Bug 632914 - ssh(1) dies on SIGSEGV when SELinux policy is not installed
Summary: ssh(1) dies on SIGSEGV when SELinux policy is not installed
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: 14
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Jan F. Chadima
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-09-11 21:21 UTC by Kamil Dudka
Modified: 2010-09-14 07:32 UTC (History)

Fixed In Version: openssh-5.5p1-20.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-09-14 05:07:54 UTC
Type: ---
Embargoed:



Description Kamil Dudka 2010-09-11 21:21:43 UTC
Version-Release number of selected component (if applicable):
openssh-clients-5.5p1-18.fc14.x86_64


How reproducible:
100%


Steps to Reproduce:
$ mock -v -r fedora-14-x86_64 --init
$ mock -v -r fedora-14-x86_64 --install openssh-clients
# chroot /var/lib/mock/fedora-14-x86_64/root
# ssh localhost

  
Actual results:
Segmentation fault (core dumped)


Additional info:
# gdb -q --args ssh localhost

(gdb) break matchpathcon
Breakpoint 1 at 0x90a0

(gdb) run
Breakpoint 1, matchpathcon (name=0x7fffffffcea0 "/root/.ssh", mode=448, con=0x7fffffffc7b8) at matchpathcon.c:316
316     {

(gdb) finish
Run till exit from #0  matchpathcon (name=0x7fffffffcea0 "/root/.ssh", mode=448, con=0x7fffffffc7b8) at matchpathcon.c:316
main (ac=<value optimized out>, av=<value optimized out>) at ssh.c:829
829                     setfscreatecon(scon);
Value returned is $1 = -1

(gdb) list
824                 strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
825             if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0) {
826                     char *scon;
827
828                     matchpathcon(buf, 0700, &scon);
829                     setfscreatecon(scon);
830                     if (mkdir(buf, 0700) < 0)
831                             error("Could not create directory '%.200s'.", buf);
832                     setfscreatecon(NULL);
833             }

(gdb) print scon
$2 = 0x500000001 <Address 0x500000001 out of bounds>

(gdb) next
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5896982 in __strlen_sse2 () from /lib64/libc.so.6

(gdb) bt
#0  0x00007ffff5896982 in __strlen_sse2 () from /lib64/libc.so.6
#1  0x00007ffff5896696 in strdup () from /lib64/libc.so.6
#2  0x00007ffff796dd28 in selinux_trans_to_raw_context (trans=0x500000001 <Address 0x500000001 out of bounds>, rawp=0x7fffffffc6a8) at setrans_client.c:259
#3  0x00007ffff796c4a0 in setprocattrcon (context=<value optimized out>, attr=0x7ffff7970996 "fscreate", pid=0) at procattr.c:135
#4  0x00007ffff7fa8731 in main (ac=<value optimized out>, av=<value optimized out>) at ssh.c:829
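
The failure mode in the gdb session above, as a self-contained C example (added here; it is not OpenSSH's code and not the fix shipped in the update). `fake_matchpathcon`, `fake_setfscreatecon`, `POISON`, `LABEL`, `policy_installed` and the two `label_*` functions are hypothetical stand-ins so that it builds without libselinux; the label string is constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for matchpathcon()/setfscreatecon() so this builds
 * without libselinux. POISON models the stale stack value gdb printed. */
#define POISON ((char *)(uintptr_t)0x500000001ULL)
static const char LABEL[] = "system_u:object_r:ssh_home_t:s0"; /* constructed */
static int policy_installed;   /* 0 reproduces the policy-less mock chroot */

static int fake_matchpathcon(const char *path, unsigned mode, char **con)
{
    (void)path; (void)mode;
    if (!policy_installed || (*con = malloc(sizeof LABEL)) == NULL)
        return -1;             /* no policy: *con is never written */
    memcpy(*con, LABEL, sizeof LABEL);
    return 0;
}

static int fake_setfscreatecon(const char *con)
{
    return con == POISON ? -1 : 0;  /* -1 marks where the real call faults in strdup() */
}

/* Pattern from the ssh.c listing: lookup result ignored; -1 = fault site reached. */
static int label_unchecked(const char *dir)
{
    char *scon = POISON;                  /* models the uninitialized local */
    fake_matchpathcon(dir, 0700, &scon);  /* return value dropped */
    int rc = fake_setfscreatecon(scon);
    if (scon != POISON)
        free(scon);
    return rc;
}

/* Guarded variant: returns 1 if a creation label was set, 0 if skipped. */
static int label_checked(const char *dir)
{
    char *scon = NULL;
    if (fake_matchpathcon(dir, 0700, &scon) != 0 || scon == NULL)
        return 0;                         /* no policy: caller still runs mkdir() */
    int set = (fake_setfscreatecon(scon) == 0);
    free(scon);                           /* freecon() with real libselinux */
    return set;
}

int main(void)
{
    return !(label_unchecked("/root/.ssh") == -1 && label_checked("/root/.ssh") == 0);
}
```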

Comment 1 Jan F. Chadima 2010-09-13 08:41:47 UTC
Temporarily repaired in Rawhide's openssh-5.6p1-4. Can you test it, please?

Comment 2 Kamil Dudka 2010-09-13 09:03:56 UTC
Works for me.  Thanks!

Comment 3 Jan F. Chadima 2010-09-13 10:05:00 UTC
Can you test openssh-5.6p1-5 also?

Comment 4 Kamil Dudka 2010-09-13 10:15:39 UTC
still working...

Comment 5 Jan F. Chadima 2010-09-13 10:23:51 UTC
Thx, do you want it as an update of f14?

Comment 6 Kamil Dudka 2010-09-13 10:39:10 UTC
It'd be certainly appreciated as the bug weakens curl's test-suite:

http://kojipkgs.fedoraproject.org/packages/curl/7.21.0/5.fc14/data/logs/x86_64/build.log

... but if the update was a problem, we could add BuildRequire for selinux-policy-targeted as a workaround, as we already did in rawhide curl.

Comment 7 Jan F. Chadima 2010-09-13 11:55:22 UTC
Be my guest, and test!

Comment 8 Kamil Dudka 2010-09-13 12:23:39 UTC
There seems to be a typo in openssh.spec:

diff --git a/openssh.spec b/openssh.spec
index 8eca6ab..dcd4280 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -326,7 +326,7 @@ CFLAGS="$CFLAGS -fpic"
 %endif
 export CFLAGS
 SAVE_LDFLAGS="$LDFLAGS"
-LDFLAGS="$LDFLAGS -pie z relro -z now"; export LDFLAGS
+LDFLAGS="$LDFLAGS -pie -z relro -z now"; export LDFLAGS
 %endif
 %if %{kerberos5}
 if test -r /etc/profile.d/krb5-devel.sh ; then
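
Review bot: On the `+LDFLAGS` line, nothing visible in the spec verifies that the hardening options actually reach the linked binaries, and a one-character slip here changed what the linker was asked to do. Consider a post-build check that runs `readelf -lW` and `readelf -dW` on the installed executables and fails the build when the `GNU_RELRO` segment or the `BIND_NOW` flag is missing, or when the ELF type is not `DYN`. Writing the options as `-Wl,-z,relro -Wl,-z,now` would also make it explicit that they are meant for the linker.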

Comment 9 Fedora Update System 2010-09-13 13:10:50 UTC
openssh-5.5p1-20.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/openssh-5.5p1-20.fc14

Comment 10 Fedora Update System 2010-09-14 05:07:50 UTC
openssh-5.5p1-20.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Jan F. Chadima 2010-09-14 07:02:11 UTC
(In reply to comment #8)
> There seems to be a typo in openssh.spec:
> 
> diff --git a/openssh.spec b/openssh.spec
> index 8eca6ab..dcd4280 100644
> --- a/openssh.spec
> +++ b/openssh.spec
> @@ -326,7 +326,7 @@ CFLAGS="$CFLAGS -fpic"
>  %endif
>  export CFLAGS
>  SAVE_LDFLAGS="$LDFLAGS"
> -LDFLAGS="$LDFLAGS -pie z relro -z now"; export LDFLAGS
> +LDFLAGS="$LDFLAGS -pie -z relro -z now"; export LDFLAGS
>  %endif
>  %if %{kerberos5}
>  if test -r /etc/profile.d/krb5-devel.sh ; then
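
Review bot: The scope of the `LDFLAGS` override is not documented at the `SAVE_LDFLAGS="$LDFLAGS"` context line, and the matching restore falls outside this hunk. Worth confirming that `LDFLAGS` is reset from `SAVE_LDFLAGS` only after every binary that should be linked with `-pie -z relro -z now` has been built, and adding a short comment here naming the targets the override is meant to cover.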

This is the repair of the typo.

Comment 12 Kamil Dudka 2010-09-14 07:32:45 UTC
I did a scratch build of curl-7.21.0-5.fc14 against openssh-5.5p1-20.fc14 from stable and SCP/SFTP tests ran successfully on both i686 and x86_64:

http://koji.fedoraproject.org/koji/taskinfo?taskID=2466279

