| Field | Value |
|---|---|
| Summary | Running sshd in wrong SELinux context causes segmentation fault when a user logs in |
| Product | Portable OpenSSH |
| Component | sshd |
| Version | 5.8p1 |
| Hardware | amd64 |
| OS | Linux |
| Status | CLOSED FIXED |
| Severity | minor |
| Priority | P2 |
| Reporter | Sven Vermeulen <sven.vermeulen> |
| Assignee | Assigned to nobody <unassigned-bugs> |
| CC | djm |
| Bug Blocks | 1930 |
| Attachments | 2119 (suggested one-line patch), 2134 (selinux-getctxbyname-null.diff) |
Created attachment 2119 [details]
Suggested one-line patch to fix this issue

On a SELinux-enabled Linux system (but running in permissive mode), if the SSH daemon runs in the wrong context (for instance kernel_t), a logon of a user through SSH causes the session to terminate abruptly due to a segmentation fault.

This is caused by not initializing the local variable "sc" in the openbsd-compat/port-linux.c::ssh_selinux_getctxbyname() function. The call to get_default_context() will result in the return code -1, but "sc" is left untouched (and thus is not a valid security_context_t instance). Later in the function, "sc" is returned to the calling function (which is ssh_selinux_setup_exec_context), which tries to free the context through freecon(user_ctx).

This can be fixed by initializing sc to NULL to begin with (see line 59):

```c
55 /* Return the default security context for the given username */
56 static security_context_t
57 ssh_selinux_getctxbyname(char *pwname)
58 {
59 	security_context_t sc = NULL;
60 	char *sename = NULL, *lvl = NULL;
61 	int r;
```

Because it is initialized to NULL, it will remain NULL if the context of SSH is wrong, in which case there will be no attempt to freecon() it in ssh_selinux_setup_exec_context. If the context is correct, "sc" will be updated to point to a proper security_context_t instance.

Created attachment 2134 [details]
selinux-getctxbyname-null.diff
set sc=NULL on failures too

Patch applied - will be in the openssh-6.0 release due very soon. Thanks!

Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1
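The failure mode the report describes, as an added example that is neither OpenSSH's code nor libselinux: a C model of ssh_selinux_getctxbyname() with sc initialised to NULL, a constructed stub standing in for get_default_context() that leaves its output pointer untouched on failure (the behaviour the report relies on), and a model of the caller that only hands a non-NULL context to freecon(). The daemon domain is passed in as a string (kernel_t versus sshd_t) to simulate the misconfiguration, and the function names, the context string format and the freecon call counter are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed stand-ins for the libselinux pieces the report mentions.
 * security_context_t is a char * in libselinux; the stubs below are NOT
 * libselinux and take a daemon domain argument in place of the runtime
 * context a real sshd would obtain from getcon().
 */
typedef char *security_context_t;

/* Number of times stub_freecon() ran; lets the caller's cleanup be checked. */
static int g_freecon_calls = 0;

int freecon_calls(void) { return g_freecon_calls; }

/*
 * Stub of get_default_context(): like the real call it writes *con only on
 * success (returns 0) and leaves *con untouched on failure (returns -1).
 * Failure is simulated whenever the daemon domain is anything but sshd_t.
 */
static int stub_get_default_context(const char *daemon_domain,
    const char *pwname, security_context_t *con)
{
    if (strcmp(daemon_domain, "sshd_t") != 0)
        return -1;                              /* *con deliberately untouched */
    /* Constructed context string; real policy decides the actual value. */
    size_t n = strlen(pwname) + sizeof("_u:user_r:user_t:s0");
    *con = malloc(n);
    if (*con == NULL)
        return -1;
    snprintf(*con, n, "%s_u:user_r:user_t:s0", pwname);
    return 0;
}

static void stub_freecon(security_context_t con)
{
    g_freecon_calls++;
    free(con);
}

/*
 * Model of ssh_selinux_getctxbyname() with the fix applied: sc starts out
 * NULL, so the permissive-mode failure path hands back NULL instead of
 * whatever happened to be on the stack.
 */
security_context_t getctxbyname_fixed(const char *daemon_domain,
    const char *pwname)
{
    security_context_t sc = NULL;   /* the one-line fix from the report */
    int r = stub_get_default_context(daemon_domain, pwname, &sc);

    if (r != 0) {
        /* permissive mode: log and carry on without a context */
        fprintf(stderr, "failed to get default SELinux context for %s "
            "(daemon runs as %s)\n", pwname, daemon_domain);
    }
    return sc;                      /* NULL on failure, heap string on success */
}

/*
 * Model of the caller (ssh_selinux_setup_exec_context): only a non-NULL
 * context reaches freecon(). Returns 1 when a context was obtained and
 * released, 0 when none was available.
 */
int setup_exec_context(const char *daemon_domain, const char *pwname)
{
    security_context_t user_ctx = getctxbyname_fixed(daemon_domain, pwname);

    if (user_ctx == NULL)
        return 0;
    /* setexeccon(user_ctx) would run here */
    stub_freecon(user_ctx);
    return 1;
}

/* Convenience check: 1 if the context obtained for pwname equals expect. */
int context_equals(const char *daemon_domain, const char *pwname,
    const char *expect)
{
    security_context_t sc = getctxbyname_fixed(daemon_domain, pwname);
    int eq = sc != NULL && strcmp(sc, expect) == 0;

    if (sc != NULL)
        stub_freecon(sc);
    return eq;
}

int main(void)
{
    /* Misconfigured daemon (kernel_t): no context, no freecon(). */
    printf("kernel_t: %d\n", setup_exec_context("kernel_t", "sven"));
    /* Correct daemon domain: context built and released exactly once. */
    printf("sshd_t:   %d\n", setup_exec_context("sshd_t", "sven"));
    printf("freecon calls: %d\n", freecon_calls());
    return 0;
}
```

Build with `cc -Wall -o getctx getctx.c` and run it; the kernel_t path returns 0 and never reaches freecon(), the sshd_t path returns 1 and frees once. The general rule the fix illustrates: an output pointer that a library may leave unwritten on failure must be initialised before the call, so that the cleanup path can test it rather than trusting the return code alone.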