FYI, rawhide makes /usr/bin/install (matchpathcon) segfault

Jim Meyering jim at meyering.net
Wed Sep 7 08:01:44 UTC 2011 

I was getting ready to release coreutils-8.13, after two pre-release snapshots,

    http://thread.gmane.org/gmane.comp.gnu.coreutils.general/1554
    http://thread.gmane.org/gmane.comp.gnu.coreutils.general/1631

when I went to make sure its tests all pass also on rawhide.
I test that regularly, and they've all been passing (of course), so I
didn't expect any surprises.  I certainly didn't expect 7 failures,
and never something as basic as this:

    $ touch a
    $ env -i /usr/bin/install a b
    zsh: segmentation fault  env -i /usr/bin/install a b
    [Exit 139 (SEGV)]

[the "env -i " prefix is just to ensure that none of my MALLOC_DEBUG_
 or MALLOC_PERTURB_ settings (or any other envvar) is causing trouble. ]

gdb shows that it's officially a NULL-deref, but says there's a
"Corrupted DWARF expression", probably discovered in read_sleb128:

    $ env -i gdb -q --args /usr/bin/install a b
    Reading symbols from /usr/bin/install...Reading symbols from /usr/lib/debug/usr/bin/install.debug...done.
    done.
    (gdb) r
    Starting program: /usr/bin/install a b
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib64/libthread_db.so.1".

    Program received signal SIGSEGV, Segmentation fault.
    __strtok_r_1c (__nextp=read_sleb128: Corrupted DWARF expression.
    ) at /usr/include/bits/string2.h:1179
    1179      while (*__s == __sep)
    (gdb) p __s
    $1 = 0x0
    (gdb) bt
    #0  __strtok_r_1c (__nextp=read_sleb128: Corrupted DWARF expression.
    ) at /usr/include/bits/string2.h:1179
    #1  init (rec=0x626930, opts=0x7ffff7fe2718, n=<optimized out>)
        at label_file.c:440
    #2  0x00007ffff7bc4b3d in selabel_open (backend=0, opts=0x7ffff7fe2718,
        nopts=5) at label.c:165
    #3  0x00007ffff7bc3e16 in matchpathcon_init_prefix_internal (path=0x0,
        subset=0x0) at matchpathcon.c:321
    #4  0x00007ffff7bc40a9 in matchpathcon (path=0x7fffffffefbf "b", mode=33261,
        con=0x7fffffffeb98) at matchpathcon.c:406
    #5  0x000000000040452f in setdefaultfilecon (file=0x7fffffffefbf "b")
        at install.c:345
    #6  change_attributes (name=0x7fffffffefbf "b") at install.c:471
    #7  install_file_in_file (from=<optimized out>, to=0x7fffffffefbf "b",
        x=<optimized out>) at install.c:672
    #8  0x0000000000403cd6 in main (argc=<optimized out>, argv=<optimized out>)
        at install.c:978
    (gdb)

So install is just the messenger, since it's calling libselinux's
matchpathcon function, in which all of this is happening.
Given the dwarf corruption, libselinux may be a messenger, too,
but for now, I've just put all this in a BZ:

  http://bugzilla.redhat.com/736259

This seems so fundamental that I have to wonder if it's
something specific to my own set-up...

More information about the devel mailing list