Bug 128999

Summary: rpmq segfault
Product: [Fedora] Fedora
Reporter: Ralph Loader <suckfish>
Component: rpm
Assignee: Jeff Johnson <jbj>
Status: CLOSED WORKSFORME
Severity: medium
Priority: medium
Version: 2
CC: nobody+pnasrat
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-08-04 12:40:35 UTC

Description Ralph Loader 2004-08-02 20:46:40 UTC
Description of problem:

rpmq is segfaulting.  I believe that the rpm db is probably corrupted.

Version-Release number of selected component (if applicable):

rpm-4.3.1-0.3

How reproducible:

Every time.


Steps to Reproduce:
1.  Run rpm -qa with --root pointing at the corrupt rpm database.
2.  rpmq crashes in realloc on the second call to mpbsethex () from /usr/lib/libbeecrypt.so.6

Additional info:

Unfortunately, the stack is corrupted after the crash.

Here is the stack trace on the second call to mpbsethex:

Breakpoint 2, 0x003904b0 in mpbsethex () from /usr/lib/libbeecrypt.so.6
(gdb) bt
#0  0x003904b0 in mpbsethex () from /usr/lib/libbeecrypt.so.6
#1  0x00297446 in pgpPrtPubkeyParams (pubkey_algo=17 '\021',
p=0x952558b "",
    h=0x9525503 "\004?\235\235;\021\004", hlen=156391077) at rpmpgp.c:730
#2  0x00297936 in pgpPrtKey (tag=PGPTAG_PUBLIC_KEY,
    h=0x9525503 "\004?\235\235;\021\004", hlen=418) at rpmpgp.c:886
#3  0x00297d9d in pgpPrtPkt (pkt=0x9525500
"\231\001�\004?\235\235;\021\004",
    pleft=1038) at rpmpgp.c:980
#4  0x0029826c in pgpPrtPkts (
    pkts=0x9525500 "\231\001�\004?\235\235;\021\004", pktlen=1038,
    dig=0x2b1920, printing=156337284) at rpmpgp.c:1128
#5  0x002f1390 in rpmtsFindPubkey (ts=0x9514690) at rpmts.c:411
#6  0x002f6a8d in verifyGPGSignature (ts=0x9514690, t=0xfefaff09 "",
    sha1ctx=0x950c650) at signature.c:1323
#7  0x002f6c96 in rpmVerifySignature (ts=0x9514690,
    result=0xfefafef0 "Header V3 DSA signature: ") at signature.c:1377
#8  0x002d20bb in headerCheck (ts=0x9514690, uh=0x9518484, uc=15724,
    msg=0xfefbff68) at package.c:623
#9  0x0048335f in rpmdbNextIterator (mi=0x9517208) at rpmdb.c:2209
#10 0x002d9bab in rpmcliShowMatches (qva=0x3139c0, ts=0x9514690) at
query.c:370
#11 0x002da052 in rpmQueryVerify (qva=0x3139c0, ts=0x9514690, arg=0x0)
    at query.c:771
#12 0x002dadaa in rpmcliQuery (ts=0x9514690, qva=0x3139c0, argv=0x0)
    at query.c:825
#13 0x080497f8 in main (argc=3, argv=0xfefc1174) at rpmqv.c:794
#14 0x0014dad4 in __libc_start_main (main=0x8049450 <main>, argc=3,
    ubp_av=0xfefc1174, init=0x8049bec <__libc_csu_init>,
    fini=0x2520fc <environ>, rtld_fini=0x3, stack_end=0xfefc116c)
    at ../sysdeps/generic/libc-start.c:209
#15 0x080491e1 in _start ()

Then we hit __libc_realloc with what appears to be a bogus address and
a corrupt stack:

(gdb) b __libc_realloc
Breakpoint 5 at 0x1991a7: file malloc.c, line 3392.
(gdb) c
Continuing.

Breakpoint 5, __libc_realloc (oldmem=0xbf04ce78, bytes=5) at malloc.c:3392
3392      __malloc_ptr_t (*hook) __MALLOC_P ((__malloc_ptr_t, size_t,
(gdb) bt
#0  __libc_realloc (oldmem=0xbf04ce78, bytes=5) at malloc.c:3392
#1  0x00390509 in mpbsethex () from /usr/lib/libbeecrypt.so.6
#2  0xbf04ce78 in ?? ()
#3  0x0000002c in ?? ()
#4  0x00000400 in ?? ()
#5  0x00295f1e in pgpPrtNL () at rpmpgp.c:265
Previous frame inner to this frame (corrupt stack?)

Continuing segfaults immediately:

(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
__libc_realloc (oldmem=0xbf04ce78, bytes=44) at malloc.c:3406
3406      oldsize = chunksize(oldp);
(gdb) bt
#0  __libc_realloc (oldmem=0xbf04ce78, bytes=44) at malloc.c:3406
#1  0x00390509 in mpbsethex () from /usr/lib/libbeecrypt.so.6
#2  0xbf04ce78 in ?? ()
#3  0x0000002c in ?? ()
#4  0x00000400 in ?? ()
#5  0x00295f1e in pgpPrtNL () at rpmpgp.c:265
Previous frame inner to this frame (corrupt stack?)

A .tar.bz2 of the rpmdb is 2.7 Mbytes - if you want a copy, let me
know where to send it.
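
In the trace above, frame #1 enters pgpPrtPubkeyParams with hlen=156391077 although pgpPrtPkts was handed only 1038 bytes, and the next thing that runs is beecrypt's mpbsethex calling realloc. The report leaves the root cause undiagnosed, so as an added example (not rpm's or beecrypt's code) here is the shape of bounds check a reader of DSA (pubkey_algo 17) public-key MPIs from a possibly corrupted rpmdb needs: every read is limited by the bytes actually present, never by a length found in the data itself. The names read_mpi, parse_dsa_pubkey_params and parse_count and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* One OpenPGP multi-precision integer (RFC 4880, section 3.2): a two-byte
 * big-endian bit count followed by ceil(bits / 8) bytes of magnitude. */
typedef struct {
    const uint8_t *data;   /* points into the caller's buffer, not copied */
    size_t len;            /* byte length of the magnitude */
} mpi_t;

/* Read the MPI at *pos. Every access is bounded by hlen, the number of bytes
 * actually present, so a corrupted bit count cannot push the reader past the
 * packet. Returns 1 on success, 0 on a truncated or oversized MPI. */
static int read_mpi(const uint8_t *h, size_t hlen, size_t *pos, mpi_t *out)
{
    if (*pos > hlen || hlen - *pos < 2)
        return 0;                               /* no room for the bit count */
    size_t bits   = ((size_t)h[*pos] << 8) | h[*pos + 1];
    size_t nbytes = (bits + 7) / 8;
    if (hlen - *pos - 2 < nbytes)
        return 0;                               /* magnitude overruns the packet */
    out->data = h + *pos + 2;
    out->len  = nbytes;
    *pos     += 2 + nbytes;
    return 1;
}

/* A DSA public key (pubkey_algo 17) carries four MPIs: p, q, g, y.
 * Returns how many parsed cleanly (4 = complete). hlen must come from the
 * enclosing packet's real size, not from a field inside the suspect data. */
int parse_dsa_pubkey_params(const uint8_t *h, size_t hlen, mpi_t params[4])
{
    size_t pos = 0;
    for (int i = 0; i < 4; i++)
        if (!read_mpi(h, hlen, &pos, &params[i]))
            return i;
    return 4;
}

/* Constructed sample: four deliberately tiny MPIs, 13 bytes in total. */
static const uint8_t sample_dsa[] = {
    0x00, 0x08, 0xAB,         /* p: 8 bits -> 1 byte  */
    0x00, 0x03, 0x05,         /* q: 3 bits -> 1 byte  */
    0x00, 0x09, 0x01, 0x23,   /* g: 9 bits -> 2 bytes */
    0x00, 0x01, 0x01,         /* y: 1 bit  -> 1 byte  */
};
/* Constructed sample: claims 32767 bits with a single byte behind the count. */
static const uint8_t sample_oversized[] = { 0x7F, 0xFF, 0x00 };

/* Helper returning the parse count for a buffer, so results are testable. */
int parse_count(const uint8_t *buf, size_t len)
{
    mpi_t params[4];
    return parse_dsa_pubkey_params(buf, len, params);
}
```

Passing the buffer truncated to 10 or 8 bytes stops cleanly at 3 or 2 MPIs instead of reading past the end, which is the behaviour the crashing path lacks.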

Comment 1 Jeff Johnson 2004-08-03 01:34:20 UTC
Please attach a URI here -- rpmdb's are too big
for bugzilla attachments.

Comment 2 Ralph Loader 2004-08-04 06:14:04 UTC
See

http://homepages.ihug.co.nz/~suckfish/boom/rpmdb.tar.bz2

Still segfaults with rpm-4.3.2-0.6 btw.

Comment 3 Jeff Johnson 2004-08-04 12:40:35 UTC
Reproduced. Trying to diagnose now ...

Here's a workaround fix:
    cd /var/lib/rpm
    mv Pubkeys Pubkeys-XXX
    rpm --rebuilddb -vv

Verify the fix by doing
    rpm -qavv
    rm /var/lib/rpm/Pubkeys-XXX

Reopen this bug if you need help.