1787686 – [abrt] rng-tools: g_get_user_database_entry(): rngd killed by SIGSEGV

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1787686 - [abrt] rng-tools: g_get_user_database_entry(): rngd killed by SIGSEGV

Summary: [abrt] rng-tools: g_get_user_database_entry(): rngd killed by SIGSEGV

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	glib2
Sub Component:
Version:	rawhide
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Matthias Clasen
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:	https://retrace.fedoraproject.org/faf...
Whiteboard:	abrt_hash:f7134c6feee83b01ff40423ff45...
Duplicates (2):	1788229 1789157 (view as bug list)
Depends On:
Blocks:	F32FinalBlocker
TreeView+	depends on / blocked

Reported:	2020-01-04 06:03 UTC by Matt Fagnani
Modified:	2020-02-03 14:38 UTC (History)
CC List:	19 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-02-03 14:38:57 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
File: backtrace (44.90 KB, text/plain) 2020-01-04 06:03 UTC, Matt Fagnani	no flags	Details
File: core_backtrace (16.16 KB, text/plain) 2020-01-04 06:03 UTC, Matt Fagnani	no flags	Details
File: cpuinfo (2.26 KB, text/plain) 2020-01-04 06:03 UTC, Matt Fagnani	no flags	Details
File: dso_list (4.51 KB, text/plain) 2020-01-04 06:03 UTC, Matt Fagnani	no flags	Details
File: environ (142 bytes, text/plain) 2020-01-04 06:03 UTC, Matt Fagnani	no flags	Details
File: exploitable (82 bytes, text/plain) 2020-01-04 06:03 UTC, Matt Fagnani	no flags	Details
File: limits (1.29 KB, text/plain) 2020-01-04 06:03 UTC, Matt Fagnani	no flags	Details
File: maps (29.99 KB, text/plain) 2020-01-04 06:03 UTC, Matt Fagnani	no flags	Details
File: mountinfo (2.42 KB, text/plain) 2020-01-04 06:03 UTC, Matt Fagnani	no flags	Details
File: open_fds (383 bytes, text/plain) 2020-01-04 06:03 UTC, Matt Fagnani	no flags	Details
File: proc_pid_status (1.28 KB, text/plain) 2020-01-04 06:03 UTC, Matt Fagnani	no flags	Details
File: var_log_messages (505 bytes, text/plain) 2020-01-04 06:03 UTC, Matt Fagnani	no flags	Details
rngd segmentation fault core dump file lz4 compressed (739.95 KB, application/x-lz4) 2020-01-05 00:14 UTC, Matt Fagnani	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1789902	0	unspecified	CLOSED	rngd denials: 'search' for sss, 'read' for passwd (caused by opensc changing to use glib)	2022-05-16 11:32:56 UTC

Description Matt Fagnani 2020-01-04 06:03:13 UTC

Description of problem:
I ran sudo dnf upgrade --refresh in the rawhide KDE Plasma spin on 2020-1-3. The update included kernel-5.5.0-0.rc4.git1.1.fc32.x86_64, glibc-2.30.9000-28.fc32.x86_64, opensc-0.20.0-1.fc32.x86_64, and other rpms. Three denials of rngd searching /var/lib/sss happened on the next boot https://bugzilla.redhat.com/show_bug.cgi?id=1787661  followed by a denial of rngd reading /etc/passwd https://bugzilla.redhat.com/show_bug.cgi?id=1787663 rngd segmentation faulted right after that. I attached the journal showing the rngd denials and segmentation fault to #1787661. The trace of the rngd segmentation fault indicated errors in frames #17-25 while loading /usr/lib64/opensc-pkcs11.so which is provided by opensc-0.20.0-1.fc32.x86_64. 

(gdb) bt
#0  0x00007f1c44a46d23 in g_get_user_database_entry () at ../glib/gutils.c:692
#1  0x00007f1c44a46e97 in g_build_home_dir () at ../glib/gutils.c:828
#2  0x00007f1c44a47242 in g_build_user_cache_dir () at ../glib/gutils.c:1827
#3  0x00007f1c44a4844b in g_build_user_runtime_dir () at ../glib/gutils.c:1882
#4  g_get_user_runtime_dir () at ../glib/gutils.c:1927
#5  0x00007f1c44c4f13d in get_session_address_xdg () at ../gio/gdbusaddress.c:1334
#6  get_session_address_platform_specific (error=0x7ffeeec43048) at ../gio/gdbusaddress.c:1240
#7  g_dbus_address_get_for_bus_sync
    (bus_type=bus_type@entry=G_BUS_TYPE_SESSION, cancellable=cancellable@entry=0x0, error=error@entry=0x0) at ../gio/gdbusaddress.c:1334
#8  0x00007f1c44c5b506 in get_uninitialized_connection
    (bus_type=bus_type@entry=G_BUS_TYPE_SESSION, cancellable=cancellable@entry=0x0, error=error@entry=0x0) at ../gio/gdbusconnection.c:7225
#9  0x00007f1c44c610ae in g_bus_get_sync
    (bus_type=bus_type@entry=G_BUS_TYPE_SESSION, cancellable=cancellable@entry=0x0, error=error@entry=0x0) at ../gio/gdbusconnection.c:7320
#10 0x00007f1c44c3365e in g_application_impl_register
    (application=application@entry=0x559e3055c090 [GApplication], appid=0x559e3055ce10 "org.opensc.notify", flags=G_APPLICATION_NON_UNIQUE, exported_actions=0x559e305568d0, remote_actions=remote_actions@entry=0x559e3055c038, cancellable=cancellable@entry=0x0, error=0x0) at ../gio/gapplicationimpl-dbus.c:601
#11 0x00007f1c44c3054c in g_application_register
    (error=0x0, cancellable=0x0, application=0x559e3055c090 [GApplication])
    at ../gio/gapplication.c:2187
#12 g_application_register (application=0x559e3055c090 [GApplication], cancellable=0x0, error=0x0)
    at ../gio/gapplication.c:2176
--Type <RET> for more, q to quit, c to continue without paging--c
#13 0x00007f1c44f5a6fd in module_init () at /usr/lib64/opensc-pkcs11.so
#14 0x00007f1c4805826a in call_init (l=<optimized out>, argc=argc@entry=2, argv=argv@entry=0x7ffeeec43ac8, env=env@entry=0x7ffeeec43ae0) at dl-init.c:72
#15 0x00007f1c48058371 in call_init (env=0x7ffeeec43ae0, argv=0x7ffeeec43ac8, argc=2, l=<optimized out>) at dl-init.c:30
#16 _dl_init (main_map=0x559e30544360, argc=2, argv=0x7ffeeec43ac8, env=0x7ffeeec43ae0) at dl-init.c:119
#17 0x00007f1c479233e5 in __GI__dl_catch_exception (exception=exception@entry=0x0, operate=operate@entry=0x7f1c4805b930 <call_dl_init>, args=args@entry=0x7ffeeec43470) at dl-error-skeleton.c:182
#18 0x00007f1c4805c440 in dl_open_worker (a=a@entry=0x7ffeeec43610) at dl-open.c:758
#19 0x00007f1c47923388 in __GI__dl_catch_exception (exception=exception@entry=0x7ffeeec435f0, operate=operate@entry=0x7f1c4805c010 <dl_open_worker>, args=args@entry=0x7ffeeec43610) at dl-error-skeleton.c:208
#20 0x00007f1c4805bc5e in _dl_open (file=0x559e2f33825f "/usr/lib64/opensc-pkcs11.so", mode=-2147483647, caller_dlopen=0x7f1c47ed42c0 <C_LoadModule+80>, nsid=-2, argc=2, argv=<optimized out>, env=0x7ffeeec43ae0) at dl-open.c:837
#21 0x00007f1c477b939c in dlopen_doit (a=a@entry=0x7ffeeec43830) at dlopen.c:66
#22 0x00007f1c47923388 in __GI__dl_catch_exception (exception=exception@entry=0x7ffeeec437d0, operate=operate@entry=0x7f1c477b9340 <dlopen_doit>, args=args@entry=0x7ffeeec43830) at dl-error-skeleton.c:208
#23 0x00007f1c47923453 in __GI__dl_catch_error (objname=objname@entry=0x559e30544340, errstring=errstring@entry=0x559e30544348, mallocedp=mallocedp@entry=0x559e30544338, operate=operate@entry=0x7f1c477b9340 <dlopen_doit>, args=args@entry=0x7ffeeec43830) at dl-error-skeleton.c:227
#24 0x00007f1c477b9b09 in _dlerror_run (operate=operate@entry=0x7f1c477b9340 <dlopen_doit>, args=args@entry=0x7ffeeec43830) at dlerror.c:170
#25 0x00007f1c477b942a in __dlopen (file=file@entry=0x559e2f33825f "/usr/lib64/opensc-pkcs11.so", mode=mode@entry=1) at dlopen.c:87
#26 0x00007f1c47ed42c0 in C_LoadModule (mspec=0x559e2f33825f "/usr/lib64/opensc-pkcs11.so", funcs=funcs@entry=0x559e3052b0d0) at libpkcs11.c:67
#27 0x00007f1c47ed6f16 in pkcs11_CTX_load (ctx=0x559e305442b0, name=<optimized out>) at p11_load.c:77
#28 0x00007f1c47eda63c in PKCS11_CTX_load (ctx=<optimized out>, ident=<optimized out>) at p11_front.c:46
#29 0x0000559e2f336c38 in init_pkcs11_entropy_source (ent_src=0x559e2f33d860 <entropy_sources+576>) at rngd_pkcs11.c:106
#30 0x0000559e2f32e99c in main (argc=<optimized out>, argv=<optimized out>) at rngd.c:794

I downgraded to opensc-0.19.0-8.fc32.x86_64  from koji. No rngs denials or segmentation fault happened on the next boot with opensc-0.19.0-8.fc32.x86_64. A change in opensc-0.20.0-1.fc32.x86_64 might be related to the rngd denials and segmentation fault.
The rngd denials and segmentation faults happened on 7/7 boots with opensc-0.20.0-1.fc32.x86_64.

Version-Release number of selected component:
rng-tools-6.9-1.fc32

Additional info:
reporter:       libreport-2.11.3
backtrace_rating: 4
cgroup:         0::/system.slice/rngd.service
cmdline:        /sbin/rngd -f
crash_function: g_get_user_database_entry
executable:     /usr/sbin/rngd
journald_cursor: s=29bfca92eb7642a18f0e109100134cc2;i=21b157;b=7b6c863a18104dc58b4867fd37d813a0;m=6c7eaa1c;t=59b43a1c7c24d;x=8091bc20104e86f7
kernel:         5.5.0-0.rc4.git1.1.fc32.x86_64
rootdir:        /
runlevel:       N 5
type:           CCpp
uid:            0

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 g_get_user_database_entry at ../glib/gutils.c:692
 #1 g_build_home_dir at ../glib/gutils.c:828
 #2 g_build_user_cache_dir at ../glib/gutils.c:1827
 #3 g_build_user_runtime_dir at ../glib/gutils.c:1882
 #4 g_get_user_runtime_dir at ../glib/gutils.c:1927
 #5 get_session_address_xdg at ../gio/gdbusaddress.c:1334
 #6 get_session_address_platform_specific at ../gio/gdbusaddress.c:1240
 #7 g_dbus_address_get_for_bus_sync at ../gio/gdbusaddress.c:1334
 #8 get_uninitialized_connection at ../gio/gdbusconnection.c:7225
 #9 g_bus_get_sync at ../gio/gdbusconnection.c:7320

Comment 1 Matt Fagnani 2020-01-04 06:03:15 UTC

Created attachment 1649571 [details]
File: backtrace

Comment 2 Matt Fagnani 2020-01-04 06:03:17 UTC

Created attachment 1649572 [details]
File: core_backtrace

Comment 3 Matt Fagnani 2020-01-04 06:03:17 UTC

Created attachment 1649573 [details]
File: cpuinfo

Comment 4 Matt Fagnani 2020-01-04 06:03:18 UTC

Created attachment 1649574 [details]
File: dso_list

Comment 5 Matt Fagnani 2020-01-04 06:03:19 UTC

Created attachment 1649575 [details]
File: environ

Comment 6 Matt Fagnani 2020-01-04 06:03:20 UTC

Created attachment 1649576 [details]
File: exploitable

Comment 7 Matt Fagnani 2020-01-04 06:03:21 UTC

Created attachment 1649577 [details]
File: limits

Comment 8 Matt Fagnani 2020-01-04 06:03:22 UTC

Created attachment 1649578 [details]
File: maps

Comment 9 Matt Fagnani 2020-01-04 06:03:23 UTC

Created attachment 1649579 [details]
File: mountinfo

Comment 10 Matt Fagnani 2020-01-04 06:03:24 UTC

Created attachment 1649580 [details]
File: open_fds

Comment 11 Matt Fagnani 2020-01-04 06:03:25 UTC

Created attachment 1649581 [details]
File: proc_pid_status

Comment 12 Matt Fagnani 2020-01-04 06:03:26 UTC

Created attachment 1649582 [details]
File: var_log_messages

Comment 13 Neil Horman 2020-01-04 14:56:49 UTC

I think this is something of a duplicate error to the other two bugs you've filed regarding the selinux deinals.

To address the dlopen issue, that appears to be something of a red herring.  Starting at Frame 27, the rngd pcks11 entropy source attempts to init the pkcs11 library, which in frame 26 and 25 calls dlopen on /usr/lib64/opensc-pkcs11.so.  frames 24 and 23 encounter an error in that operation, which we can dig into if you like, but I think thats moot, because it appears to be non-fatal, noting that in frames 22-17 the operation is retried, ending at frame 15, in which the constructor for the opensc library is called (module_init), meaning that the dlopen operation succeded, found the library and initialized it (or started trying to).

The discrepancy appears to be that, opensc has had a major overhaul between version 19.06 and version 20 in rawhide.  Whereas previously opensc only use internal infrastructure to initalize, in version 20 it appears to have adopted use of the glib library to alot of its work, which does alot of extra things under the cover, including opening /var/lib/sss and /etc/passwd.  It would appear that those operations are denied by the rawhide selinux policy for the rngd application tag.  That shouldn't cause an crash in g_get_user_database_entry, but I'm guessing that glib has a bug in which g_get_user_database_entry's call to get_pwnamr (or one of its cousins), doesn't expect a certain return from the call, and attempts to deference memory that isn't there.

I think that the solution here is twofold:
1) The selinux policy should probably be updated to allow context system_u:system_r:rngd_t:s0 to access files of type sss_var_t and system_u:object_r:passwd_file_t so that the avc deinals are not produced (which will avoid the crash)

2) glib needs to be updated to be able to handle those AVC deinals, and whatever information they return from get_pwnam and friends

If you can upload the core file from rngd here, I can take a closer look and pass this over to the glib maintainer for further correction.

In the interim, I think you probably have three workarounds at your disposal:
a) you can downgrade the opensc library as you've done, to avoid the implicit use of glibc in that library, avoiding the issue.  Irritating, but possible

b) you can disable selinux, which will avoid the AVC denial, and prevent whatever error glib is encountering.  Less secure, but also possible

c) you can copy /usr/lib/systemd/system/rngd.service to /etc/systemd/system/rngd.service and edit the file in etc such that the ExecStart line to include this option:
-x pkcs11
doing so will disable the pkcs11 entropy source, and prevent the opensc module from getting loaded, in turn preventing the crash above.  This is likely your best interim solution, as it allows you to keep selinux active and your system more secure.  This also however, assumes that you don't have a pcks11 entropy source available, but most people dont (they're smart card readers that produce a small amount of entropy that can be collected).

Please upload the core file, and I can route this to the appropriate maintainer for rectification.

Comment 14 Matt Fagnani 2020-01-05 00:14:01 UTC

Created attachment 1649821 [details]
rngd segmentation fault core dump file lz4 compressed

Neil, I'm attaching the rngd core dump file lz4 compressed from the segmentation fault I reported. I found the core dump file using coredumpctl info. I agree that the rngd denials are the reason for the segmentation faults. I have seen and reported about 12 additional rngd denials at https://bugzilla.redhat.com/show_bug.cgi?id=1787661#c3  rngd hasn't crashed since the first 5 of the 14 unique denials were allowed using a local policy module I described there. The rngd segmentation fault trace frames involving /usr/lib64/opensc-pkcs11.so allowed me to identify opensc-0.20.0-1.fc32.x86_64 as being involved in the denials and crashes at least. I can provide more information as needed. Thanks.

Comment 15 Neil Horman 2020-01-05 15:10:28 UTC

*** Bug 1787766 has been marked as a duplicate of this bug. ***

Comment 16 Ryan 2020-01-05 22:31:55 UTC

option c worked for me (disable pkcs11) as per #c13

Comment 17 ozeszty 2020-01-05 22:43:42 UTC

Same issue on F31 with opensc-0.20.0-1.1.fc31, reverting the update helped with rngd's AVC denials and this segmentation fault.

Comment 18 Jakub Jelen 2020-01-06 08:10:02 UTC

In the new update of OpenSC with rebase, I re-enabled the desktop notification support. It seems that either OpenSC or glib does not handle the restricted environments very well. I will try to investigate what is going on there and disable the notification support (at least in Fedora 31 for now).

Comment 19 Jakub Jelen 2020-01-06 09:50:29 UTC

Checking the trace and the source code, this is really an issue of glib2 package in Fedora. The frame 2 points here in the source code:

https://gitlab.gnome.org/GNOME/glib/blob/master/glib/gutils.c#L692

And this expression miss any null check when trying to access first element in the pw_name of the pw structure in the expression 

    pw->pw_name[0] = g_ascii_toupper (pw->pw_name[0]);

I will change this bug to glib2 and try to write some patch or at least issue there.

Comment 20 Jakub Jelen 2020-01-06 12:52:19 UTC

Here is a fix for glib including reproducer for those interested in learning more:

https://gitlab.gnome.org/GNOME/glib/merge_requests/1309

Comment 21 Neil Horman 2020-01-07 11:36:51 UTC

*** Bug 1788229 has been marked as a duplicate of this bug. ***

Comment 22 Adam Williamson 2020-01-07 15:51:59 UTC

See https://bugzilla.redhat.com/show_bug.cgi?id=1788229 for blocker rationale - essentially, this prevents rngd starting up on boot, and we require default services to start successfully.

Comment 23 Adam Williamson 2020-01-10 16:50:03 UTC

Filed https://bugzilla.redhat.com/show_bug.cgi?id=1789902 for the selinux-policy part of this.

Comment 24 Neil Horman 2020-01-10 17:55:21 UTC

*** Bug 1789157 has been marked as a duplicate of this bug. ***

Comment 25 Jakub Jelen 2020-01-13 08:07:32 UTC

for the record, I reverted the OpenSC change and dependency on gio (as the notification support is still quite premature) so this should not happen anymore with rawhide. But it does not change that this bug in gio2 should be fixed. Not sure about the selinux ones though.

Comment 26 Michael Catanzaro 2020-02-03 14:38:57 UTC

This fix should have reached rawhide already (GLib 2.63.4). Thanks Jakub!

Note You need to log in before you can comment on or make changes to this bug.