Bug 1551400

Summary:	dnf segfaults with a query of the form "dnf provides '/x y'"
Product:	[Fedora] Fedora	Reporter:	Samuel Sieb <samuel-rhbugs>
Component:	libdnf	Assignee:	rpm-software-management
Status:	CLOSED UPSTREAM	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	27	CC:	aoliva, arjun, codonell, dj, dmach, fweimer, jmracek, law, mcermak, mfabian, mluscon, pfrankli, rpm-software-management, rth, samuel-rhbugs, siddhesh
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2018-03-06 11:48:12 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Samuel Sieb 2018-03-05 04:30:18 UTC

When running a dnf query of the form "dnf provides '*/x y*'" (you can just use that literally), there is always a segfault in glibc.  It is not always the same, but most times it was in the malloc call.  The tcache->entries table contains an invalid address, a very large address.  For example, the first few entries are:
{0x0, 0x6e69622f7273752f, 0x559ab56a2bc0, 0x559ab5599e80, 0x559ab5700670
The second one is the problem.

Comment 1 Florian Weimer 2018-03-05 07:59:40 UTC

Looks like a use-after-free in libsolv:

==29328== Invalid read of size 1
==29328==    at 0x4C32BC2: __strlen_sse2 (vg_replace_strmem.c:460)
==29328==    by 0x5DAD8CD: strdup (strdup.c:41)
==29328==    by 0x1844BC82: solv_strdup (in /usr/lib64/libsolv.so.0)
==29328==    by 0x18443773: datamatcher_init (in /usr/lib64/libsolv.so.0)
==29328==    by 0x184445CB: dataiterator_init (in /usr/lib64/libsolv.so.0)
==29328==    by 0x17F8B573: reldeplist_from_str (in /usr/lib64/libdnf.so.1)
==29328==    by 0x17D62306: pyseq_to_reldeplist (in /usr/lib64/python3.6/site-packages/hawkey/_hawkey.so)
==29328==    by 0x17D63FE9: ??? (in /usr/lib64/python3.6/site-packages/hawkey/_hawkey.so)
==29328==    by 0x4FBDB5E: PyCFunction_Call (in /usr/lib64/libpython3.6m.so.1.0)
==29328==    by 0x5002E36: _PyEval_EvalFrameDefault (in /usr/lib64/libpython3.6m.so.1.0)
==29328==    by 0x4F59784: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==29328==    by 0x4F5A4BC: _PyFunction_FastCallDict (in /usr/lib64/libpython3.6m.so.1.0)
==29328==  Address 0x10fcda50 is 0 bytes inside a block of size 32 free'd
==29328==    at 0x4C30D18: free (vg_replace_malloc.c:530)
==29328==    by 0x11EE046D: g_free (in /usr/lib64/libglib-2.0.so.0.5400.3)
==29328==    by 0x17F8B3E7: parse_reldep_str (in /usr/lib64/libdnf.so.1)
==29328==    by 0x17F8B556: reldeplist_from_str (in /usr/lib64/libdnf.so.1)
==29328==    by 0x17D62306: pyseq_to_reldeplist (in /usr/lib64/python3.6/site-packages/hawkey/_hawkey.so)
==29328==    by 0x17D63FE9: ??? (in /usr/lib64/python3.6/site-packages/hawkey/_hawkey.so)
==29328==    by 0x4FBDB5E: PyCFunction_Call (in /usr/lib64/libpython3.6m.so.1.0)
==29328==    by 0x5002E36: _PyEval_EvalFrameDefault (in /usr/lib64/libpython3.6m.so.1.0)
==29328==    by 0x4F59784: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==29328==    by 0x4F5A4BC: _PyFunction_FastCallDict (in /usr/lib64/libpython3.6m.so.1.0)
==29328==    by 0x4F5A80D: _PyObject_FastCallDict (in /usr/lib64/libpython3.6m.so.1.0)
==29328==    by 0x4F64950: _PyObject_Call_Prepend (in /usr/lib64/libpython3.6m.so.1.0)
==29328==  Block was alloc'd at
==29328==    at 0x4C2FB6B: malloc (vg_replace_malloc.c:299)
==29328==    by 0x11EE0358: g_malloc (in /usr/lib64/libglib-2.0.so.0.5400.3)
==29328==    by 0x17F8B1E8: copy_str_from_subexpr (in /usr/lib64/libdnf.so.1)
==29328==    by 0x17F8B2A9: parse_reldep_str (in /usr/lib64/libdnf.so.1)
==29328==    by 0x17F8B556: reldeplist_from_str (in /usr/lib64/libdnf.so.1)
==29328==    by 0x17D62306: pyseq_to_reldeplist (in /usr/lib64/python3.6/site-packages/hawkey/_hawkey.so)
==29328==    by 0x17D63FE9: ??? (in /usr/lib64/python3.6/site-packages/hawkey/_hawkey.so)
==29328==    by 0x4FBDB5E: PyCFunction_Call (in /usr/lib64/libpython3.6m.so.1.0)
==29328==    by 0x5002E36: _PyEval_EvalFrameDefault (in /usr/lib64/libpython3.6m.so.1.0)
==29328==    by 0x4F59784: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==29328==    by 0x4F5A4BC: _PyFunction_FastCallDict (in /usr/lib64/libpython3.6m.so.1.0)
==29328==    by 0x4F5A80D: _PyObject_FastCallDict (in /usr/lib64/libpython3.6m.so.1.0)

Comment 2 Igor Gnatenko 2018-03-05 09:12:16 UTC

huh? no, libdnf.

(gdb) n
766	    dataiterator_init(&di, pool, 0, 0, 0, name_glob, SEARCH_STRING | SEARCH_GLOB);
(gdb) p name_glob
$2 = 0x0

asking to search for NULL is really wrong ;)

Comment 3 Igor Gnatenko 2018-03-05 09:15:20 UTC

Actually, libsolv returns correct thing (nothing), but then python-hawkey tried to fill some random stuff to sequence and then tries to free that... That's not going to work. Nothing to do for libsolv.

Comment 4 Jaroslav Mracek 2018-03-06 07:30:17 UTC

Please can you provide exact version od libdnf, libsolv, and dnf?

Thanks a lot

Comment 5 Samuel Sieb 2018-03-06 07:31:37 UTC

libdnf-0.11.1-1.fc27.x86_64
libsolv-0.6.31-1.fc27.x86_64
dnf-2.7.5-2.fc27.noarch

Comment 6 Jaroslav Mracek 2018-03-06 11:48:12 UTC

Thanks for information. I was able to reproduce your problem with your versions, but the problem vanished with upstream versions.

libdnf-0.13.0-0.295g97c23df.fc26.x86_64
libsolv-0.6.31-1.fc26.x86_64
dnf-2.8.6-0.114ge83d408b.fc26.noarch


The upstream is available from copr repo (dnf copr enable rpmsoftwaremanagement/dnf-nightly).