Petr Lautrbach <lautrbach@xxxxxxxxxx> writes:

> Hello,
>
> Katerina Koukiou https://bugzilla.redhat.com/show_bug.cgi?id=2295428
> discovered a regression in libselinux [1] which can be demonstrated by
> running `matchpathcon` on a system with SELinux disabled and without any
> SELinux policy installed.
>
> Fedora reproducer:
>
> $ toolbox create
> $ toolbox enter
> toolbox$ matchpathcon /abc
>
> Before 5876aca0484f:
>
> $ matchpathcon /abc
> Error while opening file contexts database: No such file or directory
>
> After 5876aca0484f:
>
> $ matchpathcon /abc
> [1] 761709 segmentation fault (core dumped) matchpathcon /abc
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x00007ffff7f9a7b8 in closef (rec=0x405a10) at label_file.c:915
> warning: Source file is more recent than executable.
> 915 free(spec->lr.ctx_trans);

The following patch fixes this particular problem:

diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c index 2732972e61cf..59c9f2ef3442 100644 --- a/libselinux/src/label_file.c +++ b/libselinux/src/label_file.c
@@ -942,6 +942,7 @@ static void closef(struct selabel_handle *rec) free(last_area); } free(data); + rec->data = NULL; } // Finds all the matches of |key| in the given context. Returns the result in

> (gdb) bt full
> #0 0x00007ffff7f9a7b8 in closef (rec=0x405a10) at label_file.c:915
>         data = 0x405a80
>         area = 0x6ffffdf48
>         last_area = 0x7fffffffdc90
>         spec = 0x405
>         stem = 0x2
>         i = 0
> #1 0x00007ffff7f968b7 in selabel_close (rec=0x405a10) at label.c:364
> No locals.
> #2 0x00007ffff7f9648d in selabel_open (backend=0, opts=0x7fffffffdd80, nopts=6) at label.c:228
>         rec = 0x405a10
> #3 0x00000000004015e7 in main (argc=2, argv=0x7fffffffdf48) at matchpathcon.c:131
>         i = 32767
>         force_mode = 0
>         header = 1
>         opt = -1
>         verify = 0
>         notrans = 0
>         error = 0
>         quiet = 0
>         hnd = 0x7fffffffde20
>         options = {{type = 0, value = 0x0}, {type = 0, value = 0x0}, {type = 0, value = 0x0}, {type = 0,
> value = 0x0}, {type = 0, value = 0x0}, {type = 0, value = 0x0}}
>
>
> As a workaround, it's necessary to install SELinux policy
>
> toolbox$ sudo dnf install selinux-policy-targeted
> toolbox$ $ matchpathcon /abc
> /abc system_u:object_r:etc_runtime_t:s0
>
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=2295428
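
Review bot: clearing `rec->data` after `free(data)` at the end of `closef()` only helps if `closef()` returns early when `rec->data` is NULL, and that check is not visible in this hunk's context. Please confirm it exists, or add `if (!data) return;` at the top, so that a later `closef()` on the same handle is a no-op rather than a walk over freed memory. The backtrace reaches `closef()` through `selabel_close()` from `selabel_open()` at label.c:228 with `data = 0x405a80` and `spec = 0x405`, so the commit message should say what leaves `rec->data` pointing at freed or partly initialised memory on this error path. As posted, the diff has no description or Signed-off-by, and the message itself says it fixes only "this particular problem", so a note on whether other selabel backends' close callbacks need the same treatment would help.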