Bug 409652 - xembedsniproxy segmentation faults in FdoSelectionManager::init when logging into Plasma on X after running scap-workbench remediation script
Summary: xembedsniproxy segmentation faults in FdoSelectionManager::init when logging ...
Status: RESOLVED FIXED
Alias: None
Product: plasmashell
Classification: Unclassified
Component: XembedSNIProxy
Version: 5.16.2
Platform: Fedora RPMs Linux
Importance: NOR crash
Target Milestone: 1.0
Assignee: Plasma Bugs List
URL: https://bugzilla.redhat.com/show_bug....
Keywords:
Depends on:
Blocks:
 
Reported: 2019-07-09 14:22 UTC by Matt Fagnani
Modified: 2019-10-10 14:43 UTC

See Also:
Latest Commit:
Version Fixed In: 5.17.1


Attachments

Description Matt Fagnani 2019-07-09 14:22:02 UTC
SUMMARY

I booted into a Fedora 30 KDE Plasma spin installation that was fully updated with updates-testing enabled. I logged into Plasma 5.15.5 from sddm 0.18.1. I ran scap-workbench with the PCI-DSS v3 Control Baseline for Fedora profile. I generated a remediation bash script in scap-workbench which I ran in konsole with sudo. There were two rules about failed logins which hadn't passed. 

Set Deny For Failed Password Attempts
xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:
add the following line immediately before the pam_unix.so statement in the AUTH section:
auth required pam_faillock.so preauth silent deny=6 unlock_time=1800 fail_interval=900
add the following line immediately after the pam_unix.so statement in the AUTH section:
auth [default=die] pam_faillock.so authfail deny=6 unlock_time=1800 fail_interval=900
add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
account required pam_faillock.so

Set Lockout Time for Failed Password Attempts
xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:
add the following line immediately before the pam_unix.so statement in the AUTH section:
auth required pam_faillock.so preauth silent deny=6 unlock_time=1800 fail_interval=900
add the following line immediately after the pam_unix.so statement in the AUTH section:
auth [default=die] pam_faillock.so authfail deny=6 unlock_time=1800 fail_interval=900
add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
account required pam_faillock.so

The remediation script changed settings about failed logins as described above. I rebooted. I saw a denial of systemd writing to /var/run/faillock each of the two times that I logged into Plasma on X from sddm.
type=AVC msg=audit(1561266957.146:283): avc:  denied  { write } for  pid=1171 comm="(systemd)" name="faillock" dev="tmpfs" ino=26855 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=0

The first time, Plasma didn't seem to finish loading properly, as it was stuck on the splash screen. After I shut down the system, I logged into Plasma, which started fine but with the same denial.

I ran the following from VT2 to allow the denial of systemd writing to faillock:
sudo ausearch -c '(systemd)' --raw | audit2allow -M my-systemd
sudo semodule -X 300 -i my-systemd.pp
sudo systemctl restart sddm
I logged into Plasma on X from sddm, which froze again. sudo ausearch -m AVC -ts today showed the following denial:
type=AVC msg=audit(1561271692.725:495): avc:  denied  { add_name } for  pid=4243 comm="(systemd)" name="sddm" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=0

I repeated the steps above twice, and each time Plasma on X got stuck on the splash screen. The following two denials were shown.
type=AVC msg=audit(1561271929.865:547): avc:  denied  { create } for  pid=4680 comm="(systemd)" name="sddm" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=0
type=AVC msg=audit(1561272064.759:593): avc:  denied  { setattr } for  pid=4973 comm="(systemd)" name="sddm" dev="tmpfs" ino=86576 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=0

The xembedsniproxy segmentation faults happened each time I repeated the steps above in VT2 and then logged into Plasma on X, which was stuck on the splash screen. A null pointer dereference happened three times in FdoSelectionManager::init at /usr/src/debug/plasma-workspace-5.15.5-1.fc30.x86_64/xembed-sni-proxy/fdoselectionmanager.cpp:69, which was:
   if (reply->present) {

The pointer reply was null as shown in the following gdb full trace of all threads from abrt.

Core was generated by `/usr/bin/xembedsniproxy'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  FdoSelectionManager::init (this=0x7ffc7aff2890) at /usr/src/debug/plasma-workspace-5.15.5-1.fc30.x86_64/xembed-sni-proxy/fdoselectionmanager.cpp:69
[Current thread is 1 (Thread 0x7efc35716140 (LWP 4906))]

Thread 1 (Thread 0x7efc35716140 (LWP 4906)):
#0  FdoSelectionManager::init (this=0x7ffc7aff2890) at /usr/src/debug/plasma-workspace-5.15.5-1.fc30.x86_64/xembed-sni-proxy/fdoselectionmanager.cpp:69
        c = 0x55f5114ffb60
        reply = 0x0
#1  0x00007efc34ee2596 in QtPrivate::QSlotObjectBase::call (a=0x7ffc7aff2460, r=<optimized out>, this=<optimized out>) at ../../include/QtCore/../../src/corelib/kernel/qobjectdefs_impl.h:394
No locals.
#2  QSingleShotTimer::timerEvent (this=0x55f511532260) at kernel/qtimer.cpp:318
        args = {0x0}
#3  0x00007efc34ed6b95 in QObject::event (this=0x55f511532260, e=<optimized out>) at kernel/qobject.cpp:1282
No locals.
#4  0x00007efc34eaba55 in doNotify (receiver=<optimized out>, event=<optimized out>) at ../../include/QtCore/../../src/corelib/kernel/qobject.h:142
No locals.
#5  0x00007efc34eabae8 in QCoreApplication::notifyInternal2 (receiver=0x55f511532260, event=0x7ffc7aff25b0) at kernel/qcoreapplication.cpp:1084
        selfRequired = true
        result = false
        cbdata = {0x55f511532260, 0x7ffc7aff25b0, 0x7ffc7aff253f}
        d = <optimized out>
        threadData = 0x55f5114ed560
        scopeLevelCounter = {threadData = 0x55f5114ed560}
#6  0x00007efc34effe93 in QTimerInfoList::activateTimers (this=this@entry=0x55f5115aa660) at kernel/qtimerinfo_unix.cpp:643
        e = {<QEvent> = {_vptr.QEvent = 0x7efc3515cc90 <vtable for QTimerEvent+16>, static staticMetaObject = {d = {superdata = 0x0, stringdata = 0x7efc350465e0 <qt_meta_stringdata_QEvent>, data = 0x7efc35046020 <qt_meta_data_QEvent>, static_metacall = 0x0, relatedMetaObjects = 0x0, extradata = 0x0}}, d = 0x0, t = 1, posted = 0, spont = 0, m_accept = 1, reserved = 555}, id = 1}
        currentTimerInfo = 0x0
        n_act = 0
        maxCount = 0
        currentTime = {tv_sec = 5157, tv_nsec = 28664691}
#7  0x00007efc34f0074c in timerSourceDispatch (source=source@entry=0x55f5115aa600) at kernel/qeventdispatcher_glib.cpp:182
        timerSource = 0x55f5115aa600
#8  0x00007efc3358eedd in g_main_dispatch (context=0x7efc1c004fd0) at ../glib/gmain.c:3189
        dispatch = <optimized out>
        prev_source = 0x0
        was_in_call = <optimized out>
        user_data = 0x0
        callback = 0x0
        cb_funcs = 0x0
        cb_data = 0x0
        need_destroy = <optimized out>
        source = 0x55f5115aa600
        current = 0x55f5115add50
        i = 1
        __FUNCTION__ = "g_main_dispatch"
#9  g_main_context_dispatch (context=context@entry=0x7efc1c004fd0) at ../glib/gmain.c:3854
No locals.
#10 0x00007efc3358f270 in g_main_context_iterate (context=context@entry=0x7efc1c004fd0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:3927
        max_priority = 0
        timeout = 0
        some_ready = 1
        nfds = <optimized out>
        allocated_nfds = <optimized out>
        fds = 0x55f5115ae270
#11 0x00007efc3358f313 in g_main_context_iteration (context=0x7efc1c004fd0, may_block=may_block@entry=1) at ../glib/gmain.c:3988
        retval = <optimized out>
#12 0x00007efc34f00bd5 in QEventDispatcherGlib::processEvents (this=0x55f5114f1790, flags=...) at kernel/qeventdispatcher_glib.cpp:422
        d = 0x55f5115af940
        canWait = true
        savedFlags = {i = 0}
        result = <optimized out>
#13 0x00007efc34eaa9eb in QEventLoop::exec (this=this@entry=0x7ffc7aff2800, flags=..., flags@entry=...) at ../../include/QtCore/../../src/corelib/global/qflags.h:140
        d = 0x55f5115afc20
        locker = {val = 94511045727856}
        ref = {d = 0x55f5115afc20, locker = @0x7ffc7aff2788, exceptionCaught = true}
        app = <optimized out>
#14 0x00007efc34eb2726 in QCoreApplication::exec () at ../../include/QtCore/../../src/corelib/global/qflags.h:120
        threadData = 0x55f5114ed560
        eventLoop = {<QObject> = {_vptr.QObject = 0x7efc3515ca28 <vtable for QEventLoop+16>, static staticMetaObject = {d = {superdata = 0x0, stringdata = 0x7efc3504b300 <qt_meta_stringdata_QObject>, data = 0x7efc3504b1e0 <qt_meta_data_QObject>, static_metacall = 0x7efc34eddfe0 <QObject::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, d_ptr = {d = 0x55f5115afc20}, static staticQtMetaObject = {d = {superdata = 0x0, stringdata = 0x7efc3504e220 <qt_meta_stringdata_Qt>, data = 0x7efc3504b420 <qt_meta_data_Qt>, static_metacall = 0x0, relatedMetaObjects = 0x0, extradata = 0x0}}}, static staticMetaObject = {d = {superdata = 0x7efc35154fe0 <QObject::staticMetaObject>, stringdata = 0x7efc350456a0 <qt_meta_stringdata_QEventLoop>, data = 0x7efc35045640 <qt_meta_data_QEventLoop>, static_metacall = 0x7efc34eaa700 <QEventLoop::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}}
        returnCode = <optimized out>
#15 0x00007efc35276240 in QGuiApplication::exec () at kernel/qguiapplication.cpp:1784
No locals.
#16 0x000055f510722ba1 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/plasma-workspace-5.15.5-1.fc30.x86_64/xembed-sni-proxy/main.cpp:68
        app = {<QCoreApplication> = {<QObject> = {_vptr.QObject = 0x7efc35689d70 <vtable for QGuiApplication+16>, static staticMetaObject = {d = {superdata = 0x0, stringdata = 0x7efc3504b300 <qt_meta_stringdata_QObject>, data = 0x7efc3504b1e0 <qt_meta_data_QObject>, static_metacall = 0x7efc34eddfe0 <QObject::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, d_ptr = {d = 0x55f5114ed430}, static staticQtMetaObject = {d = {superdata = 0x0, stringdata = 0x7efc3504e220 <qt_meta_stringdata_Qt>, data = 0x7efc3504b420 <qt_meta_data_Qt>, static_metacall = 0x0, relatedMetaObjects = 0x0, extradata = 0x0}}}, static staticMetaObject = {d = {superdata = 0x7efc35154fe0 <QObject::staticMetaObject>, stringdata = 0x7efc35045d40 <qt_meta_stringdata_QCoreApplication>, data = 0x7efc35045c20 <qt_meta_data_QCoreApplication>, static_metacall = 0x7efc34ead580 <QCoreApplication::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, static self = 0x7ffc7aff2880}, static staticMetaObject = {d = {superdata = 0x7efc3515cbc0 <QCoreApplication::staticMetaObject>, stringdata = 0x7efc355b0e80 <qt_meta_stringdata_QGuiApplication>, data = 0x7efc355b0c00 <qt_meta_data_QGuiApplication>, static_metacall = 0x7efc35276d00 <QGuiApplication::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}}
        disableSessionManagement = <optimized out>
        manager = {<QObject> = {_vptr.QObject = 0x55f510731328 <vtable for FdoSelectionManager+16>, static staticMetaObject = {d = {superdata = 0x0, stringdata = 0x7efc3504b300 <qt_meta_stringdata_QObject>, data = 0x7efc3504b1e0 <qt_meta_data_QObject>, static_metacall = 0x7efc34eddfe0 <QObject::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, d_ptr = {d = 0x55f5115ac120}, static staticQtMetaObject = {d = {superdata = 0x0, stringdata = 0x7efc3504e220 <qt_meta_stringdata_Qt>, data = 0x7efc3504b420 <qt_meta_data_Qt>, static_metacall = 0x0, relatedMetaObjects = 0x0, extradata = 0x0}}}, <QAbstractNativeEventFilter> = {_vptr.QAbstractNativeEventFilter = 0x55f5107313a0 <vtable for FdoSelectionManager+136>, d = 0x1}, static staticMetaObject = {d = {superdata = 0x7efc35154fe0 <QObject::staticMetaObject>, stringdata = 0x55f51072c620 <qt_meta_stringdata_FdoSelectionManager>, data = 0x55f51072c580 <qt_meta_data_FdoSelectionManager>, static_metacall = 0x55f510723270 <FdoSelectionManager::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, m_damageEventBase = 0 '\000', m_damageWatches = {{d = 0x7efc34f80a00 <QHashData::shared_null>, e = 0x7efc34f80a00 <QHashData::shared_null>}}, m_proxies = {{d = 0x7efc34f80a00 <QHashData::shared_null>, e = 0x7efc34f80a00 <QHashData::shared_null>}}, m_selectionOwner = 0x55f5115acdd0}
        rc = <optimized out>

Thread 2 (Thread 0x7efc243f6700 (LWP 5217)):
#0  0x00007efc348310d4 in ?? () from /lib64/libdbus-1.so.3
No symbol table info available.
#1  0x00007efc34820ff0 in ?? () from /lib64/libdbus-1.so.3
No symbol table info available.
#2  0x00007efc1c00a3e8 in ?? ()
No symbol table info available.
#3  0x00007efc1c00a180 in ?? ()
No symbol table info available.
#4  0x0000000000000005 in ?? ()
No symbol table info available.
#5  0x00007efc357a0abc in q_dbus_message_unref (message=<optimized out>) at qdbus_symbols_p.h:411
No locals.
#6  QDBusMessagePrivate::~QDBusMessagePrivate (this=0x7efc1c009050, __in_chrg=<optimized out>) at qdbusmessage.cpp:81
No locals.
#7  0x00007efc357a0cd1 in QDBusMessage::~QDBusMessage (this=<optimized out>, __in_chrg=<optimized out>) at qdbusmessage.cpp:575
No locals.
#8  QDBusMessage::~QDBusMessage (this=<optimized out>, __in_chrg=<optimized out>) at qdbusmessage.cpp:572
No locals.
#9  0x00007efc3579f1cc in QVector<QDBusMessage>::destruct (this=<optimized out>, to=<optimized out>, from=0x7efc1c00a3f0) at ../../include/QtCore/../../src/corelib/tools/qvector.h:347
No locals.
#10 QVector<QDBusMessage>::reallocData (this=this@entry=0x7efc1c001448, asize=asize@entry=0, aalloc=5, options=..., options@entry=...) at ../../include/QtCore/../../src/corelib/tools/qvector.h:625
        x = 0x7efc1c00a3d0
        isShared = <optimized out>
#11 0x00007efc35799f23 in QVector<QDBusMessage>::resize (asize=0, this=0x7efc1c001448) at ../../include/QtCore/../../src/corelib/tools/qvector.h:425
        newAlloc = <optimized out>
        oldAlloc = <optimized out>
        opt = <optimized out>
#12 QVector<QDBusMessage>::clear (this=0x7efc1c001448) at ../../include/QtCore/../../src/corelib/tools/qvector.h:426
No locals.
#13 QDBusConnectionPrivate::doDispatch (this=0x7efc1c0013f0) at qdbusintegrator.cpp:1193
        it = 0x7efc1c00a3f0
        end = 0x7efc1c00a3f0
#14 QDBusConnectionPrivate::doDispatch (this=0x7efc1c0013f0) at qdbusintegrator.cpp:1181
        it = <optimized out>
        end = <optimized out>
#15 0x00007efc34ed6bfa in QObject::event (this=0x7efc1c0013f0, e=<optimized out>) at kernel/qobject.cpp:1260
        mce = <optimized out>
        sw = {receiver = 0x7efc1c0013f0, previousSender = 0x0, currentSender = {sender = 0x7efc1c0013f0, signal = 3, ref = 1}, switched = true}
#16 0x00007efc34eaba55 in doNotify (receiver=<optimized out>, event=<optimized out>) at ../../include/QtCore/../../src/corelib/kernel/qobject.h:142
No locals.
#17 0x00007efc34eabb61 in QCoreApplication::notifyInternal2 (receiver=0x7efc1c0013f0, event=0x55f5115ae620) at kernel/qcoreapplication.cpp:1083
        selfRequired = false
        result = false
        cbdata = {0x7efc1c0013f0, 0x55f5115ae620, 0x7efc243f5a8f}
        d = <optimized out>
        threadData = 0x55f5115ad7b0
        scopeLevelCounter = {threadData = 0x55f5115ad7b0}
#18 0x00007efc34eaea93 in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x55f5115ad7b0) at kernel/qcoreapplication.cpp:1821
        e = 0x55f5115ae620
        pe = <optimized out>
        r = <optimized out>
        unlocker = {m = <synthetic pointer><error reading variable>}
        event_deleter = {d = 0x55f5115ae620}
        locker = {val = 94511046514656}
        startOffset = 0
        i = @0x55f5115ad7d4: 1
        cleanup = <optimized out>
#19 0x00007efc34f00e47 in postEventSourceDispatch (s=s@entry=0x7efc1c005110) at kernel/qeventdispatcher_glib.cpp:276
        source = 0x7efc1c005110
#20 0x00007efc3358eedd in g_main_dispatch (context=0x7efc1c001620) at ../glib/gmain.c:3189
        dispatch = <optimized out>
        prev_source = 0x0
        was_in_call = <optimized out>
        user_data = 0x0
        callback = 0x0
        cb_funcs = 0x0
        cb_data = 0x0
        need_destroy = <optimized out>
        source = 0x7efc1c005110
        current = 0x7efc1c0013d0
        i = 0
        __FUNCTION__ = "g_main_dispatch"
#21 g_main_context_dispatch (context=context@entry=0x7efc1c001620) at ../glib/gmain.c:3854
No locals.
#22 0x00007efc3358f270 in g_main_context_iterate (context=context@entry=0x7efc1c001620, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:3927
        max_priority = 0
        timeout = 0
        some_ready = 1
        nfds = <optimized out>
        allocated_nfds = <optimized out>
        fds = 0x7efc1c000b20
#23 0x00007efc3358f313 in g_main_context_iteration (context=0x7efc1c001620, may_block=may_block@entry=1) at ../glib/gmain.c:3988
        retval = <optimized out>
#24 0x00007efc34f00bd5 in QEventDispatcherGlib::processEvents (this=0x7efc1c005350, flags=...) at kernel/qeventdispatcher_glib.cpp:422
        d = 0x7efc1c005230
        canWait = true
        savedFlags = {i = 0}
        result = <optimized out>
#25 0x00007efc34eaa9eb in QEventLoop::exec (this=this@entry=0x7efc243f5d70, flags=..., flags@entry=...) at ../../include/QtCore/../../src/corelib/global/qflags.h:140
        d = 0x7efc1c001a00
        locker = {val = 94511045939536}
        ref = {d = 0x7efc1c001a00, locker = @0x7efc243f5cf8, exceptionCaught = true}
        app = <optimized out>
#26 0x00007efc34d03635 in QThread::exec (this=this@entry=0x7efc3580a060 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at ../../include/QtCore/../../src/corelib/global/qflags.h:120
        d = 0x55f5115210e0
        locker = {val = 94511045939536}
        eventLoop = {<QObject> = {_vptr.QObject = 0x7efc3515ca28 <vtable for QEventLoop+16>, static staticMetaObject = {d = {superdata = 0x0, stringdata = 0x7efc3504b300 <qt_meta_stringdata_QObject>, data = 0x7efc3504b1e0 <qt_meta_data_QObject>, static_metacall = 0x7efc34eddfe0 <QObject::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, d_ptr = {d = 0x7efc1c001a00}, static staticQtMetaObject = {d = {superdata = 0x0, stringdata = 0x7efc3504e220 <qt_meta_stringdata_Qt>, data = 0x7efc3504b420 <qt_meta_data_Qt>, static_metacall = 0x0, relatedMetaObjects = 0x0, extradata = 0x0}}}, static staticMetaObject = {d = {superdata = 0x7efc35154fe0 <QObject::staticMetaObject>, stringdata = 0x7efc350456a0 <qt_meta_stringdata_QEventLoop>, data = 0x7efc35045640 <qt_meta_data_QEventLoop>, static_metacall = 0x7efc34eaa700 <QEventLoop::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}}
        returnCode = <optimized out>
#27 0x00007efc35786f4a in QDBusConnectionManager::run (this=0x7efc3580a060 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at qdbusconnection.cpp:178
        locker = <optimized out>
#28 0x00007efc34d04786 in QThreadPrivate::start (arg=0x7efc3580a060 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at thread/qthread_unix.cpp:361
        thr = 0x7efc3580a060 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>
        data = <optimized out>
        __clframe = {__cancel_routine = 0x7efc34d03ec0 <QThreadPrivate::finish(void*)>, __cancel_arg = 0x7efc3580a060 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>, __do_it = 1, __cancel_type = <optimized out>}
#29 0x00007efc3485f5a2 in start_thread (arg=<optimized out>) at pthread_create.c:486
        ret = <optimized out>
        pd = <optimized out>
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139621404993280, -2556210932581858783, 140722372027838, 140722372027839, 140722372028032, 139621404991232, 2413590535890338337, 2413624529180885537}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
#30 0x00007efc3497a303 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
No locals.

STEPS TO REPRODUCE
1. boot into a Fedora 30 KDE Plasma spin installation fully updated with updates-testing enabled
2. log into Plasma 5.15.5 from sddm 0.18.1
3. if scap-workbench isn't installed, sudo dnf install scap-workbench
4. run scap-workbench 
5. scan with the PCI-DSS v3 Control Baseline for Fedora profile
6. generate a remediation bash script in scap-workbench called pci-dss-remediation-1.sh
7. sudo ./pci-dss-remediation-1.sh (in konsole)
8. reboot 
9. log into Plasma on X from sddm
10. switch to VT2 with ctrl+alt+f2
11. sudo ausearch -c '(systemd)' --raw | audit2allow -M my-systemd
12. sudo semodule -X 300 -i my-systemd.pp
13. sudo systemctl restart sddm
14. sudo ausearch -m AVC -ts today
15. repeat 9-14 twice
16. coredumpctl
17. coredumpctl debug
18. gnome-abrt


OBSERVED RESULT
xembedsniproxy segmentation faults in FdoSelectionManager::init when logging into Plasma on X after running scap-workbench remediation script

EXPECTED RESULT
No xembedsniproxy segmentation faults

SOFTWARE/OS VERSIONS 
Linux/KDE Plasma: Fedora 30
(available in About System)
KDE Plasma Version: 5.15.5
KDE Frameworks Version: 5.59.0
Qt Version: 5.12.1

ADDITIONAL INFORMATION

I didn't see more denials after that. The my-systemd.te module had the following rules.
allow init_t faillog_t:dir { add_name write };
allow init_t faillog_t:file { create setattr };

I reported the systemd denials at https://bugzilla.redhat.com/show_bug.cgi?id=1723132 and these crashes at https://bugzilla.redhat.com/show_bug.cgi?id=1728265
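As an added illustration, not part of the report and not audit2allow's own code, the C program below reconstructs the step the reporter ran with `ausearch | audit2allow`: it parses the four AVC records quoted above (embedded here as constructed sample input copied from the report), groups the denied permissions by source type, target type and object class, and prints one allow rule per group, which is how the two lines of my-systemd.te shown above come about. The field-extraction helpers (`avc_field`, `avc_perm`, `context_type`) and the `derived_rule` wrappers are this example's own; real audit2allow additionally handles booleans, interfaces and macros, which this does not. From a hardening standpoint the rules are worth reading before they are loaded: type enforcement grants `init_t` write access to every directory labelled `faillog_t`, not only to /var/run/faillock.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RULES 16
#define MAX_PERMS 16

/* Constructed sample input: the four AVC records quoted in the report above. */
static const char *kAvcLines[] = {
    "type=AVC msg=audit(1561266957.146:283): avc:  denied  { write } for  pid=1171 comm=\"(systemd)\" name=\"faillock\" dev=\"tmpfs\" ino=26855 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=0",
    "type=AVC msg=audit(1561271692.725:495): avc:  denied  { add_name } for  pid=4243 comm=\"(systemd)\" name=\"sddm\" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=0",
    "type=AVC msg=audit(1561271929.865:547): avc:  denied  { create } for  pid=4680 comm=\"(systemd)\" name=\"sddm\" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=0",
    "type=AVC msg=audit(1561272064.759:593): avc:  denied  { setattr } for  pid=4973 comm=\"(systemd)\" name=\"sddm\" dev=\"tmpfs\" ino=86576 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=0",
};
static const int kAvcCount = 4;

struct rule {
    char src[64];              /* source type, e.g. init_t */
    char tgt[64];              /* target type, e.g. faillog_t */
    char cls[32];              /* object class, e.g. dir */
    char perms[MAX_PERMS][32]; /* distinct permissions denied for this triple */
    int nperms;
};

/* Copy the value of "key=value" (terminated by a space or end of line).
   The key is matched with a leading space so "scontext=" never matches
   inside "tcontext=". Returns 1 on success, 0 if the key is absent. */
static int avc_field(const char *line, const char *key, char *out, size_t n)
{
    char pat[64];
    snprintf(pat, sizeof pat, " %s=", key);
    const char *p = strstr(line, pat);
    if (!p) return 0;
    p += strlen(pat);
    size_t len = strcspn(p, " ");
    if (len >= n) len = n - 1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

/* The denied permission sits between "{ " and " }" in an AVC record. */
static int avc_perm(const char *line, char *out, size_t n)
{
    const char *p = strstr(line, "{ ");
    if (!p) return 0;
    p += 2;
    const char *e = strstr(p, " }");
    if (!e) return 0;
    size_t len = (size_t)(e - p);
    if (len >= n) len = n - 1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

/* A context is user:role:type:level; the third field is the type. */
static int context_type(const char *ctx, char *out, size_t n)
{
    const char *p = ctx;
    for (int i = 0; i < 2; i++) {
        p = strchr(p, ':');
        if (!p) return 0;
        p++;
    }
    size_t len = strcspn(p, ":");
    if (len >= n) len = n - 1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

static int cmp_perm(const void *a, const void *b)
{
    return strcmp((const char *)a, (const char *)b);
}

/* Aggregate AVC records into one rule per (src, tgt, class); malformed
   records are skipped rather than producing a half-filled rule. */
static int build_rules(const char **lines, int count, struct rule *rules, int max)
{
    int nrules = 0;
    for (int i = 0; i < count; i++) {
        char sctx[128], tctx[128], src[64], tgt[64], cls[32], perm[32];
        if (!avc_field(lines[i], "scontext", sctx, sizeof sctx) ||
            !avc_field(lines[i], "tcontext", tctx, sizeof tctx) ||
            !avc_field(lines[i], "tclass", cls, sizeof cls) ||
            !avc_perm(lines[i], perm, sizeof perm) ||
            !context_type(sctx, src, sizeof src) ||
            !context_type(tctx, tgt, sizeof tgt))
            continue;
        struct rule *r = NULL;
        for (int j = 0; j < nrules; j++)
            if (!strcmp(rules[j].src, src) && !strcmp(rules[j].tgt, tgt) &&
                !strcmp(rules[j].cls, cls))
                r = &rules[j];
        if (!r) {
            if (nrules == max) break;
            r = &rules[nrules++];
            memset(r, 0, sizeof *r);
            strcpy(r->src, src);
            strcpy(r->tgt, tgt);
            strcpy(r->cls, cls);
        }
        int dup = 0;
        for (int j = 0; j < r->nperms; j++)
            if (!strcmp(r->perms[j], perm)) dup = 1;
        if (!dup && r->nperms < MAX_PERMS)
            strcpy(r->perms[r->nperms++], perm);
    }
    /* audit2allow lists permissions alphabetically; do the same. */
    for (int j = 0; j < nrules; j++)
        qsort(rules[j].perms, (size_t)rules[j].nperms, sizeof rules[j].perms[0], cmp_perm);
    return nrules;
}

/* Render a rule in policy-source syntax, e.g. "allow init_t faillog_t:dir { add_name write };" */
static void format_rule(const struct rule *r, char *out, size_t n)
{
    int len = snprintf(out, n, "allow %s %s:%s {", r->src, r->tgt, r->cls);
    for (int j = 0; j < r->nperms && (size_t)len < n; j++)
        len += snprintf(out + len, n - (size_t)len, " %s", r->perms[j]);
    if ((size_t)len < n)
        snprintf(out + len, n - (size_t)len, " };");
}

/* Wrappers over the constructed sample so results can be inspected by index. */
static struct rule g_rules[MAX_RULES];
static char g_line[256];

int derived_rule_count(void)
{
    return build_rules(kAvcLines, kAvcCount, g_rules, MAX_RULES);
}

const char *derived_rule(int idx)
{
    int n = derived_rule_count();
    if (idx < 0 || idx >= n) return "";
    format_rule(&g_rules[idx], g_line, sizeof g_line);
    return g_line;
}

int main(void)
{
    int n = derived_rule_count();
    for (int i = 0; i < n; i++)
        puts(derived_rule(i));
    return 0;
}
```

Compile with `cc -std=c99 -Wall avc_rules.c` and run; the two printed lines are the same rules the reporter found in my-systemd.te.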
Comment 1 Matt Fagnani 2019-07-25 23:16:46 UTC
Qt Version: 5.12.4
Frameworks Version: 5.59.0
Operating System: Linux 5.3.0-0.rc1.git1.1.fc31.x86_64 x86_64
Distribution (Platform): Fedora RPMs

-- Information about the crash:
- What I was doing when the application crashed:

I booted into the Fedora Rawhide/31 KDE Plasma spin image Fedora-KDE-Live-x86_64-Rawhide-20190724.n.0.iso at
https://koji.fedoraproject.org/koji/buildinfo?buildID=1319740

I ran sudo dnf install x*amd* kwin*way* pla*way*
kwayland-integration-5.16.2-1.fc31.x86_64     
kwin-wayland-5.16.2-1.fc31.x86_64             
plasma-workspace-wayland-5.16.2-2.fc31.x86_64 
xorg-x11-drv-amdgpu-19.0.1-1.fc31.x86_64      
xorg-x11-server-Xwayland-1.20.5-5.fc31.x86_64 

I logged out of Plasma. I switched to VT2 then I ran sudo systemctl restart sddm. Plasma on X logged in automatically but Plasma froze on the splash screen. I ran sudo systemctl stop sddm in VT2. xembedsniproxy from plasma-workspace-5.16.2 had a segmentation fault in FdoSelectionManager::init at /usr/src/debug/plasma-workspace-5.16.2-2.fc31.x86_64/xembed-sni-proxy/fdoselectionmanager.cpp:69
69          if (reply->present) {

The crash had a similar trace using coredumpctl gdb as I reported before. The pointer reply was null so reply->present looks like a null pointer dereference. I'm unsure if the xembedsniproxy crash happened right before or after I ran startplasmacompositor & from VT2 based on the journal. Plasma on Wayland started, but drkonqi showed a segmentation fault in plasmashell which I reported in bug 410211. I installed the plasma-workspaces and qt5-qtbase debugging rpms. 

(gdb) thread apply all bt full

Thread 2 (Thread 0x7f1a4c646700 (LWP 3717)):
#0  0x00007f1a5cbed79f in poll () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f1a5b8202ee in g_main_context_iterate.isra () from /lib64/libglib-2.0.so.0
No symbol table info available.
#2  0x00007f1a5b820423 in g_main_context_iteration () from /lib64/libglib-2.0.so.0
No symbol table info available.
#3  0x00007f1a5d180bb5 in QEventDispatcherGlib::processEvents (this=0x7f1a440018e0, flags=...) at kernel/qeventdispatcher_glib.cpp:422
        d = 0x7f1a44005250
        canWait = true
        savedFlags = {i = 0}
        result = <optimized out>
#4  0x00007f1a5d12a9db in QEventLoop::exec (this=this@entry=0x7f1a4c645d70, flags=..., flags@entry=...) at ../../include/QtCore/../../src/corelib/global/qflags.h:140
        d = 0x7f1a440065f0
        locker = {val = 94273122388240}
        ref = <optimized out>
        app = <optimized out>
#5  0x00007f1a5cf83625 in QThread::exec (this=this@entry=0x7f1a5da82060 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at ../../include/QtCore/../../src/corelib/global/qflags.h:120
        d = 0x55bdabf8c8a0
        locker = {val = 94273122388240}
        eventLoop = {<QObject> = {_vptr.QObject = 0x7f1a5d3dba28 <vtable for QEventLoop+16>, static staticMetaObject = {d = {superdata = 0x0, stringdata = 0x7f1a5d2cb300 <qt_meta_stringdata_QObject>, data = 0x7f1a5d2cb1e0 <qt_meta_data_QObject>, static_metacall = 0x7f1a5d15dfc0 <QObject::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, d_ptr = {d = 0x7f1a440065f0}, static staticQtMetaObject = {d = {superdata = 0x0, stringdata = 0x7f1a5d2ce220 <qt_meta_stringdata_Qt>, data = 0x7f1a5d2cb420 <qt_meta_data_Qt>, static_metacall = 0x0, relatedMetaObjects = 0x0, extradata = 0x0}}}, static staticMetaObject = {d = {superdata = 0x7f1a5d3d3fe0 <QObject::staticMetaObject>, stringdata = 0x7f1a5d2c56a0 <qt_meta_stringdata_QEventLoop>, data = 0x7f1a5d2c5640 <qt_meta_data_QEventLoop>, static_metacall = 0x7f1a5d12a6f0 <QEventLoop::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}}
        returnCode = <optimized out>
#6  0x00007f1a5d9fef4a in QDBusConnectionManager::run (this=0x7f1a5da82060 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at qdbusconnection.cpp:178
        locker = <optimized out>
#7  0x00007f1a5cf84776 in QThreadPrivate::start (arg=0x7f1a5da82060 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at thread/qthread_unix.cpp:361
        thr = 0x7f1a5da82060 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>
        data = <optimized out>
        __clframe = {__cancel_routine = 0x7f1a5cf83eb0 <QThreadPrivate::finish(void*)>, __cancel_arg = 0x7f1a5da82060 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>, __do_it = 1, __cancel_type = <optimized out>}
#8  0x00007f1a5cad84e2 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#9  0x00007f1a5cbf8333 in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 1 (Thread 0x7f1a5d98bc80 (LWP 3468)):
#0  FdoSelectionManager::init (this=0x7ffda0c272b0) at /usr/src/debug/plasma-workspace-5.16.2-2.fc31.x86_64/xembed-sni-proxy/fdoselectionmanager.cpp:69
        c = 0x55bdabee0c00
        reply = 0x0
#1  0x00007f1a5d162576 in QtPrivate::QSlotObjectBase::call (a=0x7ffda0c26e90, r=<optimized out>, this=<optimized out>) at ../../include/QtCore/../../src/corelib/kernel/qobjectdefs_impl.h:394
No locals.
#2  QSingleShotTimer::timerEvent (this=0x55bdabf51350) at kernel/qtimer.cpp:318
        args = {0x0}
#3  0x00007f1a5d156b75 in QObject::event (this=0x55bdabf51350, e=<optimized out>) at kernel/qobject.cpp:1282
No locals.
#4  0x00007f1a5d12ba45 in doNotify (receiver=<optimized out>, event=<optimized out>) at ../../include/QtCore/../../src/corelib/kernel/qobject.h:142
No locals.
#5  0x00007f1a5d12bad8 in QCoreApplication::notifyInternal2 (receiver=0x55bdabf51350, event=0x7ffda0c26fe0) at kernel/qcoreapplication.cpp:1084
        selfRequired = true
        result = false
        cbdata = {0x55bdabf51350, 0x7ffda0c26fe0, 0x7ffda0c26f6f}
        d = <optimized out>
        threadData = 0x55bdabece5a0
        scopeLevelCounter = {threadData = 0x55bdabece5a0}
#6  0x00007f1a5d17fe73 in QTimerInfoList::activateTimers (this=0x55bdabf8a6d0) at kernel/qtimerinfo_unix.cpp:643
        e = {<QEvent> = {_vptr.QEvent = 0x7f1a5d3dbc90 <vtable for QTimerEvent+16>, static staticMetaObject = {d = {superdata = 0x0, stringdata = 0x7f1a5d2c65e0 <qt_meta_stringdata_QEvent>, data = 0x7f1a5d2c6020 <qt_meta_data_QEvent>, static_metacall = 0x0, relatedMetaObjects = 0x0, extradata = 0x0}}, d = 0x0, t = 1, posted = 0, spont = 0, m_accept = 1, reserved = 5503}, id = 1}
        currentTimerInfo = 0x0
        n_act = 0
        maxCount = 0
        currentTime = {tv_sec = 758, tv_nsec = 21159576}
#7  0x00007f1a5d18072c in timerSourceDispatch (source=<optimized out>) at kernel/qeventdispatcher_glib.cpp:182
        timerSource = <optimized out>
#8  0x00007f1a5b81ffed in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
No symbol table info available.
#9  0x00007f1a5b820380 in g_main_context_iterate.isra () from /lib64/libglib-2.0.so.0
No symbol table info available.
#10 0x00007f1a5b820423 in g_main_context_iteration () from /lib64/libglib-2.0.so.0
No symbol table info available.
#11 0x00007f1a5d180bb5 in QEventDispatcherGlib::processEvents (this=0x55bdabed2610, flags=...) at kernel/qeventdispatcher_glib.cpp:422
        d = 0x55bdabf8feb0
        canWait = true
        savedFlags = {i = 0}
        result = <optimized out>
#12 0x00007f1a5d12a9db in QEventLoop::exec (this=this@entry=0x7ffda0c27220, flags=..., flags@entry=...) at ../../include/QtCore/../../src/corelib/global/qflags.h:140
        d = 0x55bdabf8fac0
        locker = {val = 94273121609392}
        ref = <optimized out>
        app = <optimized out>
#13 0x00007f1a5d132706 in QCoreApplication::exec () at ../../include/QtCore/../../src/corelib/global/qflags.h:120
        threadData = 0x55bdabece5a0
        eventLoop = {<QObject> = {_vptr.QObject = 0x7f1a5d3dba28 <vtable for QEventLoop+16>, static staticMetaObject = {d = {superdata = 0x0, stringdata = 0x7f1a5d2cb300 <qt_meta_stringdata_QObject>, data = 0x7f1a5d2cb1e0 <qt_meta_data_QObject>, static_metacall = 0x7f1a5d15dfc0 <QObject::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, d_ptr = {d = 0x55bdabf8fac0}, static staticQtMetaObject = {d = {superdata = 0x0, stringdata = 0x7f1a5d2ce220 <qt_meta_stringdata_Qt>, data = 0x7f1a5d2cb420 <qt_meta_data_Qt>, static_metacall = 0x0, relatedMetaObjects = 0x0, extradata = 0x0}}}, static staticMetaObject = {d = {superdata = 0x7f1a5d3d3fe0 <QObject::staticMetaObject>, stringdata = 0x7f1a5d2c56a0 <qt_meta_stringdata_QEventLoop>, data = 0x7f1a5d2c5640 <qt_meta_data_QEventLoop>, static_metacall = 0x7f1a5d12a6f0 <QEventLoop::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}}
        returnCode = <optimized out>
#14 0x000055bdaba71ba1 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/plasma-workspace-5.16.2-2.fc31.x86_64/xembed-sni-proxy/main.cpp:68
        app = <incomplete type>
        disableSessionManagement = <optimized out>
        manager = {<QObject> = {_vptr.QObject = 0x55bdaba80328 <vtable for FdoSelectionManager+16>, static staticMetaObject = {d = {superdata = 0x0, stringdata = 0x7f1a5d2cb300 <qt_meta_stringdata_QObject>, data = 0x7f1a5d2cb1e0 <qt_meta_data_QObject>, static_metacall = 0x7f1a5d15dfc0 <QObject::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, d_ptr = {d = 0x55bdabf8dc20}, static staticQtMetaObject = {d = {superdata = 0x0, stringdata = 0x7f1a5d2ce220 <qt_meta_stringdata_Qt>, data = 0x7f1a5d2cb420 <qt_meta_data_Qt>, static_metacall = 0x0, relatedMetaObjects = 0x0, extradata = 0x0}}}, <QAbstractNativeEventFilter> = {_vptr.QAbstractNativeEventFilter = 0x55bdaba803a0 <vtable for FdoSelectionManager+136>, d = 0x7f1a5cb830c4 <malloc+116>}, static staticMetaObject = {d = {superdata = 0x7f1a5d3d3fe0 <QObject::staticMetaObject>, stringdata = 0x55bdaba7b620 <qt_meta_stringdata_FdoSelectionManager>, data = 0x55bdaba7b580 <qt_meta_data_FdoSelectionManager>, static_metacall = 0x55bdaba72270 <FdoSelectionManager::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, m_damageEventBase = 1 '\001', m_damageWatches = {{d = 0x7f1a5d200a00 <QHashData::shared_null>, e = 0x7f1a5d200a00 <QHashData::shared_null>}}, m_proxies = {{d = 0x7f1a5d200a00 <QHashData::shared_null>, e = 0x7f1a5d200a00 <QHashData::shared_null>}}, m_selectionOwner = 0x55bdabf8d6c0}
        rc = <optimized out>
Comment 2 Konrad Materka 2019-10-09 12:04:31 UTC
Patch:
https://phabricator.kde.org/D24514
Comment 3 Nate Graham 2019-10-10 14:43:15 UTC
Git commit 741441765601c00cb84ecb7fa7b38e69d185f51a by Nate Graham, on behalf of Konrad Materka.
Committed on 10/10/2019 at 14:42.
Pushed by ngraham into branch 'Plasma/5.17'.

[XembedSNIProxy] Do not crash on null pointer

Summary:
XCB may return null pointer as a response. Add a check to prevent
segmentation fault.
FIXED-IN: 5.17.1

Test Plan: It is hard to reproduce, but the reason of the segmentation fault is pretty obvious, thanks to the debug dump from bug 409652

Reviewers: #plasma_workspaces, #plasma, davidedmundson

Reviewed By: #plasma_workspaces, #plasma, davidedmundson

Subscribers: ngraham, plasma-devel

Tags: #plasma

Differential Revision: https://phabricator.kde.org/D24514

M  +11   -11   xembed-sni-proxy/fdoselectionmanager.cpp
M  +2    -3    xembed-sni-proxy/fdoselectionmanager.h

https://commits.kde.org/plasma-workspace/741441765601c00cb84ecb7fa7b38e69d185f51a
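The fix above is visible here only through its commit message and file list, so the following C example, written for this page and not taken from plasma-workspace, shows the shape of the defect and of the check the commit describes. Both traces agree on the facts: at fdoselectionmanager.cpp:69 the expression `reply->present` is evaluated with `reply = 0x0`, and the commit message states that XCB may return a null pointer as a response. The field name `present` matches `xcb_query_extension_reply_t`, but which XCB call produced the reply is not on the page, so `struct ext_reply`, `fake_query_extension_reply()` and the `outcome` enum are constructed stand-ins that model the contract of the caller-owned `xcb_*_reply()` functions (heap reply on success, NULL on failure) and let the code run without an X server. One triage detail the traces show: the call reaches `init` from a `QSingleShotTimer`, so the failed query only surfaces at the point of use, which is where the null check has to live.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the XCB reply struct; xcb_query_extension_reply_t
   carries a 'present' byte like this one. */
struct ext_reply {
    unsigned char present;      /* non-zero if the queried extension is available */
    unsigned char first_event;
};

/* Which case the fake server round-trip should produce. */
enum outcome { REPLY_PRESENT, REPLY_ABSENT, REPLY_NULL };

/* Constructed stand-in for an xcb_*_reply() call: returns a malloc'd reply the
   caller must free(), or NULL when the request failed (error reply, broken
   connection). The real functions also take an xcb_generic_error_t** out-param. */
static struct ext_reply *fake_query_extension_reply(enum outcome o)
{
    if (o == REPLY_NULL)
        return NULL;
    struct ext_reply *r = calloc(1, sizeof *r);
    if (!r)
        return NULL;
    r->present = (o == REPLY_PRESENT);
    return r;
}

/* The pattern the report's line 69 shows: the reply is dereferenced with no
   NULL check, which is the SIGSEGV when the query failed. Kept for comparison;
   calling it with REPLY_NULL reproduces the crash, so nothing below does. */
static int init_unchecked(enum outcome o)
{
    struct ext_reply *reply = fake_query_extension_reply(o);
    int present = reply->present;   /* NULL dereference when reply == NULL */
    free(reply);
    return present;
}

enum init_status { INIT_OK = 0, INIT_EXT_MISSING = 1, INIT_QUERY_FAILED = 2 };

/* Hardened form in the spirit of the commit: a NULL reply is a distinct,
   reportable failure, and the dependent setup is skipped instead of crashing. */
static enum init_status init_checked(enum outcome o)
{
    struct ext_reply *reply = fake_query_extension_reply(o);
    if (!reply) {
        fprintf(stderr, "extension query returned no reply; skipping dependent setup\n");
        return INIT_QUERY_FAILED;
    }
    enum init_status st = reply->present ? INIT_OK : INIT_EXT_MISSING;
    free(reply);   /* caller owns an xcb_*_reply() result */
    return st;
}

int main(void)
{
    static const char *names[] = { "present", "absent", "null reply" };
    enum outcome cases[] = { REPLY_PRESENT, REPLY_ABSENT, REPLY_NULL };
    for (int i = 0; i < 3; i++)
        printf("%-10s -> init_checked status %d\n", names[i], (int)init_checked(cases[i]));
    printf("unchecked path with a real reply: present=%d\n", init_unchecked(REPLY_PRESENT));
    return 0;
}
```

Treating the NULL reply as its own status, rather than folding it into "extension missing", keeps the two causes distinguishable in logs, which is what made this report actionable: the trace shows `reply = 0x0`, not `present = 0`.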