* Regression in 5876aca0484f ("libselinux: free data on selabel open failure")
From: Petr Lautrbach @ 2024-07-09 10:15 UTC (permalink / raw)
To: selinux
Hello,
Katerina Koukiou https://bugzilla.redhat.com/show_bug.cgi?id=2295428
discovered a regression in libselinux [1] which can be demonstrated by
running `matchpathcon` on a system with SELinux disabled and without any
SELinux policy installed.
Fedora reproducer:
$ toolbox create
$ toolbox enter
toolbox$ matchpathcon /abc
Before 5876aca0484f:
$ matchpathcon /abc
Error while opening file contexts database: No such file or directory
After 5876aca0484f:
$ matchpathcon /abc
[1] 761709 segmentation fault (core dumped) matchpathcon /abc
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f9a7b8 in closef (rec=0x405a10) at label_file.c:915
warning: Source file is more recent than executable.
915 free(spec->lr.ctx_trans);
(gdb) bt full
#0 0x00007ffff7f9a7b8 in closef (rec=0x405a10) at label_file.c:915
data = 0x405a80
area = 0x6ffffdf48
last_area = 0x7fffffffdc90
spec = 0x405
stem = 0x2
i = 0
#1 0x00007ffff7f968b7 in selabel_close (rec=0x405a10) at label.c:364
No locals.
#2 0x00007ffff7f9648d in selabel_open (backend=0, opts=0x7fffffffdd80, nopts=6) at label.c:228
rec = 0x405a10
#3 0x00000000004015e7 in main (argc=2, argv=0x7fffffffdf48) at matchpathcon.c:131
i = 32767
force_mode = 0
header = 1
opt = -1
verify = 0
notrans = 0
error = 0
quiet = 0
hnd = 0x7fffffffde20
options = {{type = 0, value = 0x0}, {type = 0, value = 0x0}, {type = 0, value = 0x0}, {type = 0,
value = 0x0}, {type = 0, value = 0x0}, {type = 0, value = 0x0}}
As a workaround, it's necessary to install SELinux policy:
toolbox$ sudo dnf install selinux-policy-targeted
toolbox$ matchpathcon /abc
/abc system_u:object_r:etc_runtime_t:s0
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2295428
* Re: Regression in 5876aca0484f ("libselinux: free data on selabel open failure")
From: Petr Lautrbach @ 2024-07-09 14:37 UTC (permalink / raw)
To: selinux
Petr Lautrbach <lautrbach@redhat.com> writes:
> Hello,
>
> Katerina Koukiou https://bugzilla.redhat.com/show_bug.cgi?id=2295428
> discovered a regression in libselinux [1] which can be demonstrated by
> running `matchpathcon` on a system with SELinux disabled and without any
> SELinux policy installed.
>
> Fedora reproducer:
>
> $ toolbox create
> $ toolbox enter
> toolbox$ matchpathcon /abc
>
> Before 5876aca0484f:
>
> $ matchpathcon /abc
> Error while opening file contexts database: No such file or directory
>
> After 5876aca0484f:
>
> $ matchpathcon /abc
> [1] 761709 segmentation fault (core dumped) matchpathcon /abc
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x00007ffff7f9a7b8 in closef (rec=0x405a10) at label_file.c:915
> warning: Source file is more recent than executable.
> 915 free(spec->lr.ctx_trans);
The following patch fixes this particular problem:
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 2732972e61cf..59c9f2ef3442 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -942,6 +942,7 @@ static void closef(struct selabel_handle *rec)
free(last_area);
}
free(data);
+ rec->data = NULL;
}
// Finds all the matches of |key| in the given context. Returns the result in
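Review bot: the added `rec->data = NULL;` at the end of closef() only prevents the crash if closef() returns early when rec->data is already NULL, and that guard is not visible in this hunk; please confirm it is there (or add it next to the `data` lookup at the top of the function), since the backtrace reaches closef() through selabel_close() from selabel_open(). The message says this fixes "this particular problem", so it is worth checking whether the other label backends' close callbacks leave rec->data pointing at freed memory in the same way, and the final submission needs a commit message with a Fixes: tag for 5876aca0484f and a Signed-off-by line.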
> (gdb) bt full
> #0 0x00007ffff7f9a7b8 in closef (rec=0x405a10) at label_file.c:915
> data = 0x405a80
> area = 0x6ffffdf48
> last_area = 0x7fffffffdc90
> spec = 0x405
> stem = 0x2
> i = 0
> #1 0x00007ffff7f968b7 in selabel_close (rec=0x405a10) at label.c:364
> No locals.
> #2 0x00007ffff7f9648d in selabel_open (backend=0, opts=0x7fffffffdd80, nopts=6) at label.c:228
> rec = 0x405a10
> #3 0x00000000004015e7 in main (argc=2, argv=0x7fffffffdf48) at matchpathcon.c:131
> i = 32767
> force_mode = 0
> header = 1
> opt = -1
> verify = 0
> notrans = 0
> error = 0
> quiet = 0
> hnd = 0x7fffffffde20
> options = {{type = 0, value = 0x0}, {type = 0, value = 0x0}, {type = 0, value = 0x0}, {type = 0,
> value = 0x0}, {type = 0, value = 0x0}, {type = 0, value = 0x0}}
>
>
> As a workaround, it's necessary to install SELinux policy:
>
> toolbox$ sudo dnf install selinux-policy-targeted
> toolbox$ matchpathcon /abc
> /abc system_u:object_r:etc_runtime_t:s0
>
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=2295428
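
The failure path in the backtrace above (selabel_open() calling selabel_close() and then closef() on a handle whose backend data is no longer valid) can be modelled in a few lines. This is an added example, not libselinux code and not part of the original messages: all struct and function names are hypothetical, and it assumes the backend's init already tears its data down once before the generic open path closes the handle again.

```c
#include <stdlib.h>

/* Simplified model of the failure path; every name here is hypothetical. */
struct backend_data { char *ctx; };
struct handle { struct backend_data *data; };
static int close_calls, payload_frees; /* callback entries vs. real frees */

/* Backend close callback that tolerates being called twice. */
static void backend_close(struct handle *rec)
{
    struct backend_data *data = rec->data;
    close_calls++;
    if (!data)
        return;           /* already torn down, nothing to walk */
    free(data->ctx);
    free(data);
    rec->data = NULL;     /* without this, a second call reads freed memory */
    payload_frees++;
}

/* Backend init that cleans up after itself when loading fails. */
static int backend_init(struct handle *rec, int have_policy)
{
    rec->data = calloc(1, sizeof(*rec->data));
    if (rec->data && have_policy)
        rec->data->ctx = calloc(1, 8);
    if (rec->data && rec->data->ctx)
        return 0;
    backend_close(rec);   /* have_policy == 0 is the constructed failure */
    return -1;
}

static void handle_close(struct handle *rec)
{
    backend_close(rec);
    free(rec);
}

static struct handle *handle_open(int have_policy)
{
    struct handle *rec = calloc(1, sizeof(*rec));
    if (rec && backend_init(rec, have_policy) != 0) {
        handle_close(rec); /* generic open closes the same handle again */
        rec = NULL;
    }
    return rec;
}

/* Stand-alone check: exit 0 when open fails and the data is freed once. */
int main(void) { return handle_open(0) || payload_frees != 1; }
```

Building the model with `-fsanitize=address` and deleting the `rec->data = NULL;` line makes the second `backend_close()` call show up as a heap-use-after-free report.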