Bug 135859
Summary: | glibc reports double-free/memory corruption with mc and Korean UTF-8 (specspo)
---|---
Product: | [Fedora] Fedora
Component: | rpm
Version: | rawhide
Status: | CLOSED RAWHIDE
Severity: | medium
Priority: | medium
Hardware: | i386
OS: | Linux
Reporter: | Paul Nasrat <nobody+pnasrat>
Assignee: | Jeff Johnson <jbj>
QA Contact: | Mike McLean <mikem>
CC: | drepper, eng-i18n-bugs, herrold, llch, nobody+pnasrat, rajeshinvisible
Doc Type: | Bug Fix
Last Closed: | 2004-10-31 18:42:17 UTC
Bug Blocks: | 130887

Description
Paul Nasrat
2004-10-15 14:54:58 UTC
Backtrace
#0 0x0017b782 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1 0x0062e625 in raise () from /lib/tls/libc.so.6
#2 0x0062ffe9 in abort () from /lib/tls/libc.so.6
#3 0x006675eb in malloc_printerr () from /lib/tls/libc.so.6
#4 0x0066808a in free () from /lib/tls/libc.so.6
#5 0x0023cec8 in singleSprintf (hsa=0xfeec6360, token=0x82195d8, element=0) at header.c:141
#6 0x0023cfb4 in singleSprintf (hsa=0xfeec6360, token=0x8215128, element=0) at header.c:3250
#7 0x0023d343 in headerSprintf (h=0x0, fmt=0x81cf898 "Name : %-27{NAME} Relocations: %|PREFIXES?{[%{PREFIXES} ]}:{(not relocatable)}|\\nVersion : %-27{VERSION} Vendor: %{VENDOR}\\nRelease : %-27{RELEASE} Build Date: %{BUILDTIME:date"..., tbltags=0x6, extensions=0x6, errmsg=0xfeec644c) at header.c:3462
#8 0x00d80e96 in showQueryPackage (qva=0xdb1960, ts=0x0, h=0x81fca90) at hdrinline.h:24
#9 0x00d812d1 in rpmcliShowMatches (qva=0xdb1960, ts=0x81cf2d8) at query.c:367
#10 0x00d816de in rpmQueryVerify (qva=0xdb1960, ts=0x81cf2d8, arg=0xfef689e5 "mc") at query.c:771
#11 0x00d82452 in rpmcliQuery (ts=0x81cf2d8, qva=0xdb1960, argv=0x81bac24) at query.c:831
#12 0x080497ac in main (argc=6, argv=0xfeec76c4) at rpmqv.c:789
#13 0x0061bb03 in __libc_start_main () from /lib/tls/libc.so.6

I'm still missing some tidbit to reproduce this. Currently using fc3 glibc-2.3.3-68 ...

I installed Korean support group prior to testing:
glibc-2.3.3-68
glibc-common-2.3.3-68
h2ps-2.06-12
iiimf-gtk-12.0.1-16.svn1994
nabi-0.14-3
system-switch-im-0.1.2-3
iiimf-x-12.0.1-16.svn1994
iiimf-le-hangul-12.0.1-16.svn1994
ttfonts-ko-1.0.11-32.2
man-pages-ko-1.48-14
iiimf-docs-12.0.1-16.svn1994
iiimf-gnome-im-switcher-12.0.1-16.svn1994
nhpf-1.42-8
iiimf-server-12.0.1-16.svn1994
iiimf-csconv-12.0.1-16.svn1994

Removed the non-glibc packages above:
[pauln@anu ~]$ rpm -q mc
mc-4.6.1-0.5
[pauln@anu ~]$ LANG=ko_KR.UTF-8 rpm -qi mc
*** glibc detected *** double free or corruption: 0x08493c88 ***
Aborted

If need be I can provide ssh access to the box

*** Bug 137399 has been marked as a duplicate of this bug. ***

Move blocker/CC from dupe

The specific package changes I guess depending on initial setup (my package is now jpackage-utils).
LANG=ko_KR.UTF-8 rpm -qia
is probably the reliable reproducer.

Based on the fact that the rogue package now does not have any translated strings, I'm guessing it's something like the date formatting. Can you reproduce with:
LANG=ko_KR.UTF-8 LC_TIME=C rpm -qia
(or translated package).

Created attachment 105885
Core
rpm-4.3.2-13
rpm-debuginfo-4.3.2-13
#6 0x009a0fb4 in singleSprintf (hsa=0xfee88960, token=0x8cf06b0, element=0)
at header.c:3250
3250 te = singleSprintf(hsa, spft, element);
(gdb) x 0x8cf0b0
0x8cf0b0 <pgpPrtSig+698>: 0xdc758bd4
(gdb) x 0xfee8960
Looks like signature is causing it in my instance:
LANG=ko_KR.UTF-8 rpm --qf
'%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|\n'
-q jpackage-utils
*** glibc detected *** double free or corruption: 0x0838ed88 ***
Aborted
I wonder if it's the first signed package - which will vary a lot in rawhide.
Thank you. I have not been able to reproduce, and was expecting an entirely different issue, freeing header date retrieved from dcgettext used for look aside retrieve.

Fixed in rpm-4.3.2-19. Thanks for the patch.

Confirmed fixed in 4.3.2-19 thanks.

In /var/log/messages I see:
*** glibc detected *** double free or corruption (!prev): 0x094c8f18 ***
What could be the cause of this and how can it be resolved?