Bug 83315

Summary: crash when reading package header on some bad formed files.
Product: [Retired] Red Hat Linux Reporter: Fabrice Bellet <fabrice>
Component: librpm404Assignee: Jeff Johnson <jbj>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 8.0   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-02-21 18:51:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Fabrice Bellet 2003-02-02 12:08:01 UTC 
Description of problem:

rpm2html crashes when reading package header of some wrong formed RPMS
packages, using librpm404 (rpm-4.1 is safe, but I cannot use it to 
reindex my whole rpm database on fr2.rpmfind.net, because there are
performance issues. The same amount of input rpm requires 4 hours
processing with rpm-4.0.4, and 12 hours with rpm-4.1 libs)

Version-Release number of selected component (if applicable):
Red Hat 8.0, librpm4.0.4

How reproducible:

when rpm2html parses bad formed RPM packages, for example in
ftp3.sourceforge.net/pub/sourceforge/celticlegend/celticlegends-0.11-beta.i386.rpm

The stack is :

rpm2html: indexing /var/ftp/linux/sourceforge
indexing SourceForge
Scanning directory /var/ftp/linux/sourceforge for RPMs
warning: Expected size:      1291231 = lead(96)+sigs(100)+pad(4)+data(1291031)
warning:   Actual size:      1294910

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 8192 (LWP 31269)]
0x4011eda2 in regionSwab (entry=0x8081e6c, il=33, dl=2010, pe=0x8083d48, 
    dataStart=0x8083f58 "", regionid=-800) at header.c:470
470                     *it = htons(*it);
(gdb) bt
#0  0x4011eda2 in regionSwab (entry=0x8081e6c, il=33, dl=2010, pe=0x8083d48, 
    dataStart=0x8083f58 "", regionid=-800) at header.c:470
#1  0x4011fc4e in headerLoad (uh=0x8083c30) at header.c:931
#2  0x401203a7 in headerRead (fd=0x80818c8, magicp=HEADER_MAGIC_YES)
    at header.c:1168
#3  0x40127aa3 in headerRead (fd=0x80818c8, magicp=HEADER_MAGIC_YES)
    at hdrinline.h:203
#4  0x401276c3 in readPackageHeaders (fd=0x80818c8, leadPtr=0xbffff230, 
    sigs=0xbffff22c, hdrPtr=0xbffff2c8) at package.c:182
#5  0x40127975 in rpmReadPackageHeader (fd=0x80818c8, hdrp=0xbffff2c8, 
    isSource=0xbffff2cc, major=0x0, minor=0x0) at package.c:266
#6  0x08059729 in rpmOpen (
    nameRpm=0x80808eb "celticlegends-0.11-beta.i386.rpm", dir=0x807be08, 
    tree=0x8080808) at rpmopen.c:1022
#7  0x08059bd3 in rpmOneDirScan (dir=0x807be08, tree=0x8080808)
    at rpmopen.c:1244
#8  0x08059b92 in rpmOneDirScan (dir=0x807be08, tree=0x807f740)
    at rpmopen.c:1271
#9  0x08059d37 in rpmDirScan (dir=0x807be08, tree=0x806c7e0) at rpmopen.c:1309
#10 0x0805a060 in rpmDirScanOneDir (directory=0x807be08 "P¼\a\b")
    at rpmopen.c:1446
#11 0x08055661 in main (argc=4, argv=0xbffff8b4) at rpm2html.c:180
#12 0x420158d4 in __libc_start_main () from /lib/i686/libc.so.6

(gdb) b rpmReadSignature
Breakpoint 1 at 0x4013a72c: file signature.c, line 160.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/bellet/cvs/rpm2html-rpm404/rpm2html -dir
/var/ftp/linux/sourceforge rpm2html-local.config
Breakpoint 1 at 0x8049938
Breakpoint 1 at 0x4013a72c: file signature.c, line 160.
[New Thread 8192 (LWP 31408)]
error: Unable to open /usr/local/lib/rpm/rpmrc for reading: No such file or
directory.
rpm2html: indexing /var/ftp/linux/sourceforge
indexing SourceForge
Scanning directory /var/ftp/linux/sourceforge for RPMs
[Switching to Thread 8192 (LWP 31408)]

Breakpoint 1, rpmReadSignature (fd=0x80818c8, headerp=0xbffff22c, 
    sig_type=RPMSIGTYPE_HEADERSIG) at signature.c:160
160         Header h = NULL;
(gdb) finish
Run till exit from #0  rpmReadSignature (fd=0x80818c8, headerp=0xbffff22c, 
    sig_type=RPMSIGTYPE_HEADERSIG) at signature.c:160
warning: Expected size:      1291231 = lead(96)+sigs(100)+pad(4)+data(1291031)
warning:   Actual size:      1294910
0x40127687 in readPackageHeaders (fd=0x80818c8, leadPtr=0xbffff230, 
    sigs=0xbffff22c, hdrPtr=0xbffff2c8) at package.c:179
179             rc = rpmReadSignature(fd, sigs, lead->signature_type);
Value returned is $1 = RPMRC_BADSIZE
(gdb) 

--> A possible patch is to exit from readPackageHeaders() when
rpmReadSignature() returns RPMRC_BADSIZE.

--- rpm-4.0.3/lib/package.c.bak Wed Jul 11 04:05:22 2001
+++ rpm-4.0.3/lib/package.c     Sun Nov 25 02:19:07 2001
@@ -135,7 +135,7 @@
     case 3:
     case 4:
        rc = rpmReadSignature(fd, sigs, lead->signature_type);
-       if (rc == RPMRC_FAIL)
+       if (rc == RPMRC_FAIL || rc == RPMRC_BADSIZE)
            return rc;
        *hdr = headerRead(fd, (lead->major >= 3)
                          ? HEADER_MAGIC_YES : HEADER_MAGIC_NO);
Comment 1 Jeff Johnson 2003-02-02 13:53:35 UTC 
Avoiding segfaults when fed random data is (of course)
the entire reason why rpm-4.1 verifies signatures/digests
when reading headers. I'm almost certain that this segfault
is -- like most segfaults in rpm -- caused by bad data in
headers.

Returning RPMRC_BADSIZE is certainly doable, but is a little
trickier than above.

If rpm-4.1 "works" performs equivalently to rpm-4.0.4 with
signature/digest checking disabled (it should), then I suggest
fixing the problem there, not in rpm-4.0.4.
Comment 2 Jeff Johnson 2003-02-02 13:55:26 UTC 

*** This bug has been marked as a duplicate of 83320 ***
Comment 3 Red Hat Bugzilla 2006-02-21 18:51:33 UTC 
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.