Bug 442761
Summary: | *** glibc detected *** /usr/lib/rpm/rpmk: free(): invalid next size (normal): 0x0000000001f5fee0 *** | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Bill Nottingham <notting> |
Component: | rpm | Assignee: | Panu Matilainen <pmatilai> |
Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | 9 | CC: | herrold, jnovy, pnasrat, rvokal |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2009-01-07 09:28:58 UTC | Type: | --- |
Description
Bill Nottingham
2008-04-16 17:19:33 UTC
```
[Switching to Thread 0x7f44ba60a780 (LWP 8895)]
0x000000305fc32215 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0x000000305fc32215 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x000000305fc33d83 in abort () at abort.c:88
#2  0x000000305fc72858 in __libc_message (do_abort=<value optimized out>, fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3  0x000000305fc78158 in malloc_printerr (action=<value optimized out>, str=<value optimized out>, ptr=<value optimized out>) at malloc.c:5949
#4  0x000000305fc7a796 in __libc_free (mem=<value optimized out>) at malloc.c:3625
#5  0x000000305fc34ee8 in qsort_r (b=<value optimized out>, n=<value optimized out>, s=<value optimized out>, cmp=<value optimized out>, arg=<value optimized out>) at msort.c:296
#6  0x0000003061c2b12f in headerSort (h=<value optimized out>) at header.c:266
#7  0x0000003061c2cd44 in doHeaderUnload (h=<value optimized out>, lengthPtr=<value optimized out>) at header.c:859
#8  0x0000003061c2d7e1 in headerWrite (fd=<value optimized out>, h=<value optimized out>, magicp=<value optimized out>) at header.c:1348
#9  0x0000003062446e09 in makeHDRSignature (sigh=<value optimized out>, file=<value optimized out>, sigTag=<value optimized out>, passPhrase=<value optimized out>) at ../rpmdb/hdrinline.h:220
#10 0x00000030624472fa in rpmAddSignature (sigh=<value optimized out>, file=<value optimized out>, sigTag=<value optimized out>, passPhrase=<value optimized out>) at signature.c:842
#11 0x000000306242e08b in rpmReSign (ts=<value optimized out>, qva=<value optimized out>, argv=<value optimized out>) at rpmchecksig.c:329
#12 0x000000306242fbfd in rpmcliSign (ts=<value optimized out>, qva=<value optimized out>, argv=<value optimized out>) at rpmchecksig.c:1079
#13 0x0000000000401f5e in main (argc=5, argv=<value optimized out>) at ./rpmqv.c:840
```

valgrind says:

```
Pass phrase is good.
gpg: WARNING: standard input reopened
==9094==
==9094== Invalid read of size 4
==9094==    at 0x3061C2BC8B: regionSwab (header.c:563)
==9094==    by 0x3061C2CA3D: doHeaderUnload (header.c:777)
==9094==    by 0x3061C2D7E0: headerWrite (header.c:1348)
==9094==    by 0x3062446E08: makeHDRSignature (hdrinline.h:220)
==9094==    by 0x30624472F9: rpmAddSignature (signature.c:842)
==9094==    by 0x306242E08A: rpmReSign (rpmchecksig.c:329)
==9094==    by 0x306242FBFC: rpmcliSign (rpmchecksig.c:1079)
==9094==    by 0x401F5D: main (rpmqv.c:840)
==9094==  Address 0x508a648 is 0 bytes after a block of size 150,440 alloc'd
==9094==    at 0x4A0739E: malloc (vg_replace_malloc.c:207)
==9094==    by 0x3061C2C8B8: doHeaderUnload (header.c:704)
==9094==    by 0x3061C2D7E0: headerWrite (header.c:1348)
==9094==    by 0x3062446E08: makeHDRSignature (hdrinline.h:220)
==9094==    by 0x30624472F9: rpmAddSignature (signature.c:842)
==9094==    by 0x306242E08A: rpmReSign (rpmchecksig.c:329)
==9094==    by 0x306242FBFC: rpmcliSign (rpmchecksig.c:1079)
==9094==    by 0x401F5D: main (rpmqv.c:840)
==9094==
==9094== Invalid write of size 4
==9094==    at 0x3061C2BC91: regionSwab (header.c:563)
==9094==    by 0x3061C2CA3D: doHeaderUnload (header.c:777)
==9094==    by 0x3061C2D7E0: headerWrite (header.c:1348)
==9094==    by 0x3062446E08: makeHDRSignature (hdrinline.h:220)
==9094==    by 0x30624472F9: rpmAddSignature (signature.c:842)
==9094==    by 0x306242E08A: rpmReSign (rpmchecksig.c:329)
==9094==    by 0x306242FBFC: rpmcliSign (rpmchecksig.c:1079)
==9094==    by 0x401F5D: main (rpmqv.c:840)
==9094==  Address 0x508a648 is 0 bytes after a block of size 150,440 alloc'd
==9094==    at 0x4A0739E: malloc (vg_replace_malloc.c:207)
==9094==    by 0x3061C2C8B8: doHeaderUnload (header.c:704)
==9094==    by 0x3061C2D7E0: headerWrite (header.c:1348)
==9094==    by 0x3062446E08: makeHDRSignature (hdrinline.h:220)
==9094==    by 0x30624472F9: rpmAddSignature (signature.c:842)
==9094==    by 0x306242E08A: rpmReSign (rpmchecksig.c:329)
==9094==    by 0x306242FBFC: rpmcliSign (rpmchecksig.c:1079)
==9094==    by 0x401F5D: main (rpmqv.c:840)
==9094==
==9094== Invalid read of size 1
==9094==    at 0x3061C2A647: dataLength (header.c:415)
==9094==    by 0x3061C2BB3F: regionSwab (header.c:513)
==9094==    by 0x3061C2CA3D: doHeaderUnload (header.c:777)
==9094==    by 0x3061C2D7E0: headerWrite (header.c:1348)
==9094==    by 0x3062446E08: makeHDRSignature (hdrinline.h:220)
==9094==    by 0x30624472F9: rpmAddSignature (signature.c:842)
==9094==    by 0x306242E08A: rpmReSign (rpmchecksig.c:329)
==9094==    by 0x306242FBFC: rpmcliSign (rpmchecksig.c:1079)
==9094==    by 0x401F5D: main (rpmqv.c:840)
==9094==  Address 0x508ca84 is not stack'd, malloc'd or (recently) free'd
--9094-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--9094-- si_code=1;  Faulting address: 0xA6B1C158;  sp: 0x402E8BE50

valgrind: the 'impossible' happened:
   Killed by fatal signal
==9094==    at 0x3802421D: vgPlain_arena_malloc (m_mallocfree.c:206)
==9094==    by 0x38002A75: vgMemCheck_new_block (mc_malloc_wrappers.c:195)
==9094==    by 0x38002E74: vgMemCheck_malloc (mc_malloc_wrappers.c:226)
==9094==    by 0x38038051: vgPlain_scheduler (scheduler.c:1269)
==9094==    by 0x38048620: run_a_thread_NORETURN (syswrap-linux.c:89)
```

test rpm is at http://notting.fedorapeople.org/test.rpm

Looks like this package got corrupted by the build system file system issues. The way RPM reacts to it scares me though, looks like a potential security hole!

Yup, easily reproduced. The package is corrupted alright and other paths notice something funny about it:

```
[pmatilai@localhost rpm-4.4.x]$ ./rpmk -Kvv /tmp/test.rpm
D: Expected size: 1625030 = lead(96)+sigs(180)+pad(4)+data(1624750)
D: Actual size: 1625030
error: /tmp/test.rpm: headerGetEntry failed
D: May free Score board((nil))
[pmatilai@localhost rpm-4.4.x]$ ./rpmq -qp /tmp/test.rpm
warning: /tmp/test.rpm: Header SHA1 digest: NOKEY
konq-plugins-4.0.3-0.1.20080409svn.fc9.ppc
```

Fixed upstream.

Changing version to '9' as part of upcoming Fedora 9 GA. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Fixed by the new rpm in rawhide, but deserves a fix in 4.4.x branch (and F8+9) too...

rpm-4.4.2.3-3.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing-newkey update rpm'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-11390

rpm-4.4.2.3-3.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.