Bug 135859

Summary: glibc reports double-free/memory corruption with mc and Korean UTF-8 (specspo)
Product: Fedora
Component: rpm
Version: rawhide
Hardware: i386
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Reporter: Paul Nasrat <nobody+pnasrat>
Assignee: Jeff Johnson <jbj>
QA Contact: Mike McLean <mikem>
CC: drepper, eng-i18n-bugs, herrold, llch, nobody+pnasrat, rajeshinvisible
Doc Type: Bug Fix
Last Closed: 2004-10-31 18:42:17 UTC
Bug Blocks: 130887
Attachments: Core

Description Paul Nasrat 2004-10-15 14:54:58 UTC

Newer glibc has checks that abort programs on a double free.  A case of this
with rpm was mentioned on #fedora-devel.

Reproducible: Always
Steps to Reproduce:
1. LANG=ko_KR.UTF8 rpm --dbpath /usr/lib/rpmdb/i386-redhat-linux/redhat/ -qi mc


Actual Results:  
*** glibc detected *** double free or corruption: 0x0992cd68 ***
Aborted


Expected Results:  
Lovely information about mc

Comment 1 Paul Nasrat 2004-10-15 15:06:02 UTC
Backtrace

#0  0x0017b782 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1  0x0062e625 in raise () from /lib/tls/libc.so.6
#2  0x0062ffe9 in abort () from /lib/tls/libc.so.6
#3  0x006675eb in malloc_printerr () from /lib/tls/libc.so.6
#4  0x0066808a in free () from /lib/tls/libc.so.6
#5  0x0023cec8 in singleSprintf (hsa=0xfeec6360, token=0x82195d8, element=0)
    at header.c:141
#6  0x0023cfb4 in singleSprintf (hsa=0xfeec6360, token=0x8215128, element=0)
    at header.c:3250
#7  0x0023d343 in headerSprintf (h=0x0,
    fmt=0x81cf898 "Name        : %-27{NAME}  Relocations:
%|PREFIXES?{[%{PREFIXES} ]}:{(not relocatable)}|\\nVersion     : %-27{VERSION} 
     Vendor: %{VENDOR}\\nRelease     : %-27{RELEASE}   Build Date:
%{BUILDTIME:date"...,
    tbltags=0x6, extensions=0x6, errmsg=0xfeec644c) at header.c:3462
#8  0x00d80e96 in showQueryPackage (qva=0xdb1960, ts=0x0, h=0x81fca90)
    at hdrinline.h:24
#9  0x00d812d1 in rpmcliShowMatches (qva=0xdb1960, ts=0x81cf2d8) at query.c:367
#10 0x00d816de in rpmQueryVerify (qva=0xdb1960, ts=0x81cf2d8,
    arg=0xfef689e5 "mc") at query.c:771
#11 0x00d82452 in rpmcliQuery (ts=0x81cf2d8, qva=0xdb1960, argv=0x81bac24)
    at query.c:831
#12 0x080497ac in main (argc=6, argv=0xfeec76c4) at rpmqv.c:789
#13 0x0061bb03 in __libc_start_main () from /lib/tls/libc.so.6


Comment 2 Jeff Johnson 2004-10-15 22:20:06 UTC
I'm still missing some tidbit to reproduce this.

Currently using fc3 glibc-2.3.3-68 ...

Comment 3 Paul Nasrat 2004-10-18 08:50:49 UTC
I installed the Korean support group prior to testing:

glibc-2.3.3-68
glibc-common-2.3.3-68
h2ps-2.06-12
iiimf-gtk-12.0.1-16.svn1994
nabi-0.14-3
system-switch-im-0.1.2-3
iiimf-x-12.0.1-16.svn1994
iiimf-le-hangul-12.0.1-16.svn1994
ttfonts-ko-1.0.11-32.2
man-pages-ko-1.48-14
iiimf-docs-12.0.1-16.svn1994
iiimf-gnome-im-switcher-12.0.1-16.svn1994
nhpf-1.42-8
iiimf-server-12.0.1-16.svn1994
iiimf-csconv-12.0.1-16.svn1994


Comment 4 Paul Nasrat 2004-10-18 09:38:10 UTC
Removed the non glibc packages above:

[pauln@anu ~]$ rpm -q mc
mc-4.6.1-0.5
[pauln@anu ~]$ LANG=ko_KR.UTF-8 rpm -qi mc
*** glibc detected *** double free or corruption: 0x08493c88 ***
Aborted

If need be I can provide ssh access to the box.


Comment 5 Paul Nasrat 2004-10-28 07:44:15 UTC
*** Bug 137399 has been marked as a duplicate of this bug. ***

Comment 6 Paul Nasrat 2004-10-28 07:47:38 UTC
Move blocker/CC from dupe

Comment 7 Paul Nasrat 2004-10-28 07:54:42 UTC
The specific package changes, I guess, depending on initial setup (my
package is now jpackage-utils).

LANG=ko_KR.UTF-8 rpm -qia 

is probably the reliable reproducer.  Based on the fact that the rogue
package now does not have any translated strings, I'm guessing it's
something like the date formatting. Can you reproduce with:

LANG=ko_KR.UTF-8 LC_TIME=C rpm -qia (or translated package).

Comment 8 Paul Nasrat 2004-10-28 08:32:35 UTC
Created attachment 105885 [details]
Core

rpm-4.3.2-13
rpm-debuginfo-4.3.2-13

#6  0x009a0fb4 in singleSprintf (hsa=0xfee88960, token=0x8cf06b0, element=0)
    at header.c:3250
3250		    te = singleSprintf(hsa, spft, element);
(gdb) x 0x8cf0b0
0x8cf0b0 <pgpPrtSig+698>:	0xdc758bd4
(gdb) x 0xfee8960

Looks like signature is causing it in my instance:

LANG=ko_KR.UTF-8 rpm --qf
'%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|\n'
-q jpackage-utils
*** glibc detected *** double free or corruption: 0x0838ed88 ***
Aborted

I wonder if it's the first signed package - which will vary a lot in rawhide.
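
The backtraces above show free() being reached from inside singleSprintf() while a per-tag format expression is expanded. The following is an added illustration of the general class of bug that produces glibc's "double free or corruption" abort, not rpm's header.c code and not the actual defect fixed in 4.3.2-19: a formatter whose branches disagree about who owns the returned string, so a caller that frees unconditionally either frees a static buffer or frees a heap block twice. The allocation tracker, struct names and the "Name"/suffix inputs are hypothetical; the tracker stands in for glibc's malloc_printerr() so the fault can be counted in a test rather than aborting the process.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical illustration, not rpm's header.c: a formatter whose
 * branches disagree about who owns the returned string, plus a tiny
 * allocation tracker that lets a test observe the resulting double
 * free / invalid free instead of aborting on glibc's
 * "double free or corruption" check. */

#define MAX_LIVE 64
static void *live[MAX_LIVE];   /* heap pointers handed out and not yet freed */
static int live_count;
static int bad_frees;          /* frees of pointers that are not currently live */

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p == NULL) { perror("malloc"); exit(1); }
    if (live_count < MAX_LIVE) live[live_count++] = p;
    return p;
}

/* Frees p only if it is a live tracked allocation; otherwise records the
 * error (a second free of the same block, or a static buffer). */
static void tracked_free(void *p) {
    for (int i = 0; i < live_count; i++) {
        if (live[i] == p) {
            live[i] = live[--live_count];
            free(p);
            return;
        }
    }
    bad_frees++;
}

struct fmt_value {
    char *str;
    int   owned;   /* nonzero: str is a heap buffer the caller must free */
};

static char static_buf[32];
/* Constructed 40-byte input that forces the allocating branch. */
static const char LONG_SUFFIX[] = "0123456789012345678901234567890123456789";

/* Short results reuse a static buffer; long ones (think: a translated
 * string in a wide locale) are allocated. Only the allocated branch
 * may be freed by the caller. */
static struct fmt_value format_tag(const char *tag, const char *suffix) {
    struct fmt_value v;
    size_t need = strlen(tag) + strlen(suffix) + 1;
    if (need <= sizeof static_buf) {
        snprintf(static_buf, sizeof static_buf, "%s%s", tag, suffix);
        v.str = static_buf;
        v.owned = 0;
    } else {
        v.str = tracked_malloc(need);
        snprintf(v.str, need, "%s%s", tag, suffix);
        v.owned = 1;
    }
    return v;
}

/* Buggy caller: two cleanup sites both free the string unconditionally.
 * Returns how many invalid frees the tracker saw. */
static int buggy_caller(const char *suffix) {
    bad_frees = 0;
    struct fmt_value v = format_tag("Name", suffix);
    tracked_free(v.str);   /* invalid free on the static branch */
    tracked_free(v.str);   /* double free on the heap branch */
    return bad_frees;
}

/* Fixed: one release routine honours the ownership flag and clears the
 * pointer, so a second cleanup pass is a harmless no-op. */
static void fmt_release(struct fmt_value *v) {
    if (v->owned) tracked_free(v->str);
    v->str = NULL;
    v->owned = 0;
}

static int fixed_caller(const char *suffix) {
    bad_frees = 0;
    struct fmt_value v = format_tag("Name", suffix);
    fmt_release(&v);
    fmt_release(&v);
    return bad_frees;
}

int main(void) {
    printf("buggy, static branch: %d bad frees\n", buggy_caller(""));
    printf("buggy, heap branch:   %d bad frees\n", buggy_caller(LONG_SUFFIX));
    printf("fixed, static branch: %d bad frees\n", fixed_caller(""));
    printf("fixed, heap branch:   %d bad frees\n", fixed_caller(LONG_SUFFIX));
    return 0;
}
```

The point for a reproducer like the one in this bug: which branch a format expression takes can depend on the locale (string length after translation, width of a formatted date), so a free that is only wrong on one branch surfaces as a crash only under LANG=ko_KR.UTF-8 while the C locale looks clean. Under the real glibc allocator the buggy heap-branch case aborts at the second free() with exactly the message quoted above.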

Comment 11 Jeff Johnson 2004-10-31 18:02:51 UTC
Thank you. I have not been able to reproduce, and was
expecting an entirely different issue, freeing header
data retrieved from dcgettext used for look aside retrieve.

Comment 14 Jeff Johnson 2004-10-31 18:42:17 UTC
Fixed in rpm-4.3.2-19. Thanks for the patch.

Comment 15 Paul Nasrat 2004-11-01 08:20:54 UTC
Confirmed fixed in 4.3.2-19 thanks.

Comment 16 Rajesh 2006-03-27 12:57:47 UTC
In /var/log/messages I see:
*** glibc detected *** double free or corruption (!prev): 0x094c8f18 ***
What could be the cause of this and how can it be resolved?