
Bug#498684: openssh-server: sshd segfaults on system with badly configured SE Linux, ssh_selinux_getctxbyname() bug



Package: openssh-server
Version: 1:5.1p1-2
Severity: normal
Tags: patch

Hi,
While experimenting with running sshd under a bad SE Linux security context,
I found that it dies with a segmentation fault! This condition can
happen when someone builds and installs an SE Linux policy without
relabeling the file system, for example (/usr/sbin/sshd has an old, now bad
context). The problem is caused by an uninitialized variable in
ssh_selinux_getctxbyname().
The patch is attached and should probably be reported upstream.

Here is how to reproduce the problem:

sid:~# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 23
Policy from config file:        default

sid:~# chcon -t bin_t /usr/sbin/sshd 

sid:~# ls -Z /usr/sbin/sshd
system_u:object_r:bin_t:s0 /usr/sbin/sshd

sid:~# /usr/sbin/sshd -oUsePrivilegeSeparation=no -d -p 2222
debug1: sshd version OpenSSH_5.1p1 Debian-2
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-oUsePrivilegeSeparation=no'
debug1: rexec_argv[2]='-d'
debug1: rexec_argv[3]='-p'
debug1: rexec_argv[4]='2222'
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 172.31.0.128 port 43786
debug1: Client protocol version 2.0; client software version OpenSSH_5.1p1 Debian-2
debug1: match: OpenSSH_5.1p1 Debian-2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-2
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user zito service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "zito"
debug1: PAM: setting PAM_RHOST to "xenbr0.localdomain"
debug1: PAM: setting PAM_TTY to "ssh"
Failed none for zito from 172.31.0.128 port 43786 ssh2
debug1: userauth-request for user zito service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: test whether pkalg/pkblob are acceptable
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/zito/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /home/zito/.ssh/authorized_keys, line 2
Found matching RSA key: 8f:23:fc:1f:01:49:a7:f8:93:f5:c0:bb:d2:fa:81:36
debug1: restore_uid: 0/0
Postponed publickey for zito from 172.31.0.128 port 43786 ssh2
debug1: userauth-request for user zito service ssh-connection method publickey
debug1: attempt 2 failures 0
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/zito/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /home/zito/.ssh/authorized_keys, line 2
Found matching RSA key: 8f:23:fc:1f:01:49:a7:f8:93:f5:c0:bb:d2:fa:81:36
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
debug1: do_pam_account: called
Accepted publickey for zito from 172.31.0.128 port 43786 ssh2
debug1: PAM: establishing credentials
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
debug1: server_input_channel_req: channel 0 request x11-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req x11-req
debug1: channel 1: new [X11 inet listener]
debug1: channel 2: new [X11 inet listener]
debug1: server_input_channel_req: channel 0 request auth-agent-req@openssh.com reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req auth-agent-req@openssh.com
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: restore_uid: 0/0
debug1: channel 3: new [auth socket]
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/1
debug1: SELinux support enabled
ssh_selinux_getctxbyname: Failed to get default SELinux security context for zito
Segmentation fault


Thanks.
-- 
Zito

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser               3.110              add and remove users and groups
ii  debconf [debconf-2.0] 1.5.23             Debian configuration management sy
ii  dpkg                  1.14.22            Debian package management system
ii  libc6                 2.7-13             GNU C Library: Shared libraries
ii  libcomerr2            1.41.1-3           common error description library
ii  libkrb53              1.6.dfsg.4~beta1-4 MIT Kerberos runtime libraries
ii  libpam-modules        1.0.1-4            Pluggable Authentication Modules f
ii  libpam-runtime        1.0.1-4            Runtime support for the PAM librar
ii  libpam0g              1.0.1-4            Pluggable Authentication Modules l
ii  libselinux1           2.0.65-4           SELinux shared libraries
ii  libssl0.9.8           0.9.8g-13          SSL shared libraries
ii  libwrap0              7.6.q-16           Wietse Venema's TCP wrappers libra
ii  lsb-base              3.2-20             Linux Standard Base 3.2 init scrip
ii  openssh-blacklist     0.4.1              list of default blacklisted OpenSS
ii  openssh-client        1:5.1p1-2          secure shell client, an rlogin/rsh
ii  zlib1g                1:1.2.3.3.dfsg-12  compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.3-2  X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard                   <none>     (no description available)
pn  rssh                          <none>     (no description available)
pn  ssh-askpass                   <none>     (no description available)

-- debconf information excluded
--- openssh-5.1p1.orig/openbsd-compat/port-linux.c	2008-09-12 10:57:57.000000000 +0200
+++ openssh-5.1p1/openbsd-compat/port-linux.c	2008-09-12 10:22:20.000000000 +0200
@@ -69,7 +69,7 @@
 static security_context_t
 ssh_selinux_getctxbyname(char *pwname)
 {
-	security_context_t sc;
+	security_context_t sc = NULL;
 	char *sename = NULL, *role = NULL, *lvl = NULL;
 	int r;
 
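Review bot: initialising `sc` to NULL is the right minimal fix, but on its own the hunk only makes the failure observable rather than handled: the log in the report ("ssh_selinux_getctxbyname: Failed to get default SELinux security context for zito", then the segfault) shows the function reporting the error and continuing, so after this change the error path hands its caller NULL instead of stack garbage. Worth confirming in the same patch that each caller (the pty setup path the report crashes in, and the exec-context path) tests the returned context for NULL before passing it to libselinux or freecon(), and adding a one-line comment on the declaration that the error path relies on the initialiser so a later cleanup does not drop it. Minor: the `+++` timestamp (10:22:20) is earlier than the `---` one (10:57:57), so the diff looks as if it was taken in the wrong direction; regenerating it as `diff -u orig new` avoids confusion when forwarding upstream.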

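As an added example, not part of this report or of OpenSSH: the same shape of bug, modelled in plain C without libselinux so it runs anywhere. `get_ctx_stub()` stands in for get_default_context() and, like the real call, leaves the output pointer untouched when it fails; the user name "zito" and the context string are constructed, and every function name here is made up. The buggy variant is kept under `#if 0` because executing it would read an indeterminate pointer.

```c
/* Added example, not OpenSSH code: uninitialised-on-error pattern behind
 * Bug#498684, modelled without libselinux. All names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef char *security_context_t;   /* libselinux spells the type this way */

/* Small strdup replacement so the example needs only ISO C. */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Stand-in for get_default_context(): only the constructed user "zito"
 * has a mapping. On failure *ctx is NOT written, exactly the behaviour
 * the original bug depends on. */
static int get_ctx_stub(const char *user, security_context_t *ctx)
{
    if (strcmp(user, "zito") != 0)
        return -1;
    *ctx = dup_str("user_u:user_r:user_t:s0");
    return *ctx != NULL ? 0 : -1;
}

/* Stand-in for freecon(): same contract, frees the context string. */
static void freecon_stub(security_context_t ctx)
{
    free(ctx);
}

#if 0
/* Buggy shape: on the error path `sc` is never assigned, so the caller
 * receives whatever was on the stack. Not compiled, since reading it
 * would be undefined behaviour. */
static security_context_t getctxbyname_buggy(const char *user)
{
    security_context_t sc;
    if (get_ctx_stub(user, &sc) != 0)
        fprintf(stderr, "Failed to get default SELinux security context for %s\n", user);
    return sc;                      /* indeterminate when the lookup failed */
}
#endif

/* Fixed shape, as in the attached patch: initialise to NULL so a failed
 * lookup returns a value the caller can test. */
static security_context_t getctxbyname_fixed(const char *user)
{
    security_context_t sc = NULL;
    if (get_ctx_stub(user, &sc) != 0)
        fprintf(stderr, "Failed to get default SELinux security context for %s\n", user);
    return sc;
}

/* Caller modelled on the pty setup that crashed in the report. It treats
 * NULL as "no context, skip the relabel" instead of using or freeing
 * garbage. Returns 1 if the tty would be relabelled, 0 if skipped. */
static int setup_pty_fixed(const char *user)
{
    security_context_t user_ctx = getctxbyname_fixed(user);
    int relabelled = 0;

    if (user_ctx == NULL)
        goto out;                   /* lookup failed: leave the tty alone */
    relabelled = 1;                 /* real code: security_compute_relabel + setfilecon */
out:
    if (user_ctx != NULL)
        freecon_stub(user_ctx);     /* safe: never garbage with the NULL initialiser */
    return relabelled;
}

int main(void)
{
    printf("zito: %d\n", setup_pty_fixed("zito"));       /* 1 */
    printf("nobody: %d\n", setup_pty_fixed("nobody"));   /* 0, and no crash */
    return 0;
}
```

The point of the caller is the second half of the fix the patch implies: once the function can return NULL, the code that receives the context must test it before every libselinux call, not only before freecon().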