Bug#939998: marked as done (systemd-logind: Assert due to insufficient function return checks)

Sat, 09 Nov 2019 12:39:42 -0800 

Your message dated Sat, 09 Nov 2019 20:35:52 +0000
with message-id <[email protected]>
and subject line Bug#939998: fixed in systemd 241-7~deb10u2
has caused the Debian Bug report #939998,
regarding systemd-logind: Assert due to insufficient function return checks
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
939998: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939998
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Source: systemd
Source-Version: 241-7~deb10u1
Severity: important
Tags: upstream patch buster

Hi!

We hit an assert in logind from the latest systemd package in buster:

  systemd-logind coredumped: in log_assert_failed_realm  ... at 
../src/basic/log.c:795

Investiaging from the following stack trace:

,---
# gdb -c 
core.systemd-logind.0.4c92c46cf794487eb1df36acdfa8d37e.363.1568024520000000 
/lib/systemd/systemd-logind
[…]
Reading symbols from /lib/systemd/systemd-logind...Reading symbols from 
/usr/lib/debug/.build-id/67/1f5fd985d111ef7cca8db8d01c5175738b0ec6.debug...done.
done.
[New LWP 363]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/lib/systemd/systemd-logind'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt full
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
        set = {__val = {8589950979, 0, 17179869308, 0, 0, 0, 4096, 255, 
18446744073709551615, 0, 1024, 140109258535907, 4294967295, 4096, 
94012397244720, 140109259796384}}
        pid = <optimized out>
        tid = <optimized out>
        ret = <optimized out>
#1  0x00007f6dba8f9535 in __GI_abort () at abort.c:79
        save_stage = 1
        act = {__sigaction_handler = {sa_handler = 0x5580f5dcb87e, sa_sigaction 
= 0x5580f5dcb87e}, sa_mask = {__val = {17, 94012397097648, 
13205360909752802304, 206158430240, 94012369043465, 2943, 94012369067104, 2, 
94012369067104, 
              94012397040272, 140109256346163, 0, 0, 0, 140109257989088, 
94012369057967}}, sa_flags = 0, sa_restorer = 0x5580f5dcb8af}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007f6dba69508a in log_assert_failed_realm (realm=<optimized out>, 
text=0x5580f5dcb8af "pid > 1", file=0x5580f5dc8009 
"../src/login/logind-dbus.c", line=2943, func=0x5580f5dcdc60 
<__PRETTY_FUNCTION__.15284> "manager_start_scope")
    at ../src/basic/log.c:795
No locals.
#3  0x00005580f5dbc282 in manager_start_scope (job=0x5580f7889330, 
error=0x7ffe8737fb60, more_properties=0x5580f78c1820, 
requires_mounts_for=0x5580f787ceb0 "/root", after=0x7ffe8737f970, 
wants=0x7ffe8737f950, 
    description=0x7ffe8737f8d0 "Session 342 of user root", slice=0x5580f787b290 
"user-0.slice", pid=0, scope=0x5580f78ad360 "session-342.scope", 
manager=0x5580f7865c50) at ../src/login/logind-session.c:638
        m = 0x0
        reply = 0x0
        i = <optimized out>
        r = <optimized out>
        m = <optimized out>
        reply = <optimized out>
        i = <optimized out>
        r = <optimized out>
        __PRETTY_FUNCTION__ = <optimized out>
#4  session_start_scope (s=s@entry=0x5580f78892b0, 
properties=properties@entry=0x5580f78c1820, error=error@entry=0x7ffe8737fb60) 
at ../src/login/logind-session.c:640
        scope = <optimized out>
        description = 0x7ffe8737f8d0 "Session 342 of user root"
        _ptr_ = <optimized out>
        r = <optimized out>
        __PRETTY_FUNCTION__ = "session_start_scope"
        __func__ = "session_start_scope"
        _ptr_ = <optimized out>
#5  0x00005580f5dc2a6d in session_start (s=<optimized out>, 
properties=<optimized out>, error=<optimized out>, s=<optimized out>, 
properties=<optimized out>, error=<optimized out>) at 
../src/login/logind-session.c:682
        r = <optimized out>
        r = <optimized out>
        __func__ = "session_start"
        __PRETTY_FUNCTION__ = "session_start"
#6  0x00005580f5db4f1a in method_create_session (message=0x5580f78c1820, 
userdata=<optimized out>, error=0x7ffe8737fb60) at 
../src/login/logind-dbus.c:860
        service = 0x5580f787e9d4 "sshd"
        type = 0x5580f787e9e0 "tty"
        class = 0x5580f787e9e8 "user"
        cseat = 0x5580f787e9fc ""
        tty = 0x5580f787ea08 ""
        display = 0x5580f787ea10 ""
        remote_user = 0x5580f787ea1c ""
        remote_host = 0x5580f787ea24 "<…REDACTED…>"
        desktop = 0x0
        id = 0x5580f78b82b0 "342"
        session = 0x5580f78892b0
        audit_id = 342
        m = <optimized out>
        user = 0x5580f78a2490
        seat = <optimized out>
        leader = 2973
        uid = 0
        remote = 1
        vtnr = 0
        t = <optimized out>
        c = SESSION_USER
        r = 1
        __PRETTY_FUNCTION__ = "method_create_session"
        __func__ = "method_create_session"
#7  0x00007f6dba708767 in method_callbacks_run (found_object=0x7ffe8737fc17, 
require_fallback=<optimized out>, c=<optimized out>, m=0x5580f78c1820, 
bus=0x5580f7868c00) at ../src/libsystemd/sd-bus/bus-objects.c:403
        slot = 0x5580f786abf0
        error = {name = 0x0, message = 0x0, _need_free = 0}
        signature = <optimized out>
        u = 0x5580f7865c50
        r = <optimized out>
        error = <optimized out>
        signature = <optimized out>
        u = <optimized out>
        r = <optimized out>
        __PRETTY_FUNCTION__ = <optimized out>
        slot = <optimized out>
        __unique_prefix_A8 = <optimized out>
#8  object_find_and_run (bus=0x5580f7868c00, m=0x5580f78c1820, p=<optimized 
out>, require_fallback=false, found_object=0x7ffe8737fc17) at 
../src/libsystemd/sd-bus/bus-objects.c:1266
        n = 0x5580f786aba0
        vtable_key = {path = 0x5580f787e928 "/org/freedesktop/login1", 
interface = 0x5580f787e960 "org.freedesktop.login1.Manager", member = 
0x5580f787e948 "CreateSession", parent = 0x5580f7868c88, last_iteration = 
4152790016, 
          vtable = 0x5580f7868c88}
        v = <optimized out>
        r = <optimized out>
        __PRETTY_FUNCTION__ = "object_find_and_run"
#9  0x00007f6dba6ff809 in bus_process_object (bus=0x5580f7868c00, 
m=0x5580f78c1820) at ../src/libsystemd/sd-bus/bus-objects.c:1386
        prefix = <optimized out>
        r = <optimized out>
        pl = <optimized out>
        found_object = true
        __PRETTY_FUNCTION__ = "bus_process_object"
#10 0x00007f6dba6f4014 in process_message (m=0x5580f78c1820, 
bus=0x5580f7868c00) at ../src/libsystemd/sd-bus/sd-bus.c:2703
        r = <optimized out>
        r = <optimized out>
        __PRETTY_FUNCTION__ = <optimized out>
        __func__ = <optimized out>
        _mm = <optimized out>
        _level = <optimized out>
        _e = <optimized out>
        _realm = <optimized out>
#11 process_running (ret=0x0, priority=0, hint_priority=false, 
bus=0x5580f7868c00) at ../src/libsystemd/sd-bus/sd-bus.c:2745
        m = 0x5580f78c1820
        r = 1
        m = <optimized out>
        r = <optimized out>
        __PRETTY_FUNCTION__ = <optimized out>
        __func__ = <optimized out>
        _found = <optimized out>
        _ptr_ = <optimized out>
        _level = <optimized out>
        _e = <optimized out>
        _realm = <optimized out>
#12 bus_process_internal (bus=bus@entry=0x5580f7868c00, 
hint_priority=hint_priority@entry=false, priority=priority@entry=0, 
ret=ret@entry=0x0) at ../src/libsystemd/sd-bus/sd-bus.c:2963
        r = <optimized out>
        __PRETTY_FUNCTION__ = "bus_process_internal"
        _dont_destroy_bus = 0x5580f7868c00
#13 0x00007f6dba6f424c in sd_bus_process (bus=bus@entry=0x5580f7868c00, 
ret=ret@entry=0x0) at ../src/libsystemd/sd-bus/sd-bus.c:2990
No locals.
#14 0x00007f6dba6f4318 in io_callback (s=<optimized out>, fd=<optimized out>, 
revents=<optimized out>, userdata=<optimized out>, s=<optimized out>, 
fd=<optimized out>, revents=<optimized out>, userdata=<optimized out>)
    at ../src/libsystemd/sd-bus/sd-bus.c:3341
        bus = 0x5580f7868c00
        r = <optimized out>
        _level = <optimized out>
        _e = <optimized out>
        _realm = <optimized out>
        bus = <optimized out>
        r = <optimized out>
        __PRETTY_FUNCTION__ = "io_callback"
        __func__ = "io_callback"
#15 0x00007f6dba6c4e50 in source_dispatch (s=s@entry=0x5580f7872b70) at 
../src/libsystemd/sd-event/sd-event.c:2821
        saved_type = SOURCE_IO
        r = <optimized out>
        __PRETTY_FUNCTION__ = "source_dispatch"
        __func__ = "source_dispatch"
#16 0x00007f6dba6c5141 in sd_event_dispatch (e=e@entry=0x5580f7866e50) at 
../src/libsystemd/sd-event/sd-event.c:3234
        ref = <optimized out>
        p = <optimized out>
        r = <optimized out>
        __PRETTY_FUNCTION__ = "sd_event_dispatch"
#17 0x00007f6dba6c5308 in sd_event_run (e=0x5580f7866e50, 
timeout=18446744073709551615) at ../src/libsystemd/sd-event/sd-event.c:3291
        r = 1
        __PRETTY_FUNCTION__ = "sd_event_run"
#18 0x00005580f5daa6ed in manager_run (m=0x5580f7865c50) at 
../src/login/logind.c:1187
        r = <optimized out>
        r = <optimized out>
        __PRETTY_FUNCTION__ = <optimized out>
#19 run (argv=<optimized out>, argc=<optimized out>) at 
../src/login/logind.c:1235
        m = <optimized out>
        r = <optimized out>
        m = <optimized out>
        r = <optimized out>
        __func__ = <optimized out>
        __PRETTY_FUNCTION__ = <optimized out>
        _level = <optimized out>
        _e = <optimized out>
        _realm = <optimized out>
        _level = <optimized out>
        _e = <optimized out>
        _realm = <optimized out>
        _level = <optimized out>
        _e = <optimized out>
        _realm = <optimized out>
        _level = <optimized out>
        _e = <optimized out>
        _realm = <optimized out>
        _level = <optimized out>
        _e = <optimized out>
        _realm = <optimized out>
        _level = <optimized out>
        _e = <optimized out>
        _realm = <optimized out>
#20 main (argc=<optimized out>, argv=<optimized out>) at 
../src/login/logind.c:1245
        r = <optimized out>
(gdb) 
`---

We can see that the pid in the assert comes from the s->leader as
passed to manager_start_scope() in its pid argument. The s->leader
gets assigned in method_create_session(), via a session_set_leader()
call, after having been previously initialized as a stack variable
and validated.

But the session_set_leader() call can fail in its hashmap_put()
function, but the call site does not check for any error code.


Checking then upstream's master I noticed this has already been fixed
there! Attached the upstream patch fixing this. And I've set this only
as important, but it might deserve being serious perhaps? Up to you.

Thanks,
Guillem

From fe3ab8458b9c0ead4b3e14ac25b342d8c34376fe Mon Sep 17 00:00:00 2001
From: Yu Watanabe <[email protected]>
Date: Thu, 14 Feb 2019 10:59:13 +0900
Subject: [PATCH] login: add a missing error check for session_set_leader()

session_set_leader() may fail. If it fails, then manager_start_scope()
will trigger assertion.

This may be related to RHBZ#1663704.
---
 src/login/logind-dbus.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
index 8ab498fdc2..b9ea370ec0 100644
--- a/src/login/logind-dbus.c
+++ b/src/login/logind-dbus.c
@@ -790,7 +790,9 @@ static int method_create_session(sd_bus_message *message, void *userdata, sd_bus
                 goto fail;
 
         session_set_user(session, user);
-        session_set_leader(session, leader);
+        r = session_set_leader(session, leader);
+        if (r < 0)
+                goto fail;
 
         session->type = t;
         session->class = c;
-- 
2.23.0.237.gc6a4ce50a0

--- End Message ---
--- Begin Message --- 
Source: systemd
Source-Version: 241-7~deb10u2

We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <[email protected]> (supplier of updated systemd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 16 Oct 2019 15:24:54 +0200
Source: systemd
Architecture: source
Version: 241-7~deb10u2
Distribution: buster
Urgency: medium
Maintainer: Debian systemd Maintainers 
<[email protected]>
Changed-By: Michael Biebl <[email protected]>
Closes: 934589 935091 936032 939353 939408 939551 939998 941758
Changes:
 systemd (241-7~deb10u2) buster; urgency=medium
 .
   * core: never propagate reload failure to service result.
     Fixes a regression introduced in v239 where the main process of a
     service unit gets killed on reload if ExecReload fails. (Closes: #936032)
   * shared/seccomp: add sync_file_range2.
     Some architectures need the arguments to be reordered because of alignment
     issues. Otherwise, it's the same as sync_file_range.
     Fixes sync_file_range failures in nspawn containers on arm, ppc.
     (Closes: #935091)
   * core: factor root_directory application out of apply_working_directory.
     Fixes RootDirectory not working when used in combination with User.
     (Closes: #939408)
   * shared/bus-util: drop trusted annotation from
     bus_open_system_watch_bind_with_description().
     This ensures that access controls on systemd-resolved's D-Bus interface
     are enforced properly.
     (CVE-2019-15718, Closes: #939353)
   * login: add a missing error check for session_set_leader()
     Fixes assertion due to insufficient function return check.
     (Closes: #939998)
   * d/e/r/73-usb-net-by-mac.rules: import net.ifnames only for network devices
     (Closes: #934589)
   * d/e/r/73-usb-net-by-mac.rules: skip if iface name was provided by 
user-space
   * namespace: make MountFlags=shared work again (Closes: #939551)
   * mount/generators: do not make unit wanted by its device unit.
     Among other things, this fixes StopWhenUnneeded=true being broken for
     mount units. (Closes: #941758)
Checksums-Sha1:
 96f1587f187e216bfc1e2ef0368e7d4d844ebf04 4946 systemd_241-7~deb10u2.dsc
 9361c2d34b99d018cc362c5240c655575e85c661 167956 
systemd_241-7~deb10u2.debian.tar.xz
 97d7a846bb254b64cbf634fcf339cf2f3f286458 9526 
systemd_241-7~deb10u2_source.buildinfo
Checksums-Sha256:
 b31ef8786d0b9ebb8a66d8921fbe19233d968e35ca1678d665c1b37117878386 4946 
systemd_241-7~deb10u2.dsc
 8462a1fb3bea0f771112eb96e161c940212a7fffbef26a204ff4c5e91b428fca 167956 
systemd_241-7~deb10u2.debian.tar.xz
 7056fcd8463c486b22b66d9080ea3cf2b40995a21f5c5eed1badbc4f78158ea4 9526 
systemd_241-7~deb10u2_source.buildinfo
Files:
 28994561e62f4c12aca0ae40b3aca40b 4946 admin optional systemd_241-7~deb10u2.dsc
 c22f4f32759de0c4e7c8db7a5c9d9e62 167956 admin optional 
systemd_241-7~deb10u2.debian.tar.xz
 7ef5feed3ef6c6a3979fc09ee20a0433 9526 admin optional 
systemd_241-7~deb10u2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEECbOsLssWnJBDRcxUauHfDWCPItwFAl3DRb0ACgkQauHfDWCP
ItzvoBAAgGlCq7FP+0VUaW5Zqcx8xZQUevTnL31N5vq2gI2g20iQcXg4ooRpH+Gh
V73Ypfvyu5nA0gfm5eK0eK5WOovassPDEMGhBIFxofAfpV2ec3XKBjz6EngXs6dY
SYZznPzL+ZEaHmOgqKCjfyNXR2T5qBlO1cBQTpo7ckhy2fEx2jTcWtpJmgqrUkiD
eKMIlSZtjwKiusuCWlkKh7IW6UHiKcrJ+yKpcOJ90Yj8PMN85tFFieERizVQEYyF
O/rTRw380xB5NdHj55/Pn9SFRN18eQ/r0f7qlBGrgA88a9m4czc9bx42hZ8SZ+Z7
ECh0Ab3iyUbZwwM4zRg9s0EXN5hdecw3my92KaCtDrk2HYuGSWT3IA5iubhj5VNw
BfCUz3eQ3VGNfDoqNb3fQMGq+L05mrs8SCDRV9jiuJ7Ts6AsDbo+eK1ose2wxJ77
7VMxU8pXJKstFkFYlQYc10NybtdvhNNThETWSQVYTq0L2R0tMZcfOmd2Z9sow/Gl
L+/WiodLC61aZvQyQRkKlHBJFqzOdZVVBsPrsn8ZSFvEPL9Ik7/hoEKHSPNes5WF
9A/ZERFeIVWDpQWZev/11FmHYBfAHvNp313vy01aJkOUPu3cyB9Ih/74MQWQYbME
pZt13uulQD1M2P4vAOvFLHGdANbKbA/6n8XGifZrufTg2JKC1iA=
=NIGQ
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to