On a system that has SELinux disabled and selinux-policy/selinux-policy-targeted not installed, if I ssh from a non-root user then ssh will SIGSEGV. An examination of the core generated shows:<br />
<br />
Program terminated with signal 11, Segmentation fault.<br />
#0 __strdup (s=0x3ff00000000 <Address 0x3ff00000000 out of bounds>) at<br />
strdup.c:42<br />
42 size_t len = strlen (s) + 1;<br />
(gdb) up<br />
#1 0x000003fffd285330 in selinux_trans_to_raw_context (<br />
trans=0x3ff00000000 <Address 0x3ff00000000 out of bounds>,<br />
rawp=0x3ffffe33ee8) at setrans_client.c:290<br />
290 *rawp = strdup(trans);<br />
(gdb) p trans<br />
$1 = 0x3ff00000000 <Address 0x3ff00000000 out of bounds><br />
(gdb) p rcontext<br />
$3 = (security_context_t) 0x3ff00000000 <Address 0x3ff00000000 out of<br />
bounds><br />
(gdb) up<br />
#3 0x000002aab834c156 in main (ac=<value optimized out>, av=<value<br />
optimized out>) at ssh.c:800<br />
800 setfscreatecon(scon);<br />
(gdb) p scon<br />
$4 = 0x3ff00000000 <Address 0x3ff00000000 out of bounds><br />
<br />
A look at the genesis of the call:<br />
<br />
<br />
791 * Now that we are back to our own permissions, create ~/.ssh<br />
792 * directory if it doesn't already exist.<br />
793 */<br />
794 r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir,<br />
795 strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);<br />
796 if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0) {<br />
797 char *scon;<br />
798 <br />
799 matchpathcon(buf, 0700, &scon);<br />
800 setfscreatecon(scon);<br />
<br />
scon is not initialized. When SELinux is disabled and there's no policy stuff installed, the value of scon is not set. If you are lucky, the value of scon will be NULL and things will proceed okay. However, if the value is not NULL, then it will be used as a pointer to a valid string and the crash will ensue as shown.<br />
<br />
I applied a patch to initialize this variable to NULL, rebuilt the package, and the problem disappeared.