fixed in libselinux-2.1.5-3.fc17