Bug 1312574
Summary: | rsync crashes with "*** glibc detected *** rsync: free(): invalid pointer: 0x... ***" | |
---|---|---|---
Product: | Red Hat Enterprise Linux 6 | Reporter: | Thomas Bruecker <public>
Component: | rsync | Assignee: | Michal Ruprich <mruprich>
Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security>
Severity: | high | Docs Contact: |
Priority: | medium | |
Version: | 6.7 | CC: | mruprich, thozza
Target Milestone: | rc | Keywords: | Patch
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2017-10-31 11:45:18 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Attachments: | | |

Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available. The official life cycle policy can be reviewed here: http://redhat.com/rhel/lifecycle

This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL: https://access.redhat.com

Created attachment 1131086 [details]
path mentioned above.

Description of problem:

* executing rsync by:

    rsync -abAcvHX \
      --backup-dir="/root/rpmbuild/BUILD/kernel-dm-devel/!pendent.del" \
      -e "ssh -o ServerAliveCountMax=1000 -o ServerAliveInterval=5" \
      --numeric-ids --stats \
      "root.thomas-r-bruecker.ch:/root/rpmbuild/BUILD/kernel-dm-devel/!this/." \
      "/root/rpmbuild/BUILD/kernel-dm-devel/!rsync.test"

Version-Release number of selected component (if applicable):

* "rsync-3.0.6-12.el6.i686" (actually) centos; but source-rpm corresponds (especially the file "xattrs.c" is identical in both source-rpms) to your source-rpm: "rsync-3.0.6-12.el6.src.rpm".

How reproducible:

* "-b" and "--backup-dir=<some directory>" are (I think) mandatory to reproduce the error.

Actual results:

* program output:

    root.thomas-r-bruecker.ch's password:
    receiving incremental file list
    *** glibc detected *** rsync: free(): invalid pointer: 0x09826fe4 ***
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

* examination with "gdb":

    Program received signal SIGABRT, Aborted.
    0x00209424 in __kernel_vsyscall ()
    [...]

* then "bt":

    #0 0x00209424 in __kernel_vsyscall ()
    #1 0x00557871 in raise () from /lib/libc.so.6
    #2 0x0055914a in abort () from /lib/libc.so.6
    #3 0x00597735 in __libc_message () from /lib/libc.so.6
    #4 0x0059dc81 in malloc_printerr () from /lib/libc.so.6
    #5 0x005a05c2 in _int_free () from /lib/libc.so.6
    #6 0x0807dc34 in uncache_tmp_xattrs () at xattrs.c:787
    #7 0x0806b33e in keep_backup (fname=0xbf9b50ac ".git/FETCH_HEAD") at backup.c:369
    #8 make_backup (fname=0xbf9b50ac ".git/FETCH_HEAD") at backup.c:384
    #9 0x08053206 in finish_transfer (fname=0xbf9b50ac ".git/FETCH_HEAD", fnametmp=0xbf9b30ac ".git/.FETCH_HEAD.G7tNo4", fnamecmp=0xbf9b50ac ".git/FETCH_HEAD", partialptr=0x0, file=0xb747bb64, ok_to_set_time=1, overwriting_basis=1) at rsync.c:570
    #10 0x0805ba59 in recv_files (f_in=5, local_name=0x0) at receiver.c:736
    #11 0x080654d7 in do_recv (f_in=5, f_out=4, local_name=0x0) at main.c:774
    #12 0x08065892 in client_run (f_in=5, f_out=4, pid=17661, argc=1, argv=0x9e249ec) at main.c:1067
    #13 0x080668ac in start_client (argc=2, argv=0xbf9b8334) at main.c:1274
    #14 main (argc=2, argv=0xbf9b8334) at main.c:1501

Expected results: should work without error.

Additional info:

* the following patch (also as an attachment) solves the problem:

" diff --git a/xattrs.c b/xattrs.c index 3ddd49d..8bc9f8b 100644 --- a/xattrs.c +++ b/xattrs.c @@ -784,7 +784,7 @@ void uncache_tmp_xattrs(void) rsync_xal_l.count = prior_xattr_count; while (xattr_item-- > xattr_start) { rsync_xal_free(xattr_item); - free(xattr_item); + free(xattr_item->items); } prior_xattr_count = (size_t)-1; } "

* reason (most probably and quick and dirty): libc: "malloc resp. realloc" sets "xattr_item->items" and not "xattr_item" through rsync_xal_store() --> EXPAND_ITEM_LIST() --> expand_item_list() --> _realloc_array() --> malloc resp. realloc sets "xattr_item->items"
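
Review bot: in the `while (xattr_item-- > xattr_start)` loop, the new `free(xattr_item->items);` leaves a dangling `items` pointer in a slot that stays inside the `rsync_xal_l` array, since only `rsync_xal_l.count` is reset to `prior_xattr_count`. Per the reporter's call chain, a slot is filled through `expand_item_list()` --> `_realloc_array()`, so a reused slot would pass the already freed pointer to realloc; set `xattr_item->items = NULL;` (and reset whatever capacity field the list keeps beside it) directly after the free. The hunk also does not show the body of `rsync_xal_free()`, which runs on the same element one line earlier, so please confirm that it neither releases `items` itself nor leaves state that the added free invalidates.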