scf_read_propvec segfaults on error
Enabling the auditset service on a machine that doesn't have auditd installed causes it to core dump and enter maintenance mode. From looking at the stack trace we see it dumping in free, which is being called by scf_clean_propvec.
# pstack /var/cores/core.svc-auditset.6995
core '/var/cores/core.svc-auditset.6995' of 6995:	/lib/svc/method/svc-auditset
 fee59f9c _free_unlocked (8062000, 8047c4c, 73, 8062000, fe9fd000, fe93d900) + 24
 fee5a3df free     (8062000, fe9fd000, 3eb, 80632a0, 8047ca0, fefbe010) + 45
 fe9da6a7 scf_clean_propvec (fe93d900, fe9247f2, 0, 80623a8, 80623c8, 8062368) + 8c
 fe9daada scf_read_propvec (fe9247f2, fe9248b0, 0, fe93d900, 8047d5c, 0) + 418
 fe9199a0 get_val_scf (fe93d900, fe9248b0, 5, 8047dbc, 0, 8047e20) + 47
 fe91a97c do_getflags_scf (8047dbc, 8047db8, 0, 8051820, 8062000, 805126e) + 5d
 080516f9 main     (1, 8047e20, 8047e28, 8051363, 0, 0) + 128
 08051388 _start_crt (1, 8047e20, fefcf363, 0, 0, 0) + 97
 0805125a _start   (1, 8047ed0, 0, 8047eed, 8047f0f, 8047f20) + 1a
Looking at the source we can see that scf_clean_propvec is called unconditionally on error, and in some cases it is called before the property vector has been initialised. When this happens free is called on bogus values.
Moving the block of code that initialised the property vector further up causes the problem to go away and exposes the real problem. Now the service fails with "entity not found" while looking up auditd.
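The ordering defect described above, as an added C illustration that is not the illumos libscf code: it uses a hypothetical, simplified propvec_t, a constructed in-memory "repository" with one known service, and two readers that differ only in when the vector is initialised. The cleanup routine frees every entry unconditionally, exactly as the report says scf_clean_propvec does, so it is only safe once every pv_ptr holds NULL or a pointer the reader allocated.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical, simplified stand-in for a libscf property vector (not the
 * real API).  Each entry names a property and receives a heap-allocated copy
 * of its value; a NULL pv_ptr means "not read".
 */
typedef struct propvec {
	const char *pv_prop;	/* property name to read */
	char *pv_ptr;		/* value allocated by the reader, or NULL */
} propvec_t;

/* Constructed fake repository: one known service with two properties. */
static const char *known_service = "system/auditset";
static const char *fake_props[][2] = {
	{ "audit_flags", "lo,ex" },
	{ "naflags", "lo" },
	{ NULL, NULL }
};

static const char *
lookup_prop(const char *name)
{
	for (int i = 0; fake_props[i][0] != NULL; i++)
		if (strcmp(fake_props[i][0], name) == 0)
			return (fake_props[i][1]);
	return (NULL);
}

/*
 * Unconditional cleanup, as in the report: it frees every entry and trusts
 * pv_ptr to be NULL or something it allocated.  Safe only after init.
 */
void
clean_propvec(propvec_t *pv)
{
	for (propvec_t *p = pv; p->pv_prop != NULL; p++) {
		free(p->pv_ptr);
		p->pv_ptr = NULL;
	}
}

/*
 * Buggy ordering: the service lookup can fail before the vector is
 * initialised, so the error path hands clean_propvec() whatever garbage the
 * caller's pv_ptr fields contain and free() dies on bogus values.
 * Shown for comparison only; main() and the checks below never call it.
 */
int
read_propvec_buggy(const char *svc, propvec_t *pv)
{
	if (strcmp(svc, known_service) != 0)
		goto error;			/* entity not found */

	for (propvec_t *p = pv; p->pv_prop != NULL; p++)
		p->pv_ptr = NULL;		/* too late for the exit above */

	for (propvec_t *p = pv; p->pv_prop != NULL; p++) {
		const char *val = lookup_prop(p->pv_prop);
		if (val == NULL || (p->pv_ptr = strdup(val)) == NULL)
			goto error;
	}
	return (0);
error:
	clean_propvec(pv);
	return (-1);
}

/* Fixed ordering: initialise first, so every exit path can clean up safely. */
int
read_propvec_fixed(const char *svc, propvec_t *pv)
{
	for (propvec_t *p = pv; p->pv_prop != NULL; p++)
		p->pv_ptr = NULL;

	if (strcmp(svc, known_service) != 0)
		goto error;			/* entity not found: frees only NULLs */

	for (propvec_t *p = pv; p->pv_prop != NULL; p++) {
		const char *val = lookup_prop(p->pv_prop);
		if (val == NULL || (p->pv_ptr = strdup(val)) == NULL)
			goto error;		/* frees only what was read so far */
	}
	return (0);
error:
	clean_propvec(pv);
	return (-1);
}

int
main(void)
{
	/* Deliberately bogus pv_ptr values stand in for uninitialised memory. */
	propvec_t pv[] = {
		{ "audit_flags", (char *)1 }, { "naflags", (char *)1 }, { NULL, NULL }
	};
	printf("missing service: rc=%d\n", read_propvec_fixed("system/auditd", pv));
	printf("known service:   rc=%d audit_flags=%s\n",
	    read_propvec_fixed(known_service, pv), pv[0].pv_ptr);
	clean_propvec(pv);
	return (0);
}
```

With the fixed ordering the lookup of the missing service still fails, which is the "entity not found" the report goes on to see, but the failure is reported instead of crashing in free.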
Updated by Electric Monk about 3 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
commit e6ccb06dae563daedbe76eeadbdd3940a4e4f693
Author: Andrew Stormont <email@example.com>
Date:   2018-08-07T01:12:54.000Z

    9645 scf_read_propvec segfaults on error
    Reviewed by: Vitaliy Gusev <firstname.lastname@example.org>
    Reviewed by: Toomas Soome <email@example.com>
    Reviewed by: Yuri Pankov <firstname.lastname@example.org>
    Approved by: Robert Mustacchi <email@example.com>