Bug 10620 - RPM attempts to free corrupted memory in headerFree()
Status: CLOSED WORKSFORME
Product: Red Hat Linux
Classification: Retired
Component: rpm
Version: 6.1
Hardware: i386 Linux
Priority: medium Severity: low
Assigned To: Jeff Johnson

Reported: 2000-04-06 14:09 EDT by Jonathan Briggs
Modified: 2008-05-01 11:37 EDT
Doc Type: Bug Fix
Last Closed: 2000-04-13 07:09:14 EDT
Description Jonathan Briggs 2000-04-06 14:09:17 EDT
RPM seg-faults after doing these two commands:
rpm -Uvv --force ~/updates/kernel-2.2.13-0.13.i686.rpm
rpm -Uvv --force /mnt/cd2/RPMS/kernel-2.2.13-0.13.i386.rpm

updates/kernel-2.2.13-0.13.i686.rpm is from the Red Hat 6.1 OEM CD.
/mnt/cd2/RPMS/kernel-2.2.13-0.13.i386.rpm is a customized kernel.
This custom kernel is available with ftp at 199.45.143.80.
Username: redhat
Password: bugfix

I added some debugging messages to rpm and ran it with the environment
setting MALLOC_CHECK_=1
Here is the relevant output.  This is during binary package install, after
the packages have been installed, just before the function
markReplacedFiles exits.

D: entering headerFree(0x8189c40)
D: usageCount: 1
D: freeing h->index[0].data: 0x8189d48
D: freeing h->index[1].data: 0x8189d38
D: freeing h->index[2].data: 0x8189d58
D: freeing h->index[3].data: 0x8189d68
D: freeing h->index[4].data: 0x8189dc0
D: freeing h->index[5].data: 0x8189f00
D: freeing h->index[6].data: 0x8189ff8
D: freeing h->index[7].data: 0x818a008
D: freeing h->index[8].data: 0x818a1b0
free(): invalid pointer 0x818a1b0!
D: freeing h->index[9].data: 0x818a1c0
free(): invalid pointer 0x818a1c0!
D: freeing h->index[10].data: 0x818a1d0
free(): invalid pointer 0x818a1d0!
D: freeing h->index[11].data: 0x818a208
D: freeing h->index[12].data: 0x818a228
D: freeing h->index[13].data: 0x818a238
D: freeing h->index[14].data: 0x8189d78
D: freeing h->index[15].data: 0x818a248
D: freeing h->index[16].data: 0x81768c8
D: freeing h->index[17].data: 0x817a238
D: freeing h->index[18].data: 0x818a028
Segmentation fault (core dumped)
Comment 1 Jeff Johnson 2000-04-06 14:37:59 EDT
What version of rpm?

Have you done a "rpm --rebuilddb"? There are segfaults in rpm due to a
database left in an inconsistent state ...

Also, if you've gotten as far as recompiling rpm with debugging messages,
can you print out the tag value:

	h->index[i].info.tag

If there really is an allocation problem, the mistake is freeing data
that was returned by headerGetEntry() without checking the type of
data returned.
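
The ownership rule behind this remark, as an added example that is not rpm source and not part of the original comment: a self-contained toy model in which a lookup returns aliases into header storage for scalar and string types and a caller-owned pointer table for string arrays, with a release helper that checks the type before freeing. All toy_* names, the sample tags and the sample data are hypothetical and constructed; only the type codes 4, 6 and 8 follow rpm's header.h numbering.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Toy model with hypothetical names; not rpm source. Type codes follow rpm's header.h. */
enum { TOY_INT32 = 4, TOY_STRING = 6, TOY_STRING_ARRAY = 8 };
struct toy_entry { int32_t tag, type, count; void *data; };  /* data is header-owned */
struct toy_header { struct toy_entry *index; int used; };

/* Lookup: scalar and string results alias header storage; a string-array
 * result is a freshly allocated pointer table owned by the caller. */
static int toy_get_entry(struct toy_header *h, int32_t tag, int32_t *type, void **p, int32_t *count)
{
    for (int i = 0; i < h->used; i++) {
        struct toy_entry *e = &h->index[i];
        if (e->tag != tag) continue;
        *type = e->type; *count = e->count; *p = e->data;   /* alias by default */
        if (e->type != TOY_STRING_ARRAY) return 1;
        const char *s = e->data;                            /* packed "a\0b\0" */
        const char **tbl = malloc((size_t)e->count * sizeof(*tbl));
        if (tbl == NULL) return 0;
        for (int j = 0; j < e->count; j++) { tbl[j] = s; s += strlen(s) + 1; }
        *p = tbl;                                           /* caller must free this */
        return 1;
    }
    return 0;
}

/* The bug class: calling free(p) after every lookup. For types 4 and 6, p is
 * storage the caller never allocated. Free only by type; returns 1 if freed. */
static int toy_release(int32_t type, void *p)
{
    if (type == TOY_STRING_ARRAY) free(p);
    return type == TOY_STRING_ARRAY;
}

/* Constructed sample header; returns how many caller-side frees happened. */
static int toy_demo(void)
{
    static int32_t size = 42;
    static char name[] = "kernel", files[] = "/a\0/bin";
    struct toy_entry idx[] = { {1009, TOY_INT32, 1, &size}, {1000, TOY_STRING, 1, name},
                               {1027, TOY_STRING_ARRAY, 2, files} };
    struct toy_header h = { idx, 3 };
    int32_t type, count; void *p; int freed = 0;
    for (int i = 0; i < h.used; i++)
        if (toy_get_entry(&h, idx[i].tag, &type, &p, &count)) freed += toy_release(type, p);
    return freed;   /* 1: only the string-array table belonged to the caller */
}
int main(void) { return toy_demo() == 1 ? 0 : 1; }
```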
Comment 2 Jonathan Briggs 2000-04-07 11:52:59 EDT
This is rpm 3.0.3, from package rpm-3.0.3-2.i386.rpm

rpm --rebuilddb does not seem to affect it.

Here is the output with h->index[i].info.tag and type:
D: entering headerFree(0x8189c20)
D: usageCount: 1
D: freeing h->index[0].data: 0x8189d28 .info.tag: 100 .info.type: 8
D: freeing h->index[1].data: 0x8189d18 .info.tag: 1000 .info.type: 6
D: freeing h->index[2].data: 0x8189d38 .info.tag: 1001 .info.type: 6
D: freeing h->index[3].data: 0x8189d48 .info.tag: 1002 .info.type: 6
D: freeing h->index[4].data: 0x8189d58 .info.tag: 1004 .info.type: 9
D: freeing h->index[5].data: 0x8189e98 .info.tag: 1005 .info.type: 9
D: freeing h->index[6].data: 0x8189f90 .info.tag: 1006 .info.type: 4
D: freeing h->index[7].data: 0x8189fa0 .info.tag: 1007 .info.type: 6
D: freeing h->index[8].data: 0x818a148 .info.tag: 1008 .info.type: 4
free(): invalid pointer 0x818a148!
D: freeing h->index[9].data: 0x818a158 .info.tag: 1009 .info.type: 4
free(): invalid pointer 0x818a158!
D: freeing h->index[10].data: 0x818a168 .info.tag: 1014 .info.type: 6
free(): invalid pointer 0x818a168!
D: freeing h->index[11].data: 0x818a1a0 .info.tag: 1016 .info.type: 9
D: freeing h->index[12].data: 0x818a1c0 .info.tag: 1021 .info.type: 6
D: freeing h->index[13].data: 0x818a1d0 .info.tag: 1022 .info.type: 6
D: freeing h->index[14].data: 0x818a1e0 .info.tag: 1023 .info.type: 6
D: freeing h->index[15].data: 0x818a220 .info.tag: 1024 .info.type: 6
D: freeing h->index[16].data: 0x81768d0 .info.tag: 1027 .info.type: 8
D: freeing h->index[17].data: 0x817a240 .info.tag: 1028 .info.type: 4
D: freeing h->index[18].data: 0x8189fc0 .info.tag: 1029 .info.type: 1
Segmentation fault (core dumped)
Comment 3 Jeff Johnson 2000-04-07 12:09:59 EDT
I believe I've fixed this in rpm-3.0.4 (from Raw Hide or ftp.rpm.org).
Can you verify if the problem persists there? Thanks.
Comment 4 Jonathan Briggs 2000-04-10 17:32:59 EDT
After building and installing rpm 3.0.4, I tried it again and got the same
segmentation fault.  Then I did a rebuilddb, and tried it, and it worked
correctly.

Thanks.
Comment 5 Jeff Johnson 2000-04-13 07:09:59 EDT
This problem appears to be resolved.
