Created attachment 2119 [details]
Suggested one-line patch to fix this issue

On a SELinux-enabled Linux system (but running in permissive mode), if the SSH daemon runs in the wrong context (for instance kernel_t), a logon of a user through SSH causes the session to terminate abruptly due to a segmentation fault.

This is caused by not initializing the local variable "sc" in the openbsd-compat/port-linux.c::ssh_selinux_getctxbyname() function. The call to get_default_context() will result in the return code -1, but "sc" is left untouched (and thus not a valid security_context_t instance). Later in the function, "sc" is returned to the calling function (which is ssh_selinux_setup_exec_context), which tries to free the context through freecon(user_ctx).

This can be fixed by initializing sc to NULL to begin with (see line 59):

    55 /* Return the default security context for the given username */
    56 static security_context_t
    57 ssh_selinux_getctxbyname(char *pwname)
    58 {
    59         security_context_t sc = NULL;
    60         char *sename = NULL, *lvl = NULL;
    61         int r;

Because it is initialized to NULL, it will remain NULL if the context of SSH is wrong, in which case there will be no attempt to freecon() it in ssh_selinux_setup_exec_context. If the context is correct, "sc" will be updated to point to a proper security_context_t instance.
Created attachment 2134 [details]
selinux-getctxbyname-null.diff

set sc=NULL on failures too
Patch applied - will be in the openssh-6.0 release due very soon. Thanks!
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1