Bug 1312574

Summary: rsync crashes with "*** glibc detected *** rsync: free(): invalid pointer: 0x... ***"
Product: Red Hat Enterprise Linux 6
Reporter: Thomas Bruecker <public>
Component: rsync
Assignee: Michal Ruprich <mruprich>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: medium
Version: 6.7
CC: mruprich, thozza
Target Milestone: rc
Keywords: Patch
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2017-10-31 11:45:18 UTC
Type: Bug
Attachments:
  path mentioned above. (Flags: none)

Description Thomas Bruecker 2016-02-27 13:39:36 UTC
Created attachment 1131086 [details]
path mentioned above.

Description of problem:

* executing rsync by:
  "
  rsync -abAcvHX                                                      \
    --backup-dir="/root/rpmbuild/BUILD/kernel-dm-devel/!pendent.del"  \
    -e "ssh  -o ServerAliveCountMax=1000  -o ServerAliveInterval=5"   \
    --numeric-ids  --stats                                            \
    "root.thomas-r-bruecker.ch:/root/rpmbuild/BUILD/kernel-dm-devel/!this/." \
    "/root/rpmbuild/BUILD/kernel-dm-devel/!rsync.test"
   "

Version-Release number of selected component (if applicable):
* "rsync-3.0.6-12.el6.i686" (actually) centos; but source-rpm corresponds
  (especially the file "xattrs.c" is identical in both source-rpms) to
  your source-rpm: "rsync-3.0.6-12.el6.src.rpm".

How reproducible:
* "-b" and "--backup-dir=<some directory>" are (I think) mandatory to reproduce
  the error.

Actual results:
* program output:
  "
   root.thomas-r-bruecker.ch's password: 
   receiving incremental file list                  
   *** glibc detected *** rsync: free(): invalid pointer: 0x09826fe4 ***
       !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
   "
* examination with "gdb":
  Program received signal SIGABRT, Aborted.
  0x00209424 in __kernel_vsyscall ()
  [...]
  * then "bt":
    "
    #0  0x00209424 in __kernel_vsyscall ()
    #1  0x00557871 in raise () from /lib/libc.so.6
    #2  0x0055914a in abort () from /lib/libc.so.6
    #3  0x00597735 in __libc_message () from /lib/libc.so.6
    #4  0x0059dc81 in malloc_printerr () from /lib/libc.so.6
    #5  0x005a05c2 in _int_free () from /lib/libc.so.6
    #6  0x0807dc34 in uncache_tmp_xattrs () at xattrs.c:787
    #7  0x0806b33e in keep_backup (fname=0xbf9b50ac ".git/FETCH_HEAD")
        at backup.c:369
    #8  make_backup (fname=0xbf9b50ac ".git/FETCH_HEAD") at backup.c:384
    #9  0x08053206 in finish_transfer (fname=0xbf9b50ac ".git/FETCH_HEAD", 
        fnametmp=0xbf9b30ac ".git/.FETCH_HEAD.G7tNo4", 
        fnamecmp=0xbf9b50ac ".git/FETCH_HEAD", partialptr=0x0, file=0xb747bb64, 
        ok_to_set_time=1, overwriting_basis=1) at rsync.c:570
    #10 0x0805ba59 in recv_files (f_in=5, local_name=0x0) at receiver.c:736
    #11 0x080654d7 in do_recv (f_in=5, f_out=4, local_name=0x0) at main.c:774
    #12 0x08065892 in client_run (f_in=5, f_out=4, pid=17661, argc=1, 
        argv=0x9e249ec) at main.c:1067
    #13 0x080668ac in start_client (argc=2, argv=0xbf9b8334) at main.c:1274
    #14 main (argc=2, argv=0xbf9b8334) at main.c:1501
    "
Expected results: should work without error.

Additional info:
* the following patch (also as an attachment) solves the problem:
  "
  diff --git a/xattrs.c b/xattrs.c
  index 3ddd49d..8bc9f8b 100644
  --- a/xattrs.c
  +++ b/xattrs.c
  @@ -784,7 +784,7 @@ void uncache_tmp_xattrs(void)
     		  rsync_xal_l.count = prior_xattr_count;
 		  while (xattr_item-- > xattr_start) {
 			  rsync_xal_free(xattr_item);
  -			  free(xattr_item);
  +			  free(xattr_item->items);
 		  }
 		  prior_xattr_count = (size_t)-1;
 	  }
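Review bot: the new `free(xattr_item->items);` runs directly after `rsync_xal_free(xattr_item);` on the same element and leaves `items` pointing at freed memory. The hunk does not show what `rsync_xal_free()` releases, so the patch description should state that it does not already free `items`, otherwise this line turns the invalid free into a double free. Because the loop only resets `rsync_xal_l.count` to `prior_xattr_count` and the slots themselves remain allocated, adding `xattr_item->items = NULL;` after the free would keep a later reuse of the slot from seeing the stale pointer.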
  "
* reason (most probably and quick and dirty):
  libc: "malloc resp. realloc" sets "xattr_item->items" and not "xattr_item"
  through
    rsync_xal_store()
    --> EXPAND_ITEM_LIST()
      --> expand_item_list()
        --> _realloc_array()
          --> malloc resp. realloc sets "xattr_item->items"
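
The ownership rule behind the patch, as an added example that is not rsync source and not part of the original report: an element stored inside a list's `items` buffer must never be passed to `free()`, only the buffer that element owns. The `item_list` layout is a simplified assumption, and `list_expand`, `cache_tmp` and `uncache_tmp` are hypothetical names modeled on the call chain listed above.

```c
#include <stdio.h>
#include <stdlib.h>
/* Simplified stand-in for rsync's item_list (assumed layout, not rsync source). */
typedef struct { void *items; size_t count, malloced; } item_list;

/* Reserve one more elem_size slot; realloc sets lp->items, never lp itself. */
static void *list_expand(item_list *lp, size_t elem_size)
{
    if (lp->count == lp->malloced) {
        size_t n = lp->malloced ? lp->malloced * 2 : 4;
        void *p = realloc(lp->items, n * elem_size);
        if (!p) return NULL;
        lp->items = p; lp->malloced = n;
    }
    return (char *)lp->items + lp->count++ * elem_size;
}

/* Append an inner list of n one-byte entries to outer (constructed data). */
int cache_tmp(item_list *outer, size_t n)
{
    item_list *slot = list_expand(outer, sizeof *slot);
    if (!slot) return -1;
    *slot = (item_list){0};
    while (n--)
        if (!list_expand(slot, 1)) return -1;
    return 0;
}

/* Drop elements added after 'prior'. Each element lives inside outer->items,
 * so free(it) would hand glibc an interior pointer; only it->items is freed. */
size_t uncache_tmp(item_list *outer, size_t prior)
{
    size_t dropped = 0;
    for (; outer->count > prior; dropped++) {
        item_list *it = (item_list *)outer->items + --outer->count;
        free(it->items);
        it->items = NULL;             /* leave no stale pointer in the slot */
        it->count = it->malloced = 0;
    }
    return dropped;
}

int main(void)
{
    item_list outer = {0};
    cache_tmp(&outer, 3); cache_tmp(&outer, 5);
    printf("dropped %zu\n", uncache_tmp(&outer, 0));
    free(outer.items);
}
```

Building this with `-fsanitize=address` and swapping `free(it->items)` for `free(it)` reproduces the class of abort shown in the backtrace without needing glibc's own heap check.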

Comment 5 Tomáš Hozza 2017-10-31 11:45:18 UTC
Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017.  During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:
http://redhat.com/rhel/lifecycle

This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification.  Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com