Bug 2053198
| Summary: | rsync segmentation fault | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Denis Silakov <dsilakov> |
| Component: | rsync | Assignee: | Michal Ruprich <mruprich> |
| Status: | CLOSED ERRATA | QA Contact: | Ondrej Mejzlik <omejzlik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 9.0 | CC: | omejzlik |
| Target Milestone: | rc | Keywords: | Patch, Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | rsync-3.2.3-11.el9 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-11-15 11:14:47 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Hi Denis, thanks for the report. Is it possible to reproduce this reliably on your side? Seems like the 'i' should be checked '< 0' before the assignment on line 408. But it would be hard to test this unless someone can reproduce this. Regards, Michal I failed to reproduce this up to now. The problem is that files[-1] in most cases point to some memory which is allowed to be access by the process. That area contains some garbage, but this doesn't lead to the process crash. And yes, check for 'i<0' should be performed in a separate condifiton. I will report it to upstream and send a PR there. Thanks! Created attachment 1863703 [details]
Patch
So I took Wayne's patch(basically your patch Denis) and decided to apply it to the copy-devices.diff before using it on code. Not the most brilliant way I am afraid but at least this way I don't have to add new code from the rsync-patches repo and just fix this one issue. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: rsync security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:8291 |
Recently I've got a sigsegv of rsync rebuilt from RH 7 src.rpm, reported by abrt However, it looks like the same problem can appear with any modern version. The problem lies in the following line: rsync.c:408: if (i < 0 || !S_ISREG(cur_flist->files[i]->mode)) { What we expect to get in cur_flist->files[i] if 'i < 0' ? It is very likely that we will not have any access violation, but in my case I was unlucky and got sigsegv with i == -1: Backtrace: Program terminated with signal 11, Segmentation fault. #0 read_ndx_and_attrs (f_in=f_in@entry=3, f_out=f_out@entry=3, iflag_ptr=iflag_ptr@entry=0x7ffef8f60488, type_ptr=type_ptr@entry=0x7ffef8f60487 "\200\b", buf=buf@entry=0x7ffef8f61520 "", len_ptr=len_ptr@entry=0x7ffef8f6048c) at rsync.c:408 408 struct file_struct *file = cur_flist->files[i]; (gdb) bt #0 read_ndx_and_attrs (f_in=f_in@entry=3, f_out=f_out@entry=3, iflag_ptr=iflag_ptr@entry=0x7ffef8f60488, type_ptr=type_ptr@entry=0x7ffef8f60487 "\200\b", buf=buf@entry=0x7ffef8f61520 "", len_ptr=len_ptr@entry=0x7ffef8f6048c) at rsync.c:408 #1 0x00005581443857b5 in send_files (f_in=f_in@entry=3, f_out=f_out@entry=3) at sender.c:218 #2 0x000055814438f621 in client_run (f_in=3, f_out=3, pid=pid@entry=-1, argc=argc@entry=1, argv=argv@entry=0x5581446cb240) at main.c:1167 #3 0x00005581443b35da in start_socket_client (host=<optimized out>, remote_argc=remote_argc@entry=1, remote_argv=remote_argv@entry=0x5581446cb248, argc=argc@entry=1, argv=argv@entry=0x5581446cb240) at clientserver.c:133 #4 0x0000558144372404 in start_client (argv=0x5581446cb240, argc=1) at main.c:1380 #5 main (argc=2, argv=0x5581446cb240) at main.c:1757 (gdb) p i $2 = -1 (gdb) p ndx $3 = 636051 (gdb) p cur_flist->ndx_start; Invalid character ';' in expression. (gdb) p cur_flist->ndx_start $4 = 636052 (gdb)