openssh bugs - Dec 2011 - [Bug 1960] New: Running sshd in wrong SELinux context causes segmentation fault when a user logs in

https://bugzilla.mindrot.org/show_bug.cgi?id=1960

             Bug #: 1960
           Summary: Running sshd in wrong SELinux context causes
                    segmentation fault when a user logs in
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 5.8p1
          Platform: amd64
        OS/Version: Linux
            Status: NEW
          Severity: minor
          Priority: P2
         Component: sshd
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: sven.vermeulen at siphos.be


Created attachment 2119
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2119
Suggested one-line patch to fix this issue

On a SELinux-enabled Linux system (but running in permissive mode), if
the SSH daemon runs in the wrong context (for instance kernel_t) a
logon of a user through SSH causes the session to terminate abruptly
due to a segmentation fault. 

This is caused by not initializing the local variable "sc" in the
openbsd-compat/port-linux.c::ssh_selinux_getctxbyname() function. The
call to get_default_context() will result in the return code -1, but
"sc" is left untouched (and thus not a valid security_context_t
instance). Later in the function, "sc" is returned to the calling
function (which is ssh_selinux_setup_exec_context) which tries to free
the context through freecon(user_ctx).

This can be fixed by initializing sc to NULL to begin with (see line
59):

 55 /* Return the default security context for the given username */
 56 static security_context_t
 57 ssh_selinux_getctxbyname(char *pwname)
 58 {
 59         security_context_t sc = NULL;
 60         char *sename = NULL, *lvl = NULL;
 61         int r;

Because it is initialized to NULL, it will remain NULL if the context
of SSH is wrong, in which case there will be no attempt to freecon() it
in ssh_selinux_setup_exec_context. If the context is correct, "sc"
will
be updated to point to a proper security_context_t instance.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1960

--- Comment #1 from Damien Miller <djm at mindrot.org> 2012-02-24 11:32:25
EST ---
Created attachment 2134
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2134
selinux-getctxbyname-null.diff

set sc=NULL on failues too

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1960

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2134|                            |ok?(dtucker at zip.com.au)
              Flags|                            |

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1960

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Blocks|                            |1930

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1960

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2134|                            |ok+
              Flags|                            |

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1960

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #2 from Damien Miller <djm at mindrot.org> 2012-03-09 10:25:44
EST ---
Patch applied - will be in the openssh-6.0 release due very soon.

Thanks!

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.