[Bug 1960] New: Running sshd in wrong SELinux context causes segmentation fault when a user logs in

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Wed Dec 14 07:53:56 EST 2011


https://bugzilla.mindrot.org/show_bug.cgi?id=1960

             Bug #: 1960
           Summary: Running sshd in wrong SELinux context causes
                    segmentation fault when a user logs in
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 5.8p1
          Platform: amd64
        OS/Version: Linux
            Status: NEW
          Severity: minor
          Priority: P2
         Component: sshd
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: sven.vermeulen at siphos.be


Created attachment 2119
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2119
Suggested one-line patch to fix this issue

On an SELinux-enabled Linux system (but running in permissive mode), if
the SSH daemon runs in the wrong context (for instance kernel_t) a
logon of a user through SSH causes the session to terminate abruptly
due to a segmentation fault.

This is caused by not initializing the local variable "sc" in the
openbsd-compat/port-linux.c::ssh_selinux_getctxbyname() function. The
call to get_default_context() will result in the return code -1, but
"sc" is left untouched (and thus not a valid security_context_t
instance). Later in the function, "sc" is returned to the calling
function (which is ssh_selinux_setup_exec_context) which tries to free
the context through freecon(user_ctx).

This can be fixed by initializing sc to NULL to begin with (see line
59):

 55 /* Return the default security context for the given username */
 56 static security_context_t
 57 ssh_selinux_getctxbyname(char *pwname)
 58 {
 59         security_context_t sc = NULL;
 60         char *sename = NULL, *lvl = NULL;
 61         int r;

Because it is initialized to NULL, it will remain NULL if the context
of SSH is wrong, in which case there will be no attempt to freecon() it
in ssh_selinux_setup_exec_context. If the context is correct, "sc" will
be updated to point to a proper security_context_t instance.
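The failure mode described above, as an added example that is not OpenSSH's
code: stub_get_default_context() and stub_freecon() are hypothetical stand-ins
for the libselinux calls, written to behave the way the report says the real
ones do (a -1 return that leaves the output pointer untouched). The buggy
lookup is shown for contrast only and is never called, since returning an
uninitialized pointer is undefined behaviour; the fixed lookup and the
caller pattern (free only what was actually obtained) are what run.

```c
/* Added example, not OpenSSH's code. Models the error path from the bug
 * report with stand-ins for libselinux. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* security_context_t is a char * in libselinux; mirrored here. */
typedef char *security_context_t;

/* Hypothetical stand-in for libselinux get_default_context(): returns -1 on
 * failure and does NOT write *con, as the report describes. Failure is
 * simulated by a NULL daemon context (the "wrong context" case). */
static int stub_get_default_context(const char *user, const char *from,
                                    security_context_t *con)
{
    if (from == NULL)
        return -1;                      /* failure: *con left untouched */
    size_t n = strlen(from) + strlen(user) + 2;
    char *s = malloc(n);
    if (s == NULL)
        return -1;
    snprintf(s, n, "%s:%s", from, user); /* constructed context string */
    *con = s;
    return 0;
}

/* Hypothetical stand-in for freecon(). */
static void stub_freecon(security_context_t con)
{
    free(con);
}

/* BEFORE (for illustration only, never called): on the -1 path "sc" is
 * returned holding whatever was on the stack, and the caller's freecon()
 * then frees garbage, which is the reported segfault. */
security_context_t getctxbyname_buggy(const char *pwname, const char *daemon_ctx)
{
    security_context_t sc;              /* uninitialized */
    int r = stub_get_default_context(pwname, daemon_ctx, &sc);
    if (r != 0)
        fprintf(stderr, "get_default_context failed for %s\n", pwname);
    return sc;                          /* indeterminate on failure */
}

/* AFTER: the one-line fix from the report. "sc" starts as NULL, so on the
 * failure path the caller receives NULL instead of an indeterminate value. */
static security_context_t getctxbyname_fixed(const char *pwname,
                                             const char *daemon_ctx)
{
    security_context_t sc = NULL;
    int r = stub_get_default_context(pwname, daemon_ctx, &sc);
    if (r != 0)
        fprintf(stderr, "get_default_context failed for %s\n", pwname);
    return sc;                          /* NULL on failure, valid otherwise */
}

/* Mirrors the caller's pattern: release a context only if one was obtained.
 * Returns 1 when a context was set up and freed, 0 when there was none. */
static int setup_exec_context(const char *pwname, const char *daemon_ctx)
{
    security_context_t user_ctx = getctxbyname_fixed(pwname, daemon_ctx);
    if (user_ctx == NULL)
        return 0;                       /* no freecon() on a NULL pointer */
    /* setexeccon(user_ctx) would be called here in the real daemon. */
    stub_freecon(user_ctx);
    return 1;
}

int main(void)
{
    printf("correct context: %d\n", setup_exec_context("alice", "sshd_t"));
    printf("wrong context:   %d\n", setup_exec_context("alice", NULL));
    return 0;
}
```

Building the real file with -Wall does not flag the original defect, because
taking the address of "sc" defeats the compiler's uninitialized-use check;
running the daemon under valgrind in the wrong context would report the
invalid free instead, which is the cheaper way to confirm a fix like this.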
