Bug#939998: systemd-logind: Assert due to insufficient function return checks

Guillem Jover gjover at sipwise.com
Tue Sep 10 23:12:45 BST 2019


Source: systemd
Source-Version: 241-7~deb10u1
Severity: important
Tags: upstream patch buster

Hi!

We hit an assert in logind from the latest systemd package in buster:

  systemd-logind coredumped: in log_assert_failed_realm  ... at ../src/basic/log.c:795

Investigating from the following stack trace:

,---
# gdb -c core.systemd-logind.0.4c92c46cf794487eb1df36acdfa8d37e.363.1568024520000000 /lib/systemd/systemd-logind
[…]
Reading symbols from /lib/systemd/systemd-logind...Reading symbols from /usr/lib/debug/.build-id/67/1f5fd985d111ef7cca8db8d01c5175738b0ec6.debug...done.
done.
[New LWP 363]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/lib/systemd/systemd-logind'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt full
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
        set = {__val = {8589950979, 0, 17179869308, 0, 0, 0, 4096, 255, 18446744073709551615, 0, 1024, 140109258535907, 4294967295, 4096, 94012397244720, 140109259796384}}
        pid = <optimized out>
        tid = <optimized out>
        ret = <optimized out>
#1  0x00007f6dba8f9535 in __GI_abort () at abort.c:79
        save_stage = 1
        act = {__sigaction_handler = {sa_handler = 0x5580f5dcb87e, sa_sigaction = 0x5580f5dcb87e}, sa_mask = {__val = {17, 94012397097648, 13205360909752802304, 206158430240, 94012369043465, 2943, 94012369067104, 2, 94012369067104, 
              94012397040272, 140109256346163, 0, 0, 0, 140109257989088, 94012369057967}}, sa_flags = 0, sa_restorer = 0x5580f5dcb8af}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007f6dba69508a in log_assert_failed_realm (realm=<optimized out>, text=0x5580f5dcb8af "pid > 1", file=0x5580f5dc8009 "../src/login/logind-dbus.c", line=2943, func=0x5580f5dcdc60 <__PRETTY_FUNCTION__.15284> "manager_start_scope")
    at ../src/basic/log.c:795
No locals.
#3  0x00005580f5dbc282 in manager_start_scope (job=0x5580f7889330, error=0x7ffe8737fb60, more_properties=0x5580f78c1820, requires_mounts_for=0x5580f787ceb0 "/root", after=0x7ffe8737f970, wants=0x7ffe8737f950, 
    description=0x7ffe8737f8d0 "Session 342 of user root", slice=0x5580f787b290 "user-0.slice", pid=0, scope=0x5580f78ad360 "session-342.scope", manager=0x5580f7865c50) at ../src/login/logind-session.c:638
        m = 0x0
        reply = 0x0
        i = <optimized out>
        r = <optimized out>
        m = <optimized out>
        reply = <optimized out>
        i = <optimized out>
        r = <optimized out>
        __PRETTY_FUNCTION__ = <optimized out>
#4  session_start_scope (s=s@entry=0x5580f78892b0, properties=properties@entry=0x5580f78c1820, error=error@entry=0x7ffe8737fb60) at ../src/login/logind-session.c:640
        scope = <optimized out>
        description = 0x7ffe8737f8d0 "Session 342 of user root"
        _ptr_ = <optimized out>
        r = <optimized out>
        __PRETTY_FUNCTION__ = "session_start_scope"
        __func__ = "session_start_scope"
        _ptr_ = <optimized out>
#5  0x00005580f5dc2a6d in session_start (s=<optimized out>, properties=<optimized out>, error=<optimized out>, s=<optimized out>, properties=<optimized out>, error=<optimized out>) at ../src/login/logind-session.c:682
        r = <optimized out>
        r = <optimized out>
        __func__ = "session_start"
        __PRETTY_FUNCTION__ = "session_start"
#6  0x00005580f5db4f1a in method_create_session (message=0x5580f78c1820, userdata=<optimized out>, error=0x7ffe8737fb60) at ../src/login/logind-dbus.c:860
        service = 0x5580f787e9d4 "sshd"
        type = 0x5580f787e9e0 "tty"
        class = 0x5580f787e9e8 "user"
        cseat = 0x5580f787e9fc ""
        tty = 0x5580f787ea08 ""
        display = 0x5580f787ea10 ""
        remote_user = 0x5580f787ea1c ""
        remote_host = 0x5580f787ea24 "<…REDACTED…>"
        desktop = 0x0
        id = 0x5580f78b82b0 "342"
        session = 0x5580f78892b0
        audit_id = 342
        m = <optimized out>
        user = 0x5580f78a2490
        seat = <optimized out>
        leader = 2973
        uid = 0
        remote = 1
        vtnr = 0
        t = <optimized out>
        c = SESSION_USER
        r = 1
        __PRETTY_FUNCTION__ = "method_create_session"
        __func__ = "method_create_session"
#7  0x00007f6dba708767 in method_callbacks_run (found_object=0x7ffe8737fc17, require_fallback=<optimized out>, c=<optimized out>, m=0x5580f78c1820, bus=0x5580f7868c00) at ../src/libsystemd/sd-bus/bus-objects.c:403
        slot = 0x5580f786abf0
        error = {name = 0x0, message = 0x0, _need_free = 0}
        signature = <optimized out>
        u = 0x5580f7865c50
        r = <optimized out>
        error = <optimized out>
        signature = <optimized out>
        u = <optimized out>
        r = <optimized out>
        __PRETTY_FUNCTION__ = <optimized out>
        slot = <optimized out>
        __unique_prefix_A8 = <optimized out>
#8  object_find_and_run (bus=0x5580f7868c00, m=0x5580f78c1820, p=<optimized out>, require_fallback=false, found_object=0x7ffe8737fc17) at ../src/libsystemd/sd-bus/bus-objects.c:1266
        n = 0x5580f786aba0
        vtable_key = {path = 0x5580f787e928 "/org/freedesktop/login1", interface = 0x5580f787e960 "org.freedesktop.login1.Manager", member = 0x5580f787e948 "CreateSession", parent = 0x5580f7868c88, last_iteration = 4152790016, 
          vtable = 0x5580f7868c88}
        v = <optimized out>
        r = <optimized out>
        __PRETTY_FUNCTION__ = "object_find_and_run"
#9  0x00007f6dba6ff809 in bus_process_object (bus=0x5580f7868c00, m=0x5580f78c1820) at ../src/libsystemd/sd-bus/bus-objects.c:1386
        prefix = <optimized out>
        r = <optimized out>
        pl = <optimized out>
        found_object = true
        __PRETTY_FUNCTION__ = "bus_process_object"
#10 0x00007f6dba6f4014 in process_message (m=0x5580f78c1820, bus=0x5580f7868c00) at ../src/libsystemd/sd-bus/sd-bus.c:2703
        r = <optimized out>
        r = <optimized out>
        __PRETTY_FUNCTION__ = <optimized out>
        __func__ = <optimized out>
        _mm = <optimized out>
        _level = <optimized out>
        _e = <optimized out>
        _realm = <optimized out>
#11 process_running (ret=0x0, priority=0, hint_priority=false, bus=0x5580f7868c00) at ../src/libsystemd/sd-bus/sd-bus.c:2745
        m = 0x5580f78c1820
        r = 1
        m = <optimized out>
        r = <optimized out>
        __PRETTY_FUNCTION__ = <optimized out>
        __func__ = <optimized out>
        _found = <optimized out>
        _ptr_ = <optimized out>
        _level = <optimized out>
        _e = <optimized out>
        _realm = <optimized out>
#12 bus_process_internal (bus=bus@entry=0x5580f7868c00, hint_priority=hint_priority@entry=false, priority=priority@entry=0, ret=ret@entry=0x0) at ../src/libsystemd/sd-bus/sd-bus.c:2963
        r = <optimized out>
        __PRETTY_FUNCTION__ = "bus_process_internal"
        _dont_destroy_bus = 0x5580f7868c00
#13 0x00007f6dba6f424c in sd_bus_process (bus=bus@entry=0x5580f7868c00, ret=ret@entry=0x0) at ../src/libsystemd/sd-bus/sd-bus.c:2990
No locals.
#14 0x00007f6dba6f4318 in io_callback (s=<optimized out>, fd=<optimized out>, revents=<optimized out>, userdata=<optimized out>, s=<optimized out>, fd=<optimized out>, revents=<optimized out>, userdata=<optimized out>)
    at ../src/libsystemd/sd-bus/sd-bus.c:3341
        bus = 0x5580f7868c00
        r = <optimized out>
        _level = <optimized out>
        _e = <optimized out>
        _realm = <optimized out>
        bus = <optimized out>
        r = <optimized out>
        __PRETTY_FUNCTION__ = "io_callback"
        __func__ = "io_callback"
#15 0x00007f6dba6c4e50 in source_dispatch (s=s@entry=0x5580f7872b70) at ../src/libsystemd/sd-event/sd-event.c:2821
        saved_type = SOURCE_IO
        r = <optimized out>
        __PRETTY_FUNCTION__ = "source_dispatch"
        __func__ = "source_dispatch"
#16 0x00007f6dba6c5141 in sd_event_dispatch (e=e@entry=0x5580f7866e50) at ../src/libsystemd/sd-event/sd-event.c:3234
        ref = <optimized out>
        p = <optimized out>
        r = <optimized out>
        __PRETTY_FUNCTION__ = "sd_event_dispatch"
#17 0x00007f6dba6c5308 in sd_event_run (e=0x5580f7866e50, timeout=18446744073709551615) at ../src/libsystemd/sd-event/sd-event.c:3291
        r = 1
        __PRETTY_FUNCTION__ = "sd_event_run"
#18 0x00005580f5daa6ed in manager_run (m=0x5580f7865c50) at ../src/login/logind.c:1187
        r = <optimized out>
        r = <optimized out>
        __PRETTY_FUNCTION__ = <optimized out>
#19 run (argv=<optimized out>, argc=<optimized out>) at ../src/login/logind.c:1235
        m = <optimized out>
        r = <optimized out>
        m = <optimized out>
        r = <optimized out>
        __func__ = <optimized out>
        __PRETTY_FUNCTION__ = <optimized out>
        _level = <optimized out>
        _e = <optimized out>
        _realm = <optimized out>
        _level = <optimized out>
        _e = <optimized out>
        _realm = <optimized out>
        _level = <optimized out>
        _e = <optimized out>
        _realm = <optimized out>
        _level = <optimized out>
        _e = <optimized out>
        _realm = <optimized out>
        _level = <optimized out>
        _e = <optimized out>
        _realm = <optimized out>
        _level = <optimized out>
        _e = <optimized out>
        _realm = <optimized out>
#20 main (argc=<optimized out>, argv=<optimized out>) at ../src/login/logind.c:1245
        r = <optimized out>
(gdb) 
`---

We can see that the pid in the assert comes from the s->leader as
passed to manager_start_scope() in its pid argument. The s->leader
gets assigned in method_create_session(), via a session_set_leader()
call, after having been previously initialized as a stack variable
and validated.

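However, session_set_leader() can fail in its hashmap_put() call, and
the call site does not check the returned error code. Given pid=0 in
frame #3, such a failure presumably left s->leader unset, so the later
manager_start_scope() call tripped its "pid > 1" assertion and aborted
logind.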


Checking then upstream's master I noticed this has already been fixed
there! Attached the upstream patch fixing this. And I've set this only
as important, but it might deserve being serious perhaps? Up to you.

Thanks,
Guillem
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-login-add-a-missing-error-check-for-session_set_lead.patch
Type: text/x-diff
Size: 1017 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20190911/3422f054/attachment-0001.patch>

