Bug 969878 - segfault in virSecuritySELinuxMCSGetProcessRange
Summary: segfault in virSecuritySELinuxMCSGetProcessRange
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Ján Tomko
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-06-02 21:24 UTC by James Gilliland
Modified: 2013-06-11 11:31 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-06-11 11:31:04 UTC
Embargoed:


Attachments:
simple fix (1010 bytes, patch)
2013-06-02 21:25 UTC, James Gilliland


Links:
Gentoo bug 443630

Description James Gilliland 2013-06-02 21:24:56 UTC
Description of problem:
virSecuritySELinuxMCSGetProcessRange is throwing a segfault on the strdup in the following code:

    /* context_range_get() returns NULL when the context has no MLS/MCS
     * range, and strdup(NULL) dereferences the null pointer */
    if (!(*sens = strdup(context_range_get(ourContext)))) {
        virReportOOMError();
        goto cleanup;
    }

The code above it tests to make sure ourContext is valid, but it seems it's still possible for context_range_get to return NULL.

Version-Release number of selected component (if applicable):
1.0.5.1

How reproducible:
Always

Steps to Reproduce:
1. 
2.
3.

Actual results:
segfault

Expected results:
Graceful failure, or start-up of the VM.

Additional info:
I'm a bit of an SELinux newb, so I'm not sure how to set things up to fail, but this seems like it might be related to a lack of configuration in Gentoo's build. Related bug attached.

Naive patch based on IRC discussion attached.

Comment 1 James Gilliland 2013-06-02 21:25:39 UTC
Created attachment 756100 [details]
simple fix

Comment 2 Daniel Berrangé 2013-06-03 15:27:02 UTC
Can you tell us what SELinux context libvirtd is running as when this occurs, e.g.

   ps -axuZ | grep libvirtd

Then we can add a test case to validate correct handling of your scenario.

Comment 3 James Gilliland 2013-06-03 15:48:46 UTC
So I changed a lot on the system since yesterday, including my context type, which seems to have been the problem. Currently the context is staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023

My guess is previously it was staff_u:sysadm_r:sysadm_t because the context type was set to strict.

Comment 4 Daniel Berrangé 2013-06-03 15:52:47 UTC
OK, having a context of 'staff_u:sysadm_r:sysadm_t' could certainly explain why we'd see a NULL range and hence the crash.

Comment 5 Ján Tomko 2013-06-10 15:04:20 UTC
The fix from comment 1 has been rejected upstream:
https://www.redhat.com/archives/libvir-list/2013-June/msg00082.html
I've sent another patch adding 's0' if the range is empty:
https://www.redhat.com/archives/libvir-list/2013-June/msg00438.html

Comment 6 Ján Tomko 2013-06-11 11:31:04 UTC
This is now fixed upstream and will be part of the 1.0.7 release:

commit 0b466db29bea7555f91eaed5e5df2751980e2194
Author:     Ján Tomko <jtomko>
AuthorDate: 2013-06-10 14:37:40 +0200
Commit:     Ján Tomko <jtomko>
CommitDate: 2013-06-11 13:13:43 +0200

    selinux: assume 's0' if the range is empty
    
    This fixes a crash:
    https://bugzilla.redhat.com/show_bug.cgi?id=969878

git describe: v1.0.6-59-g0b466db

