Bug 190010

Summary: Double free in rpm with unavailable remote repository
Product: Fedora
Reporter: Jerry James <loganjerry>
Component: rpm
Assignee: Paul Nasrat <nobody+pnasrat>
Status: CLOSED DUPLICATE
QA Contact: Mike McLean <mikem>
Severity: high
Priority: medium
Version: 5
Hardware: x86_64
OS: Linux
Last Closed: 2006-04-27 21:35:26 UTC

Description Jerry James 2006-04-26 17:33:11 UTC
Description of problem:
I attempted "rpm -ivh http://rpm.livna.org/livna-release-5.rpm" at a time when
rpm.livna.org was down and got the following.  This is a gdb transcript, after
installing the rpm and glibc debuginfo packages:

(gdb) run -ivh http://rpm.livna.org/livna-release-5.rpm
Starting program: /bin/rpm -ivh http://rpm.livna.org/livna-release-5.rpm
[Thread debugging using libthread_db enabled]
[New Thread 46912496451264 (LWP 17632)]
Retrieving http://rpm.livna.org/livna-release-5.rpm
error: skipping http://rpm.livna.org/livna-release-5.rpm - transfer failed -
Unknown or unexpected error
*** glibc detected *** /bin/rpm: double free or corruption (out):
0x00000033acb44be0 ***
======= Backtrace: =========
/lib64/libc.so.6[0x33ac96d7a3]
/lib64/libc.so.6(__libc_free+0x84)[0x33ac96d924]
/usr/lib64/librpmio-4.4.so(XurlFree+0x2b0)[0x385fb311a0]
/usr/lib64/librpmio-4.4.so(urlFreeCache+0x71)[0x385fb31e81]
/bin/rpm[0x4040dc]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x33ac91d084]
/bin/rpm[0x403949]
======= Memory map: ========
00400000-00413000 r-xp 00000000 fd:00 3007702                            /bin/rpm
00512000-00515000 rw-p 00012000 fd:00 3007702                            /bin/rpm
00515000-00521000 rw-p 00515000 00:00 0
00614000-00617000 rw-p 00014000 fd:00 3007702                            /bin/rpm
00617000-00dd2000 rw-p 00617000 00:00 0                                  [heap]
33ac500000-33ac519000 r-xp 00000000 fd:00 1634416                       /lib64/ld-2.4.so
33ac619000-33ac61a000 r--p 00019000 fd:00 1634416                       /lib64/ld-2.4.so
33ac61a000-33ac61b000 rw-p 0001a000 fd:00 1634416                       /lib64/ld-2.4.so
33ac700000-33ac714000 r-xp 00000000 fd:00 5850107                       /usr/lib64/libz.so.1.2.3
33ac714000-33ac813000 ---p 00014000 fd:00 5850107                       /usr/lib64/libz.so.1.2.3
33ac813000-33ac814000 rw-p 00013000 fd:00 5850107                       /usr/lib64/libz.so.1.2.3
33ac900000-33aca3f000 r-xp 00000000 fd:00 1634417                       /lib64/libc-2.4.so
33aca3f000-33acb3f000 ---p 0013f000 fd:00 1634417                       /lib64/libc-2.4.so
33acb3f000-33acb43000 r--p 0013f000 fd:00 1634417                       /lib64/libc-2.4.so
33acb43000-33acb44000 rw-p 00143000 fd:00 1634417                       /lib64/libc-2.4.so
33acb44000-33acb49000 rw-p 33acb44000 00:00 0
33acc00000-33acc80000 r-xp 00000000 fd:00 1634418                       /lib64/libm-2.4.so
33acc80000-33acd80000 ---p 00080000 fd:00 1634418                       /lib64/libm-2.4.so
33acd80000-33acd81000 r--p 00080000 fd:00 1634418                       /lib64/libm-2.4.so
33acd81000-33acd82000 rw-p 00081000 fd:00 1634418                       /lib64/libm-2.4.so
33ace00000-33ace02000 r-xp 00000000 fd:00 1634419                       /lib64/libdl-2.4.so
33ace02000-33acf02000 ---p 00002000 fd:00 1634419                       /lib64/libdl-2.4.so
33acf02000-33acf03000 r--p 00002000 fd:00 1634419                       /lib64/libdl-2.4.so
33acf03000-33acf04000 rw-p 00003000 fd:00 1634419                       /lib64/libdl-2.4.so
33ad000000-33ad01e000 r-xp 00000000 fd:00 7420474                       /usr/lib64/libneon.so.25.0.5
33ad01e000-33ad11d000 ---p 0001e000 fd:00 7420474                       /usr/lib64/libneon.so.25.0.5
33ad11d000-33ad11f000 rw-p 0001d000 fd:00 7420474                       /usr/lib64/libneon.so.25.0.5
33ad200000-33ad229000 r-xp 00000000 fd:00 5849572                       /usr/lib64/libbeecrypt.so.6.4.0
33ad229000-33ad328000 ---p 00029000 fd:00 5849572                       /usr/lib64/libbeecrypt.so.6.4.0
33ad328000-33ad32c000 rw-p 00028000 fd:00 5849572                       /usr/lib64/libbeecrypt.so.6.4.0
33ad800000-33ad812000 r-xp 00000000 fd:00 1634421                       /lib64/libpthread-2.4.so
33ad812000-33ad912000 ---p 00012000 fd:00 1634421                       /lib64/libpthread-2.4.so
33ad912000-33ad913000 r--p 00012000 fd:00 1634421                       /lib64/libpthread-2.4.so
33ad913000-33ad914000 rw-p 00013000 fd:00 1634421                       /lib64/libpthread-2.4.so
33ad914000-33ad918000 rw-p 33ad914000 00:00 0
33ada00000-33ada21000 r-xp 00000000 fd:00 1634420                       /lib64/libexpat.so.0.5.0
33ada21000-33adb20000 ---p 00021000 fd:00 1634420                       /lib64/libexpat.so.0.5.0
33adb20000-33adb23000 rw-p 00020000 fd:00 1634420                       /lib64/libexpat.so.0.5.0
33ae400000-33ae411000 r-xp 00000000 fd:00 5850135                       /usr/lib64/libelf-0.119.so
33ae411000-33ae510000 ---p 00011000 fd:00 5850135                       /usr/lib64/libelf-0.119.so
33ae510000-33ae511000 rw-p 00010000 fd:00 5850135                       /usr/lib64/libelf-0.119.so
33af000000-33af00d000 r-xp 00000000 fd:00 1634422                       /lib64/libgcc_s-4.1.0-20060304.so.1
33af00d000-33af10d000 ---p 0000d000 fd:00 1634422
Program received signal SIGABRT, Aborted.
[Switching to Thread 46912496451264 (LWP 17632)]
0x00000033ac92f765 in *__GI_raise (sig=Variable "sig" is not available.
)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0x00000033ac92f765 in *__GI_raise (sig=Variable "sig" is not available.
)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00000033ac931050 in *__GI_abort () at abort.c:88
#2  0x00000033ac9665eb in __libc_message (do_abort=2,
    fmt=0x33aca17d88 "*** glibc detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3  0x00000033ac96d7a3 in _int_free (av=0x33acb44980, mem=Variable "mem" is not
available.
) at malloc.c:5616
#4  0x00000033ac96d924 in *__GI___libc_free (mem=Variable "mem" is not available.
) at malloc.c:3447
#5  0x000000385fb311a0 in XurlFree (u=0xd9e540,
    msg=0x44e0 <Address 0x44e0 out of bounds>, file=0x385fb63240 "url.c",
    line=175) at url.c:65
#6  0x000000385fb31e81 in urlFreeCache () at url.c:175
#7  0x00000000004040dc in main (argc=3, argv=Variable "argv" is not available.
) at ./rpmqv.c:886
#8  0x00000033ac91d084 in __libc_start_main (main=0x403a40 <main>, argc=3,
    ubp_av=0x7ffffff28708, init=Variable "init" is not available.
) at libc-start.c:231
#9  0x0000000000403949 in _start ()
#10 0x00007ffffff286f8 in ?? ()
#11 0x0000000000000000 in ?? ()
(gdb) print *(urlinfo)0xd9e540
$1 = {nrefs = -1397470241, url = 0x33acb44be0 "�K��3", scheme = 0x0,
  user = 0x0, password = 0x0, host = 0x0, portstr = 0x0, proxyu = 0x0,
  proxyh = 0x0, proxyp = -1, port = 80, urltype = 4, ctrl = 0x0, data = 0x0,
  capabilities = 0xdb69e0, lockstore = 0xdb69c0, sess = 0x0, current = 0,
  total = 0, connstatus = 1, bufAlloced = 0, buf = 0x0, openError = 0,
  httpVersion = 0, httpHasRange = 1, magic = -804577584}

Version-Release number of selected component (if applicable):
rpm-4.4.2-15.2

How reproducible:
Always, as long as the URL points to a nonresponding host.

Steps to Reproduce:
1. rpm -ivh http://rpm.nosuchorg.org/thereisnosuchpackage.rpm
Actual results:
Glibc detects a double free and kills rpm

Expected results:
rpm should exit normally

Additional info:
I tried running the nonsense url under valgrind.  There is a bunch of output
(which somebody should probably look at), but the relevant part for this bug
report is this:

==17800== Invalid free() / delete / delete[]
==17800==    at 0x4905208: free (vg_replace_malloc.c:235)
==17800==    by 0x385FB3124B: XurlFree (in /usr/lib64/librpmio-4.4.so)
==17800==    by 0x385FB31E80: urlFreeCache (in /usr/lib64/librpmio-4.4.so)
==17800==    by 0x4040DB: ??? (rpmqv.c:886)
==17800==    by 0x33AC91D083: __libc_start_main (in /lib64/libc-2.4.so)
==17800==  Address 0x8525F08 is 0 bytes inside a block of size 176 free'd
==17800==    at 0x4905208: free (vg_replace_malloc.c:235)
==17800==    by 0x385FB3124B: XurlFree (in /usr/lib64/librpmio-4.4.so)
==17800==    by 0x385FB1D1B9: (within /usr/lib64/librpmio-4.4.so)
==17800==    by 0x385FB1D524: davOpen (in /usr/lib64/librpmio-4.4.so)
==17800==    by 0x385FB2697D: (within /usr/lib64/librpmio-4.4.so)
==17800==    by 0x385FB26EA0: Fopen (in /usr/lib64/librpmio-4.4.so)
==17800==    by 0x385FB30C65: urlGetFile (in /usr/lib64/librpmio-4.4.so)
==17800==    by 0x35A9637B30: rpmInstall (in /usr/lib64/librpm-4.4.so)
==17800==    by 0x404927: ??? (rpmqv.c:790)
==17800==    by 0x33AC91D083: __libc_start_main (in /lib64/libc-2.4.so)

which implicates the urlFree in davInit (rpmio/rpmdav.c) as the place where the
first free() took place.
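The ownership mistake the two traces above point at (an error path in transport setup releasing a cached object that the URL cache still references, after which the exit-time cache teardown releases it again) is modelled in the added C example below. This is illustration only, not rpm's code and not part of the report: urlinfo_t, url_cache_get, url_cache_free, transport_open_broken and transport_open_fixed are hypothetical stand-ins for rpm's urlinfo, urlFind, urlFreeCache and the davInit error path. Objects come from a static pool with a live flag so the second release is counted rather than corrupting the real heap, which is what glibc's "double free or corruption" check and valgrind's "Invalid free()" are reporting on the real program.

```c
/* Toy model of a reference-counted URL cache and the double free that results
 * when an error path destroys a cached object outright.  Hypothetical names
 * throughout; this is not rpm's implementation.  Objects live in a static
 * pool with a 'live' flag so a second release is detected, not undefined. */
#include <stdio.h>
#include <string.h>

#define POOL_MAX 4

typedef struct {
    int live;        /* 1 while allocated, 0 once destroyed */
    int nrefs;       /* references held: one for the cache plus one per caller */
    char url[64];
} urlinfo_t;

static urlinfo_t pool[POOL_MAX];
static urlinfo_t *cache[POOL_MAX];
static int cache_len;

static void reset_state(void) {
    memset(pool, 0, sizeof pool);
    memset(cache, 0, sizeof cache);
    cache_len = 0;
}

/* Unconditional destroy; returns 1 if the object was already dead. */
static int url_destroy(urlinfo_t *u) {
    if (!u->live)
        return 1;               /* double free */
    u->live = 0;
    u->nrefs = 0;
    return 0;
}

/* Drop one reference; destroy only when the last holder lets go. */
static int url_unref(urlinfo_t *u) {
    if (!u->live)
        return 1;               /* releasing an already-destroyed object */
    if (--u->nrefs > 0)
        return 0;
    return url_destroy(u);
}

/* Find or create the cache entry for url.  The cache keeps one reference and
 * the caller receives another, so a caller must unref, never destroy. */
static urlinfo_t *url_cache_get(const char *url) {
    for (int i = 0; i < cache_len; i++)
        if (strcmp(cache[i]->url, url) == 0) {
            cache[i]->nrefs++;
            return cache[i];
        }
    for (int i = 0; i < POOL_MAX && cache_len < POOL_MAX; i++)
        if (!pool[i].live) {
            pool[i].live = 1;
            pool[i].nrefs = 2;  /* cache + caller */
            snprintf(pool[i].url, sizeof pool[i].url, "%s", url);
            cache[cache_len++] = &pool[i];
            return &pool[i];
        }
    return NULL;
}

/* Exit-time teardown: release the cache's own references.  Returns how many
 * entries were already dead, i.e. how many double frees this would have been. */
static int url_cache_free(void) {
    int double_frees = 0;
    for (int i = 0; i < cache_len; i++)
        double_frees += url_unref(cache[i]);
    cache_len = 0;
    return double_frees;
}

/* Transport setup that always fails (unreachable host).  The broken variant
 * destroys the object although the cache still points at it; the fixed
 * variant drops only the reference the caller itself holds. */
static int transport_open_broken(urlinfo_t *u) { url_destroy(u); return -1; }
static int transport_open_fixed(urlinfo_t *u)  { url_unref(u);   return -1; }

/* Replay the report's scenario: fetch from a nonresponding host, then tear the
 * cache down as rpm does at exit.  Returns the number of double frees. */
int simulate(int fixed) {
    reset_state();
    urlinfo_t *u = url_cache_get("http://rpm.nosuchorg.org/thereisnosuchpackage.rpm");
    if (fixed)
        transport_open_fixed(u);
    else
        transport_open_broken(u);
    return url_cache_free();
}

/* Pool objects still live; after a clean teardown this is zero (no leak). */
int live_objects(void) {
    int n = 0;
    for (int i = 0; i < POOL_MAX; i++)
        n += pool[i].live;
    return n;
}

int main(void) {
    printf("broken error path: %d double free(s)\n", simulate(0));
    int fixed_double_frees = simulate(1);
    printf("fixed error path:  %d double free(s), %d live object(s) left\n",
           fixed_double_frees, live_objects());
    return 0;
}
```

The broken path reports one double free and leaves the cache holding a dangling pointer, which matches the garbage nrefs and magic values printed by gdb above; the fixed path reports none and leaves no live objects, so the refcount fix does not trade the crash for a leak.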

Comment 1 Jeff Johnson 2006-04-27 21:35:26 UTC

*** This bug has been marked as a duplicate of 189107 ***