Bug 1732276

Summary: segmentation fault in librpmbuild.so.9 at stripTrailingBlanksStringBuf (sb=0x0) at misc.c:44
Product: Fedora
Reporter: nvwarr
Component: rpm
Assignee: Packaging Maintenance Team <packaging-team-maint>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 31
CC: igor.raits, mjw, packaging-team-maint, pmatilai, pmoravco, vmukhame
Target Milestone: ---
Keywords: Regression
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version: rpm-4.15.0-0.rc1.1.fc31
Doc Type: If docs needed, set a value
Last Closed: 2019-09-10 01:20:53 UTC
Type: Bug
Regression: ---

Attachments:
- Simple .spec file to illustrate the problem
- Patch to only strip trailing blanks when the string buffer is not NULL

Description nvwarr 2019-07-23 06:10:36 UTC
Created attachment 1592751 [details]
Simple .spec file to illustrate the problem

Description of problem:

If a spec file ends with a %postun line (without even a blank line after it), rpmspec and rpm-build give a segmentation fault.

Version-Release number of selected component (if applicable):

rpm-build-libs-4.15.0-0.beta.2.fc31.x86_64

How reproducible:

Always

Steps to Reproduce:
1. With a spec file ending in a %postun line, say, test.spec
2. rpmspec -q test.spec

Actual results:

Segmentation fault (core dumped)
#0  stripTrailingBlanksStringBuf (sb=0x0) at misc.c:44
#1  0x00007ffff7f8621b in parseScript (spec=spec@entry=0x5555555b0770, parsePart=parsePart@entry=21) at parseScript.c:357
#2  0x00007ffff7f8821a in parseSpec (specFile=specFile@entry=0x7fffffffd9cf "test.spec", flags=flags@entry=3, buildRoot=buildRoot@entry=0x0, 
    recursing=recursing@entry=0) at parseSpec.c:950
#3  0x00007ffff7f88b3b in rpmSpecParse (specFile=specFile@entry=0x7fffffffd9cf "test.spec", flags=flags@entry=3, buildRoot=buildRoot@entry=0x0)
    at parseSpec.c:1077
#4  0x00007ffff7f8d47f in rpmspecQuery (ts=0x55555559e830, qva=0x5555555592e0 <rpmQVKArgs>, arg=0x7fffffffd9cf "test.spec") at spec.c:517
#5  0x00007ffff7f245a6 in rpmcliArgIter () from /lib64/librpm.so.9
#6  0x00007ffff7f2486a in rpmcliQuery () from /lib64/librpm.so.9
#7  0x00005555555564e3 in main (argc=5, argv=<optimized out>) at rpmspec.c:78


Expected results:

Should write the name and version of the package. Adding a blank line after the %postun line works around the problem.

Additional info:

I hit this bug during a mass rebuild of all our in-house software for rawhide. Some of them had this issue.

It seems that the call to parseLines (parseScript.c:355) returns sb as NULL, which is passed on to stripTrailingBlanksStringBuf. Even if that is skipped, the following line results in p being NULL, which is then dereferenced 72 lines later.

I think the solution is to only call stripTrailingBlanksStringBuf and getStringBuf if sb is not NULL and set p = "" otherwise.
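
The defensive pattern described in this comment, as an added illustration (not rpm's code and not the attached patch): a hypothetical cut-down string buffer in which a NULL buffer coming back from the line collector is mapped to an empty body instead of being handed to the trim routine and dereferenced later. All names here (StringBuf, collect_body, section_body) are stand-ins, not rpm's real API.

```c
/* Added example, not rpm's code: a cut-down string buffer that mirrors the
 * shape of the crash in this report and applies the NULL-tolerant handling
 * the reporter proposes. All names here (StringBuf, collect_body, ...) are
 * hypothetical stand-ins, not rpm's real API. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

typedef struct { char *buf; size_t len; } StringBuf;

/* Trim trailing whitespace in place and return the new length.
 * A NULL buffer is a no-op (returns 0) instead of a segfault. */
size_t strip_trailing_blanks(StringBuf *sb) {
    if (sb == NULL || sb->buf == NULL) return 0;
    while (sb->len > 0 && isspace((unsigned char)sb->buf[sb->len - 1]))
        sb->buf[--sb->len] = '\0';
    return sb->len;
}

/* Copy the text after a section header into a new buffer. Returns NULL when
 * the header is the last line of the file (no newline after it), which is the
 * trailing-%postun situation from the report; the caller must expect that. */
static StringBuf *collect_body(const char *spec, const char *header) {
    const char *start = strstr(spec, header);
    if (start == NULL) return NULL;
    const char *nl = strchr(start, '\n');
    if (nl == NULL) return NULL;              /* header is the final line */
    StringBuf *sb = malloc(sizeof *sb);
    sb->len = strlen(nl + 1);
    sb->buf = malloc(sb->len + 1);
    memcpy(sb->buf, nl + 1, sb->len + 1);     /* includes the terminating NUL */
    return sb;
}

/* Return the trimmed section body as a malloc'd string the caller frees.
 * An absent body yields "" rather than NULL, so no later code can
 * dereference a NULL pointer the way the backtrace shows. */
char *section_body(const char *spec, const char *header) {
    StringBuf *sb = collect_body(spec, header);
    if (sb == NULL) {                         /* empty section: p = "" */
        char *empty = malloc(1);
        empty[0] = '\0';
        return empty;
    }
    strip_trailing_blanks(sb);
    char *body = sb->buf;                     /* ownership moves to the caller */
    free(sb);
    return body;
}
```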

Comment 1 nvwarr 2019-07-23 06:12:00 UTC
Created attachment 1592752 [details]
Patch to only strip trailing blanks, when the string buffer is not NULL

Comment 2 Ben Cotton 2019-08-13 18:57:55 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to 31.

Comment 3 Panu Matilainen 2019-08-14 14:35:50 UTC
Right, this is a regression introduced in refactoring during 4.15 development. Thanks for the report, reproducer and patch!
As is often the case, where there's one there's more, and this is no different: there's a similar crash with an empty %description at the end of a spec.

Proposed upstream fix for both at https://github.com/rpm-software-management/rpm/pull/816

I'd prefer using your real name for credits over "nvwarr" though.

Comment 4 Fedora Update System 2019-08-28 11:28:43 UTC
FEDORA-2019-e4b6ffd824 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-e4b6ffd824

Comment 5 Fedora Update System 2019-08-29 21:01:44 UTC
rpm-4.15.0-0.rc1.1.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e4b6ffd824

Comment 6 Fedora Update System 2019-09-10 01:20:53 UTC
rpm-4.15.0-0.rc1.1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.