[Bug 1960] New: Running sshd in wrong SELinux context causes segmentation fault when a user logs in
bugzilla-daemon at bugzilla.mindrot.org
Wed Dec 14 07:53:56 EST 2011
https://bugzilla.mindrot.org/show_bug.cgi?id=1960
Bug #: 1960
Summary: Running sshd in wrong SELinux context causes
segmentation fault when a user logs in
Classification: Unclassified
Product: Portable OpenSSH
Version: 5.8p1
Platform: amd64
OS/Version: Linux
Status: NEW
Severity: minor
Priority: P2
Component: sshd
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: sven.vermeulen at siphos.be
Created attachment 2119
--> https://bugzilla.mindrot.org/attachment.cgi?id=2119
Suggested one-line patch to fix this issue

On a SELinux-enabled Linux system (but running in permissive mode), if
the SSH daemon runs in the wrong context (for instance kernel_t) a
logon of a user through SSH causes the session to terminate abruptly
due to a segmentation fault.

This is caused by not initializing the local variable "sc" in the
openbsd-compat/port-linux.c::ssh_selinux_getctxbyname() function. The
call to get_default_context() will result in the return code -1, but
"sc" is left untouched (and thus not a valid security_context_t
instance). Later in the function, "sc" is returned to the calling
function (which is ssh_selinux_setup_exec_context) which tries to free
the context through freecon(user_ctx).

This can be fixed by initializing sc to NULL to begin with (see line
59):

55 /* Return the default security context for the given username */
56 static security_context_t
57 ssh_selinux_getctxbyname(char *pwname)
58 {
59 	security_context_t sc = NULL;
60 	char *sename = NULL, *lvl = NULL;
61 	int r;

Because it is initialized to NULL, it will remain NULL if the context
of SSH is wrong, in which case there will be no attempt to freecon() it
in ssh_selinux_setup_exec_context. If the context is correct, "sc" will
be updated to point to a proper security_context_t instance.