- Bug
- Resolution: Unresolved
- rhel-8.10, rhel-9.5
- Important
- rhel-sst-security-special-projects
- ssg_security
- Red Hat Enterprise Linux
What were you trying to do that didn't work?
When adding a directory to the trust database, it appears that non-regular files are being processed as well, which causes any socket to crash the command with the following backtrace:
Core was generated by `fapolicyd-cli --file add /tmp/ssh-XXXXivF3iA/'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:77
77 VPCMP $0, (%rdi), %YMMZERO, %k0
(gdb) bt
#0 __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:77
#1 0x00007f84ba26e6b8 in __vfprintf_internal (s=s@entry=0x7ffcea560d30, format=format@entry=0x55af0ee43b27 "%s %s\n", ap=ap@entry=0x7ffcea560eb0, mode_flags=mode_flags@entry=2) at vfprintf-internal.c:1647
#2 0x00007f84ba27ecca in __vsnprintf_internal ( string=0x7ffcea560fa0 "/tmp/ssh-XXXXivF3iA/agent.1288 4afcac51067b8f2e4c75e21cf4f2af95319d4ed1b87\n", maxlen=<optimized out>, format=0x55af0ee43b27 "%s %s\n", args=args@entry=0x7ffcea560eb0, mode_flags=2) at vsnprintf.c:114
#3 0x00007f84ba31bd05 in ___snprintf_chk (s=<optimized out>, maxlen=<optimized out>, flag=<optimized out>, slen=<optimized out>, format=<optimized out>) at snprintf_chk.c:38
#4 0x000055af0ee3d54c in snprintf (__fmt=0x55af0ee43b27 "%s %s\n", __n=4176, __s=0x7ffcea560fa0 "/tmp/ssh-XXXXivF3iA/agent.1288 4afcac51067b8f2e4c75e21cf4f2af95319d4ed1b87\n") at /usr/include/bits/stdio2.h:54
#5 write_out_list (list=<optimized out>, dest=<optimized out>) at library/trust-file.c:159
#6 0x000055af0ee40d38 in trust_file_append (list=0x55af0ee4a540 <add_list>, fpath=<optimized out>) at library/trust-file.c:183
#7 file_append (path=<optimized out>, fname=0x0) at cli/file-cli.c:113
#8 file_append (path=<optimized out>, fname=0x0) at cli/file-cli.c:92
#9 0x000055af0ee40f27 in do_file_add (argc=<optimized out>, argv=0x7ffcea5636e0) at cli/fapolicyd-cli.c:238
#10 0x000055af0ee3811a in do_manage_files (argv=0x7ffcea5636d8, argc=2) at cli/fapolicyd-cli.c:306
#11 main (argc=4, argv=0x7ffcea5636c8) at cli/fapolicyd-cli.c:924
Below, we can see that the lptr "data" field is 0 since it's a socket, instead of the file content length:
(gdb) f 5
#5 write_out_list (list=<optimized out>, dest=<optimized out>) at library/trust-file.c:159
159 hlen = snprintf(buf, sizeof(buf), "%s %s\n", path, data + 2);
(gdb) p *lptr
$1 = {index = 0x55af1024f2f0, data = 0x0, next = 0x0}
Digging into the code, I can see that add_list_load_path() is not filtering on regular files at all (S_ISREG), line 87:
68 static int add_list_load_path(const char *path)
69 {
:
84 if (S_ISDIR(sb.st_mode))
85 nftw(path, &ftw_add_list_append, FTW_NOPENFD, FTW_FLAGS);
86 else
87 list_append(&add_list, strdup(path), NULL);
What is the impact of this issue to you?
Cannot easily add directory content to the trust database
Please provide the package NVR for which the bug is seen:
RHEL8 and RHEL9
How reproducible is this bug?:
Always
Steps to reproduce
- Try adding a directory containing a socket, e.g. /tmp/ssh-XXXX* which contains /tmp/ssh-XXXX*/agent.XXX
Expected results
No crash
Actual results
Crash
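The missing S_ISREG filter described above, shown as an added example that is not fapolicyd code or a proposed patch: it walks a directory with opendir/readdir (an assumption made here to keep it self-contained, where the project uses nftw) and counts only regular files as trustable. The names scan_path and demo are hypothetical, and the directory with one file and one bound UNIX socket is a constructed fixture.

```c
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Hypothetical helper: count regular files and skipped non-regular entries. */
int scan_path(const char *path, int *regular, int *skipped)
{
    struct stat sb;
    char child[4096];
    if (lstat(path, &sb) != 0) return -1;          /* lstat: never follow symlinks */
    if (S_ISREG(sb.st_mode)) { (*regular)++; return 0; }   /* safe to hash */
    if (!S_ISDIR(sb.st_mode)) { (*skipped)++; return 0; }  /* socket, FIFO, device, symlink */
    DIR *d = opendir(path);
    if (!d) return -1;
    int rc = 0;
    for (struct dirent *e; rc == 0 && (e = readdir(d)) != NULL; ) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        int n = snprintf(child, sizeof(child), "%s/%s", path, e->d_name);
        rc = (n < 0 || n >= (int)sizeof(child)) ? -1 : scan_path(child, regular, skipped);
    }
    closedir(d);
    return rc;
}

/* Constructed fixture: temp dir with one regular file and one bound UNIX socket. */
int demo(int *regular, int *skipped)
{
    char dir[] = "/tmp/trust-demo-XXXXXX", file[64];
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    *regular = *skipped = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof(file), "%s/notes.txt", dir);
    snprintf(sa.sun_path, sizeof(sa.sun_path), "%s/agent.sock", dir);
    FILE *f = fopen(file, "w");
    int s = socket(AF_UNIX, SOCK_STREAM, 0), rc = -1;
    if (f && s >= 0 && bind(s, (struct sockaddr *)&sa, sizeof(sa)) == 0)
        rc = scan_path(dir, regular, skipped);
    if (f) fclose(f); if (s >= 0) close(s);
    printf("rc=%d regular=%d skipped=%d\n", rc, *regular, *skipped);
    unlink(sa.sun_path); unlink(file); rmdir(dir);
    return rc;
}

int main(void) { int r, s; return demo(&r, &s) != 0; }
```

The same test applies to a single non-directory argument, the case handled on line 87 of the quoted code.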