Bug #9645

Updated by Andrew Stormont about 3 years ago

Enabling the auditset service on a machine that doesn't have auditd installed causes it to core dump and enter maintenance mode. From looking at the stack trace we see it dumping in free, called by scf_clean_propvec. scf_read_propvec walks the prop vector setting the addresses for certain property types (such as opaque and astring, since they are dynamically sized) and sets them to NULL. On error it calls scf_clean_propvec which checks the addresses before freeing them and skips over any set to NULL. The problem being that in some failure scenarios this is called before the addresses have been initialized, causing a segfault.

 # pstack /var/cores/core.svc-auditset.6995 
 core '/var/cores/core.svc-auditset.6995' of 6995:         /lib/svc/method/svc-auditset 
  fee59f9c _free_unlocked (8062000, 8047c4c, 73, 8062000, fe9fd000, fe93d900) + 24 
  fee5a3df free       (8062000, fe9fd000, 3eb, 80632a0, 8047ca0, fefbe010) + 45 
  fe9da6a7 scf_clean_propvec (fe93d900, fe9247f2, 0, 80623a8, 80623c8, 8062368) + 8c 
  fe9daada scf_read_propvec (fe9247f2, fe9248b0, 0, fe93d900, 8047d5c, 0) + 418 
  fe9199a0 get_val_scf (fe93d900, fe9248b0, 5, 8047dbc, 0, 8047e20) + 47 
  fe91a97c do_getflags_scf (8047dbc, 8047db8, 0, 8051820, 8062000, 805126e) + 5d 
  080516f9 main       (1, 8047e20, 8047e28, 8051363, 0, 0) + 128 
  08051388 _start_crt (1, 8047e20, fefcf363, 0, 0, 0) + 97 
  0805125a _start     (1, 8047ed0, 0, 8047eed, 8047f0f, 8047f20) + 1a 

Looking at the source we can see that scf_clean_propvec is called unconditionally on error, and in some cases it is called before the property vector has been initialised. When this happens free is called on bogus values.

Moving the block of code that initialised the property vector further up causes the problem to go away and exposes the real problem. Now the service fails with "entity not found" while looking up auditd.
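The failure pattern described above (a cleanup routine that frees whatever the vector's pointers contain, reached by an error path that runs before those pointers were set to NULL) and the fix (initialise the vector before any failure path can reach the cleanup) as an added, self-contained C model. This is not libscf's code or the illumos fix: the types, function names (propvec_t, clean_propvec, read_propvec_buggy, read_propvec_fixed) and the sample repository values are all constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical property-vector entry; names are assumptions, not libscf's. */
typedef enum { PV_ASTRING, PV_BOOLEAN } pv_type_t;

typedef struct {
    const char *pv_name;  /* property to look up */
    pv_type_t   pv_type;
    void       *pv_ptr;   /* dynamically sized values (astring) are heap-allocated here */
    int         pv_bool;  /* fixed-size values are stored inline */
} propvec_t;

/* Constructed stand-in for the repository's property values. */
static const struct { const char *name; const char *value; } sample_repo[] = {
    { "flags",  "default" },
    { "active", "1" },
};

/* Returns 0 and a malloc'd copy of the value, or -1 when the property is unknown. */
static int lookup_value(const char *name, char **out)
{
    for (size_t i = 0; i < sizeof sample_repo / sizeof sample_repo[0]; i++) {
        if (strcmp(sample_repo[i].name, name) == 0) {
            *out = malloc(strlen(sample_repo[i].value) + 1);
            if (*out == NULL)
                return -1;
            strcpy(*out, sample_repo[i].value);
            return 0;
        }
    }
    return -1;
}

/* Frees the dynamically sized values, skipping entries whose pointer is NULL.
 * This is only safe if every pv_ptr was initialised before the call. */
void clean_propvec(propvec_t *v, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (v[i].pv_type == PV_ASTRING && v[i].pv_ptr != NULL) {
            free(v[i].pv_ptr);
            v[i].pv_ptr = NULL;
        }
    }
}

/* Walks the vector and reads each property; astrings keep their heap copy. */
static int fill_propvec(propvec_t *v, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        char *s;
        if (lookup_value(v[i].pv_name, &s) != 0)
            return -1;
        if (v[i].pv_type == PV_ASTRING) {
            v[i].pv_ptr = s;                    /* owned by the vector now */
        } else {
            v[i].pv_bool = (strcmp(s, "1") == 0);
            free(s);
        }
    }
    return 0;
}

/* Buggy ordering: binding to the service entity can fail before the loop that
 * sets pv_ptr to NULL has run, so the cleanup frees stack garbage. */
int read_propvec_buggy(propvec_t *v, size_t n, int service_present)
{
    if (!service_present)
        goto fail;                              /* pv_ptr not initialised yet */
    for (size_t i = 0; i < n; i++)
        v[i].pv_ptr = NULL;                     /* too late for the path above */
    if (fill_propvec(v, n) != 0)
        goto fail;
    return 0;
fail:
    clean_propvec(v, n);                        /* free() on bogus values if the first goto fired */
    return -1;
}

/* Fixed ordering: initialise first, so every failure path sees NULL pointers. */
int read_propvec_fixed(propvec_t *v, size_t n, int service_present)
{
    for (size_t i = 0; i < n; i++)
        v[i].pv_ptr = NULL;
    if (!service_present)
        goto fail;                              /* the "entity not found" case */
    if (fill_propvec(v, n) != 0)
        goto fail;
    return 0;
fail:
    clean_propvec(v, n);                        /* now only frees what was allocated */
    return -1;
}

/* Scenario: service missing and the vector holds a constructed bogus non-NULL
 * pointer standing in for uninitialised stack memory. Returns 1 on success. */
int fixed_survives_missing_service(void)
{
    propvec_t v[2] = { { "flags", PV_ASTRING, (void *)1, 0 }, { "active", PV_BOOLEAN, (void *)1, 0 } };
    int rc = read_propvec_fixed(v, 2, 0);
    return rc == -1 && v[0].pv_ptr == NULL && v[1].pv_ptr == NULL;
}

/* Scenario: service present; values are read, then cleaned without a leak. */
int fixed_reads_and_cleans(void)
{
    propvec_t v[2] = { { "flags", PV_ASTRING, (void *)1, 0 }, { "active", PV_BOOLEAN, (void *)1, 0 } };
    if (read_propvec_fixed(v, 2, 1) != 0)
        return 0;
    int ok = strcmp((char *)v[0].pv_ptr, "default") == 0 && v[1].pv_bool == 1;
    clean_propvec(v, 2);
    return ok && v[0].pv_ptr == NULL;
}

/* Scenario: the buggy ordering only survives because this caller zeroed the
 * vector; with the garbage of the first scenario it would free() a bogus pointer. */
int buggy_survives_only_if_caller_zeroed(void)
{
    propvec_t v[2] = { { "flags", PV_ASTRING, NULL, 0 }, { "active", PV_BOOLEAN, NULL, 0 } };
    return read_propvec_buggy(v, 2, 0) == -1;
}

int main(void)
{
    printf("fixed, service missing:  %s\n", fixed_survives_missing_service() ? "ok" : "FAIL");
    printf("fixed, service present:  %s\n", fixed_reads_and_cleans() ? "ok" : "FAIL");
    printf("buggy, zeroed by caller: %s\n", buggy_survives_only_if_caller_zeroed() ? "ok" : "FAIL");
    return 0;
}
```

The model keeps the "skip NULL" check in the cleanup exactly as the report describes it; the check is only a guarantee once the initialisation loop is hoisted above the first error exit, which is the same move the report makes and which then surfaces the real "entity not found" failure as a clean -1 instead of a core dump.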