Bug 442761

Summary: *** glibc detected *** /usr/lib/rpm/rpmk: free(): invalid next size (normal): 0x0000000001f5fee0 ***
Classification: Fedora
Product: Fedora
Reporter: Bill Nottingham <notting>
Component: rpm
Assignee: Panu Matilainen <pmatilai>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 9
CC: herrold, jnovy, pnasrat, rvokal
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-07 09:28:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Bill Nottingham 2008-04-16 17:19:33 UTC
Description of problem:

konq-plugins-4.0.3-0.1.20080409svn.fc9.ppc.rpm:
gpg: WARNING: standard input reopened
*** glibc detected *** /usr/lib/rpm/rpmk: free(): invalid next size (normal): 0x0000000001f5fee0 ***
======= Backtrace: =========
/lib64/libc.so.6[0x305fc78158]
/lib64/libc.so.6(cfree+0x76)[0x305fc7a796]
/lib64/libc.so.6(qsort_r+0x308)[0x305fc34ee8]
/usr/lib64/librpmdb-4.4.so[0x3061c2b12f]
/usr/lib64/librpmdb-4.4.so[0x3061c2cd44]
/usr/lib64/librpmdb-4.4.so[0x3061c2d7e1]
/usr/lib64/librpm-4.4.so[0x3062446e09]
/usr/lib64/librpm-4.4.so(rpmAddSignature+0x20a)[0x30624472fa]
/usr/lib64/librpm-4.4.so[0x306242e08b]
/usr/lib64/librpm-4.4.so(rpmcliSign+0x24d)[0x306242fbfd]
/usr/lib/rpm/rpmk[0x401f5e]
/lib64/libc.so.6(__libc_start_main+0xfa)[0x305fc1e32a]
/usr/lib/rpm/rpmk[0x401859]
======= Memory map: ========
00110000-00126000 r-xp 00000000 08:02 10971936 /lib64/libgcc_s-4.3.0-20080416.so.1
00126000-00325000 ---p 00016000 08:02 10971936 /lib64/libgcc_s-4.3.0-20080416.so.1
00325000-00326000 rw-p 00015000 08:02 10971936 /lib64/libgcc_s-4.3.0-20080416.so.1
00400000-00403000 r-xp 00000000 08:02 9727600 /usr/lib/rpm/rpmk
00602000-00604000 rw-p 00002000 08:02 9727600 /usr/lib/rpm/rpmk
00604000-0063d000 r-xp 00000000 08:02 10972059 /lib64/libsoftokn3.so
0063d000-0083c000 ---p 00039000 08:02 10972059 /lib64/libsoftokn3.so
0083c000-0083e000 rw-p 00038000 08:02 10972059 /lib64/libsoftokn3.so
0083e000-00890000 r-xp 00000000 08:02 9481928 /lib64/libfreebl3.so
00890000-00a90000 ---p 00052000 08:02 9481928 /lib64/libfreebl3.so
00a90000-00a91000 rw-p 00052000 08:02 9481928 /lib64/libfreebl3.so
01eab000-01f80000 rw-p 01eab000 00:00 0 [heap]
305f800000-305f81d000 r-xp 00000000 08:02 9481853 /lib64/ld-2.8.so
305fa1c000-305fa1d000 r--p 0001c000 08:02 9481853 /lib64/ld-2.8.so
305fa1d000-305fa1e000 rw-p 0001d000 08:02 9481853 /lib64/ld-2.8.so
305fc00000-305fd62000 r-xp 00000000 08:02 11004774 /lib64/libc-2.8.so
305fd62000-305ff62000 ---p 00162000 08:02 11004774 /lib64/libc-2.8.so
305ff62000-305ff66000 r--p 00162000 08:02 11004774 /lib64/libc-2.8.so
305ff66000-305ff67000 rw-p 00166000 08:02 11004774 /lib64/libc-2.8.so
305ff67000-305ff6c000 rw-p 305ff67000 00:00 0
3060000000-3060084000 r-xp 00000000 08:02 11004857 /lib64/libm-2.8.so
3060084000-3060283000 ---p 00084000 08:02 11004857 /lib64/libm-2.8.so
3060283000-3060284000 r--p 00083000 08:02 11004857 /lib64/libm-2.8.so
3060284000-3060285000 rw-p 00084000 08:02 11004857 /lib64/libm-2.8.so
3060400000-3060402000 r-xp 00000000 08:02 11004848 /lib64/libdl-2.8.so
3060402000-3060602000 ---p 00002000 08:02 11004848 /lib64/libdl-2.8.so
3060602000-3060603000 r--p 00002000 08:02 11004848 /lib64/libdl-2.8.so
3060603000-3060604000 rw-p 00003000 08:02 11004848 /lib64/libdl-2.8.so
3060800000-3060816000 r-xp 00000000 08:02 11004860 /lib64/libpthread-2.8.so
3060816000-3060a15000 ---p 00016000 08:02 11004860 /lib64/libpthread-2.8.so
3060a15000-3060a16000 r--p 00015000 08:02 11004860 /lib64/libpthread-2.8.so
3060a16000-3060a17000 rw-p 00016000 08:02 11004860 /lib64/libpthread-2.8.so
3060a17000-3060a1b000 rw-p 3060a17000 00:00 0
3060c00000-3060c1a000 r-xp 00000000 08:02 11004849 /lib64/libselinux.so.1
3060c1a000-3060e19000 ---p 0001a000 08:02 11004849 /lib64/libselinux.so.1
3060e19000-3060e1a000 r--p 00019000 08:02 11004849 /lib64/libselinux.so.1
3060e1a000-3060e1b000 rw-p 0001a000 08:02 11004849 /lib64/libselinux.so.1
3060e1b000-3060e1c000 rw-p 3060e1b000 00:00 0
3061000000-3061015000 r-xp 00000000 08:02 11004856 /lib64/libz.so.1.2.3
3061015000-3061214000 ---p 00015000 08:02 11004856 /lib64/libz.so.1.2.3
3061214000-3061215000 rw-p 00014000 08:02 11004856 /lib64/libz.so.1.2.3
3061400000-3061463000 r-xp 00000000 08:02 4437905 /usr/lib64/librpmio-4.4.so
3061463000-3061662000 ---p 00063000 08:02 4437905 /usr/lib64/librpmio-4.4.so
3061662000-3061667000 rw-p 00062000 08:02 4437905 /usr/lib64/librpmio-4.4.so
3061667000-3061689000 rw-p 3061667000 00:00 0
3061800000-3061807000 r-xp 00000000 08:02 11004862 /lib64/librt-2.8.so
3061807000-3061a07000 ---p 00007000 08:02 11004862 /lib64/librt-2.8.so
3061a07000-3061a08000 r--p 00007000 08:02 11004862 /lib64/librt-2.8.so
3061a08000-3061a09000 rw-p 00008000 08:02 11004862 /lib64/librt-2.8.so
3061c00000-3061d19000 r-xp 00000000 08:02 5634596 /usr/lib64/librpmdb-4.4.so
3061d19000-3061f18000 ---p 00119000 08:02 5634596 /usr/lib64/librpmdb-4.4.so
3061f18000-3061f1f000 rw-p 00118000 08:02 5634596 /usr/lib64/librpmdb-4.4.so
3061f1f000-3061f20000 rw-p 3061f1f000 00:00 0
3062400000-306245c000 r-xp 00000000 08:02 4438127 /usr/lib64/librpm-4.4.so
306245c000-306265b000 ---p 0005c000 08:02 4438127 /usr/lib64/librpm-4.4.so
306265b000-3062660000 rw-p 0005b000 08:02 4438127 /usr/lib64/librpm-4.4.so
3062660000-3062693000 rw-p 3062660000 00:00 0
306e000000-306e008000 r-xp 00000000 08:02 11004879 /lib64/libpopt.so.0.0.0
306e008000-306e208000 ---p 00008000 08:02 11004879 /lib64/libpopt.so.0.0.0
306e208000-306e209000 rw-p 00008000 08:02 11004879 /lib64/libpopt.so.0.0.0
306f400000-306f46c000 r-xp 00000000 08:02 281896 /usr/lib64/libsqlite3.so.0.8.6
306f46c000-306f66c000 ---p 0006c000 08:02 281896 /usr/lib64/libsqlite3.so.0.8.6
306f66c000-306f66f000 rw-p 0006c000 08:02 281896 /usr/lib64/libsqlite3.so.0.8.6
306f800000-306f813000 r-xp 00000000 08:02 4438077 /usr/lib64/libelf-0.133.so
306f813000-306fa12000 ---p 00013000 08:02 4438077 /usr/lib64/libelf-0.133.so
306fa12000-306fa13000 r--p 00012000 08:02 4438077 /usr/lib64/libelf-0.133.so
306fa13000-306fa14000 rw-p 00013000 08:02 4438077 /usr/lib64/libelf-0.133.so
3070000000-3070003000 r-xp 00000000 08:02 11004889 /lib64/libplds4.so
3070003000-3070202000 ---p 00003000 08:02 11004889 /lib64/libplds4.so
3070202000-3070203000 rw-p 00002000 08:02 11004889 /lib64/libplds4.so
3071800000-3071804000 r-xp 00000000 08:02 11004890 /lib64/libplc4.so
3071804000-3071a03000 ---p 00004000 08:02 11004890 /lib64/libplc4.so
3071a03000-3071a04000 rw-p 00003000 08:02 11004890 /lib64/libplc4.so
3071c00000-3071c37000 r-xp 00000000 08:02 11004888 /lib64/libnspr4.so
3071c37000-3071e37000 ---p 00037000 08:02 11004888 /lib64/libnspr4.so
3071e37000-3071e39000 rw-p 00037000 08:02 11004888 /lib64/libnspr4.so
3071e39000-3071e3c000 rw-p 3071e39000 00:00 0
3072400000-3072541000 r-xp 00000000 08:02 11004893 /lib64/libnss3.so
3072541000-3072740000 ---p 00141000 08:02 11004893 /lib64/libnss3.so
3072740000-3072749000 rw-p 00140000 08:02 11004893 /lib64/libnss3.so
3072749000-307274a000 rw-p 3072749000 00:00 0
3075800000-3075818000 r-xp 00000000 08:02 11004892 /lib64/libnssutil3.so
3075818000-3075a18000 ---p 00018000 08:02 11004892 /lib64/libnssutil3.so
3075a18000-3075a1d000 rw-p 00018000 08:02 11004892 /lib64/libnssutil3.so
34f0800000-34f080f000 r-xp 00000000 08:02 10971925 /lib64/libbz2.so.1.0.4
34f080f000-34f0a0e000 ---p 0000f000 08:02 10971925 /lib64/libbz2.so.1.0.4
34f0a0e000-34f0a10000 rw-p 0000e000 08:02 10971925 /lib64/libbz2.so.1.0.4
7f8748000000-7f8748021000 rw-p 7f8748000000 00:00 0
7f8748021000-7f874c000000 ---p 7f8748021000 00:00 0
7f874ccf0000-7f87518a1000 r--p 00000000 08:02 361150 /usr/lib/locale/locale-archive

Happened when signing a package.

Version-Release number of selected component (if applicable):

rpm-4.4.2.3-1.fc9.x86_64
glibc-2.8-1.x86_64

How reproducible:

Every time.

Comment 1 Bill Nottingham 2008-04-16 17:38:01 UTC
[Switching to Thread 0x7f44ba60a780 (LWP 8895)]
0x000000305fc32215 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0x000000305fc32215 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x000000305fc33d83 in abort () at abort.c:88
#2  0x000000305fc72858 in __libc_message (do_abort=<value optimized out>, fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3  0x000000305fc78158 in malloc_printerr (action=<value optimized out>, str=<value optimized out>, ptr=<value optimized out>) at malloc.c:5949
#4  0x000000305fc7a796 in __libc_free (mem=<value optimized out>) at malloc.c:3625
#5  0x000000305fc34ee8 in qsort_r (b=<value optimized out>, n=<value optimized out>, s=<value optimized out>, cmp=<value optimized out>, arg=<value optimized out>) at msort.c:296
#6  0x0000003061c2b12f in headerSort (h=<value optimized out>) at header.c:266
#7  0x0000003061c2cd44 in doHeaderUnload (h=<value optimized out>, lengthPtr=<value optimized out>) at header.c:859
#8  0x0000003061c2d7e1 in headerWrite (fd=<value optimized out>, h=<value optimized out>, magicp=<value optimized out>) at header.c:1348
#9  0x0000003062446e09 in makeHDRSignature (sigh=<value optimized out>, file=<value optimized out>, sigTag=<value optimized out>, passPhrase=<value optimized out>) at ../rpmdb/hdrinline.h:220
#10 0x00000030624472fa in rpmAddSignature (sigh=<value optimized out>, file=<value optimized out>, sigTag=<value optimized out>, passPhrase=<value optimized out>) at signature.c:842
#11 0x000000306242e08b in rpmReSign (ts=<value optimized out>, qva=<value optimized out>, argv=<value optimized out>) at rpmchecksig.c:329
#12 0x000000306242fbfd in rpmcliSign (ts=<value optimized out>, qva=<value optimized out>, argv=<value optimized out>) at rpmchecksig.c:1079
#13 0x0000000000401f5e in main (argc=5, argv=<value optimized out>) at ./rpmqv.c:840


Comment 2 Bill Nottingham 2008-04-16 17:42:05 UTC
valgrind says:
Pass phrase is good.
gpg: WARNING: standard input reopened
==9094== 
==9094== Invalid read of size 4
==9094==    at 0x3061C2BC8B: regionSwab (header.c:563)
==9094==    by 0x3061C2CA3D: doHeaderUnload (header.c:777)
==9094==    by 0x3061C2D7E0: headerWrite (header.c:1348)
==9094==    by 0x3062446E08: makeHDRSignature (hdrinline.h:220)
==9094==    by 0x30624472F9: rpmAddSignature (signature.c:842)
==9094==    by 0x306242E08A: rpmReSign (rpmchecksig.c:329)
==9094==    by 0x306242FBFC: rpmcliSign (rpmchecksig.c:1079)
==9094==    by 0x401F5D: main (rpmqv.c:840)
==9094==  Address 0x508a648 is 0 bytes after a block of size 150,440 alloc'd
==9094==    at 0x4A0739E: malloc (vg_replace_malloc.c:207)
==9094==    by 0x3061C2C8B8: doHeaderUnload (header.c:704)
==9094==    by 0x3061C2D7E0: headerWrite (header.c:1348)
==9094==    by 0x3062446E08: makeHDRSignature (hdrinline.h:220)
==9094==    by 0x30624472F9: rpmAddSignature (signature.c:842)
==9094==    by 0x306242E08A: rpmReSign (rpmchecksig.c:329)
==9094==    by 0x306242FBFC: rpmcliSign (rpmchecksig.c:1079)
==9094==    by 0x401F5D: main (rpmqv.c:840)
==9094== 
==9094== Invalid write of size 4
==9094==    at 0x3061C2BC91: regionSwab (header.c:563)
==9094==    by 0x3061C2CA3D: doHeaderUnload (header.c:777)
==9094==    by 0x3061C2D7E0: headerWrite (header.c:1348)
==9094==    by 0x3062446E08: makeHDRSignature (hdrinline.h:220)
==9094==    by 0x30624472F9: rpmAddSignature (signature.c:842)
==9094==    by 0x306242E08A: rpmReSign (rpmchecksig.c:329)
==9094==    by 0x306242FBFC: rpmcliSign (rpmchecksig.c:1079)
==9094==    by 0x401F5D: main (rpmqv.c:840)
==9094==  Address 0x508a648 is 0 bytes after a block of size 150,440 alloc'd
==9094==    at 0x4A0739E: malloc (vg_replace_malloc.c:207)
==9094==    by 0x3061C2C8B8: doHeaderUnload (header.c:704)
==9094==    by 0x3061C2D7E0: headerWrite (header.c:1348)
==9094==    by 0x3062446E08: makeHDRSignature (hdrinline.h:220)
==9094==    by 0x30624472F9: rpmAddSignature (signature.c:842)
==9094==    by 0x306242E08A: rpmReSign (rpmchecksig.c:329)
==9094==    by 0x306242FBFC: rpmcliSign (rpmchecksig.c:1079)
==9094==    by 0x401F5D: main (rpmqv.c:840)
==9094== 
==9094== Invalid read of size 1
==9094==    at 0x3061C2A647: dataLength (header.c:415)
==9094==    by 0x3061C2BB3F: regionSwab (header.c:513)
==9094==    by 0x3061C2CA3D: doHeaderUnload (header.c:777)
==9094==    by 0x3061C2D7E0: headerWrite (header.c:1348)
==9094==    by 0x3062446E08: makeHDRSignature (hdrinline.h:220)
==9094==    by 0x30624472F9: rpmAddSignature (signature.c:842)
==9094==    by 0x306242E08A: rpmReSign (rpmchecksig.c:329)
==9094==    by 0x306242FBFC: rpmcliSign (rpmchecksig.c:1079)
==9094==    by 0x401F5D: main (rpmqv.c:840)
==9094==  Address 0x508ca84 is not stack'd, malloc'd or (recently) free'd
--9094-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--9094-- si_code=1;  Faulting address: 0xA6B1C158;  sp: 0x402E8BE50

valgrind: the 'impossible' happened:
   Killed by fatal signal
==9094==    at 0x3802421D: vgPlain_arena_malloc (m_mallocfree.c:206)
==9094==    by 0x38002A75: vgMemCheck_new_block (mc_malloc_wrappers.c:195)
==9094==    by 0x38002E74: vgMemCheck_malloc (mc_malloc_wrappers.c:226)
==9094==    by 0x38038051: vgPlain_scheduler (scheduler.c:1269)
==9094==    by 0x38048620: run_a_thread_NORETURN (syswrap-linux.c:89)



Comment 3 Bill Nottingham 2008-04-16 17:54:41 UTC
test rpm is at http://notting.fedorapeople.org/test.rpm

Comment 4 Kevin Kofler 2008-04-16 18:04:11 UTC
Looks like this package got corrupted by the build system file system issues. 
The way RPM reacts to it scares me though, looks like a potential security 
hole!

Comment 5 Panu Matilainen 2008-04-18 06:01:30 UTC
Yup, easily reproduced. The package is corrupted alright and other paths notice
something funny about it:
[pmatilai@localhost rpm-4.4.x]$ ./rpmk -Kvv /tmp/test.rpm 
D: Expected size:      1625030 = lead(96)+sigs(180)+pad(4)+data(1624750)
D:   Actual size:      1625030
error: /tmp/test.rpm: headerGetEntry failed
D: May free Score board((nil))

[pmatilai@localhost rpm-4.4.x]$ ./rpmq -qp /tmp/test.rpm 
warning: /tmp/test.rpm: Header SHA1 digest: NOKEY
konq-plugins-4.0.3-0.1.20080409svn.fc9.ppc

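The size line Panu's `rpmk -Kvv` prints above (lead(96) + sigs + pad + data) and the valgrind report in comment 2 (regionSwab reading and writing 4 bytes "0 bytes after" the block doHeaderUnload had just allocated) are two views of the same thing: an index entry in the corrupted header whose data lies outside the header's data store, which the signing path walked through instead of rejecting. The reader below is an added example and not rpm's own code. It does the same size arithmetic as rpmk and refuses any entry whose offset or length reaches past the data store. The 96-byte lead, the header magic, the 8-byte padding of the signature header and tags 1000 (RPMSIGTAG_SIZE) and 1004 (RPMSIGTAG_MD5) are real rpm layout values; the function names are mine, and the sample package it builds is constructed for the example and is not the test.rpm from comment 3.

```python
# Added example, not rpm's code: a bounds-checked reader for the RPM lead /
# signature header / header layout.  It does the size arithmetic `rpmk -Kvv`
# prints and rejects any index entry that reaches outside the header data
# store.  Layout constants and tags 1000 (SIZE) / 1004 (MD5) are real rpm
# values; the sample package built at the bottom is constructed, not test.rpm.
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
LEAD_SIZE = 96
RPMSIGTAG_SIZE = 1000
# rpm header data types -> size of one element; None = NUL-terminated strings
TYPE_SIZE = {0: 0, 1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: None, 7: 1, 8: None, 9: None}

class HeaderError(ValueError):
    pass

def _entry_length(data, off, typ, count):
    """Byte length of one entry's data, never looking outside `data`."""
    if typ not in TYPE_SIZE:
        raise HeaderError(f"unknown type {typ}")
    if TYPE_SIZE[typ] is not None:
        return TYPE_SIZE[typ] * count
    pos = off
    for _ in range(count):                  # STRING has count 1, arrays N
        end = data.find(b"\x00", pos)
        if end < 0:
            raise HeaderError(f"unterminated string at offset {pos}")
        pos = end + 1
    return pos - off

def parse_header(buf, start):
    """Parse one header structure at buf[start:]; return ({tag: bytes}, end)."""
    if len(buf) < start + 16 or buf[start:start + 4] != HEADER_MAGIC:
        raise HeaderError("bad or truncated header intro")
    nindex, hsize = struct.unpack(">II", buf[start + 8:start + 16])
    data_start = start + 16 + nindex * 16
    data_end = data_start + hsize
    if data_end > len(buf):
        raise HeaderError("header claims more bytes than the file holds")
    data = buf[data_start:data_end]
    entries = {}
    for i in range(nindex):
        ent = start + 16 + 16 * i
        tag, typ, off, count = struct.unpack(">IIII", buf[ent:ent + 16])
        # Check the entry against hsize before touching its data; the valgrind
        # trace in this bug is regionSwab() reading and writing just past it.
        if off > hsize:
            raise HeaderError(f"tag {tag}: offset {off} beyond data store ({hsize})")
        length = _entry_length(data, off, typ, count)
        if off + length > hsize:
            raise HeaderError(f"tag {tag}: {length} bytes at {off} overrun data store ({hsize})")
        entries[tag] = data[off:off + length]
    return entries, data_end

def expected_size(buf):
    """The arithmetic `rpmk -Kvv` prints: lead + sigs + pad + data."""
    if len(buf) < LEAD_SIZE or buf[:4] != LEAD_MAGIC:
        raise HeaderError("bad or truncated lead")
    sigs, sig_end = parse_header(buf, LEAD_SIZE)
    sig_len = sig_end - LEAD_SIZE
    pad = -sig_len % 8                      # signature header is padded to 8 bytes
    if len(sigs.get(RPMSIGTAG_SIZE, b"")) != 4:
        raise HeaderError("signature header lacks a 32-bit SIZE tag")
    data = struct.unpack(">I", sigs[RPMSIGTAG_SIZE])[0]
    parse_header(buf, sig_end + pad)        # main header gets the same checks
    return {"lead": LEAD_SIZE, "sigs": sig_len, "pad": pad, "data": data,
            "expected": LEAD_SIZE + sig_len + pad + data, "actual": len(buf)}

def check_rpm(buf):
    """(True, size info) for a consistent file, (False, reason) otherwise."""
    try:
        info = expected_size(buf)
    except HeaderError as exc:
        return False, str(exc)
    if info["expected"] != info["actual"]:
        return False, f"expected {info['expected']} bytes, got {info['actual']}"
    return True, info

def build_header(entries):
    """Assemble a header from (tag, type, payload, count) tuples (constructed)."""
    index, data = b"", b""
    for tag, typ, payload, count in entries:
        if typ in (3, 4, 5):                # rpm aligns integer data
            data += b"\x00" * (-len(data) % TYPE_SIZE[typ])
        index += struct.pack(">IIII", tag, typ, len(data), count)
        data += payload
    return HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", len(entries), len(data)) + index + data

def build_sample(corrupt=False):
    """Constructed 337-byte stand-in: lead + signature header + header + payload."""
    lead = LEAD_MAGIC + b"\x03\x00" + b"\x00" * 72 + b"\x00\x05" + b"\x00" * 16
    payload = b"\x1f\x8b" + b"A" * 100      # stand-in for the compressed archive
    main_hdr = build_header([(1000, 6, b"konq-plugins\x00", 1), (1001, 6, b"4.0.3\x00", 1)])
    sig_hdr = build_header([(RPMSIGTAG_SIZE, 4, struct.pack(">I", len(main_hdr) + len(payload)), 1),
                            (1004, 7, bytes(range(16)), 16)])   # 1004 = RPMSIGTAG_MD5
    if corrupt:
        # Point the MD5 entry at the end of the store: its 16 bytes would then
        # start "0 bytes after" the block, as in the valgrind report above.
        hsize = struct.unpack(">I", sig_hdr[12:16])[0]
        sig_hdr = sig_hdr[:40] + struct.pack(">I", hsize) + sig_hdr[44:]   # 2nd entry's offset field
    return lead + sig_hdr + b"\x00" * (-len(sig_hdr) % 8) + main_hdr + payload
```

On a real package, `check_rpm(open(path, "rb").read())` yields the same four numbers rpmk prints (for the sample above: lead 96, sigs 68, pad 4, data 169). The corrupted variant is rejected at the index entry with "tag 1004: 16 bytes at 20 overrun data store (20)" before any of its data is read, which is the difference between an error message and the heap corruption in the backtrace above.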

Comment 6 Panu Matilainen 2008-05-08 06:11:29 UTC
Fixed upstream.

Comment 7 Bug Zapper 2008-05-14 09:32:32 UTC
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 8 Panu Matilainen 2008-07-14 12:08:35 UTC
Fixed by the new rpm in rawhide, but deserves a fix in 4.4.x branch (and F8+9)
too...

Comment 9 Fedora Update System 2008-12-18 00:37:05 UTC
rpm-4.4.2.3-3.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing-newkey update rpm'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-11390

Comment 10 Fedora Update System 2009-01-07 09:28:31 UTC
rpm-4.4.2.3-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.