Bug 107835 - dangling pointer in rpm causes random segfaults and other crashes
Summary: dangling pointer in rpm causes random segfaults and other crashes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: rpm
Version: 9
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Jeff Johnson
QA Contact: Mike McLean
URL:
Whiteboard:
Duplicates: 108032 112489
Depends On:
Blocks:
 
Reported: 2003-10-23 15:59 UTC by Philip Spencer
Modified: 2007-04-18 16:58 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2003-12-18 02:51:11 UTC
Embargoed:


Attachments
Patch to fix segfaults in rpm-4.2-1 (1.63 KB, patch)
2003-10-23 16:00 UTC, Philip Spencer


Links
  System: Red Hat Product Errata
  ID: RHBA-2004:098
  Private: 0
  Priority: normal
  Status: SHIPPED_LIVE
  Summary: Updated rpm package fixes several bugs
  Last Updated: 2004-05-12 04:00:00 UTC

Description Philip Spencer 2003-10-23 15:59:37 UTC
**** I created this yesterday as bug#107784. Bugzilla wouldn't accept an
attachment upload from my old Netscape browser, then Bugzilla went "down for
maintenance; try again later" before I could upload it from Mozilla. Now it is
telling me I do not have permission to view bug#107784 (even after logging in).
???????? What is up with Bugzilla ?????????
So I am refiling it as a new bug report.
*****************************************************************************

Description of problem:
After experiencing various seemingly random segmentation faults in rpm (example:
on our system, "rpm -q -f /etc/profile" when run as root causes a segfault,
whereas it doesn't when run as an ordinary user) and other crashes and freezes,
and with the problems persisting even after updating to the latest rpm-4.2-1
from the rpm ftp site as suggested in other bug reports, I eventually tracked
the problem down with the help of "electric fence" to a dangling pointer in
rpmdb/rpmdb.c.

In the function rpmdbNextIterator, in the block of code beginning at line 2279,
the local pointer variable "set" stores a copy of mi->mi_db->db_bits. A few
lines further down, "set" is dereferenced to mark the header as checked.
However, in between, the call to mi->mi_hdrchk may recursively call
rpmdbNextIterator when searching for imported gpg keys to validate the
signature. In the process, the memory pointed to by "set" may be
reallocated, and "set" becomes a dangling pointer.

I have attached a patch which fixes this problem. It also fixes another more
minor problem that will also cause a segfault if rpm is run under Electric Fence
but would unlikely cause any problems otherwise.

Version-Release number of selected component (if applicable):
rpm-4.2-1

How reproducible:
Always

Steps to Reproduce:
1. Install Electric Fence and make sure a lot of RPM packages are installed.
2. Run "ef rpm -q /etc/profile".


Actual Results:  % ef rpm -q -f /etc/profile

  Electric Fence 2.2.0 Copyright (C) 1987-1999 Bruce Perens <bruce>
  Electric Fence 2.2.0 Copyright (C) 1987-1999 Bruce Perens <bruce>
/usr/bin/ef: line 20:  8513 Segmentation fault      ( export
LD_PRELOAD=libefence.so.0.0; exec $* )

This always segfaults on our system. Without the "ef", it segfaults
occasionally.

(If the above procedure doesn't reproduce the problem on a different system, it
may be necessary to substitute a different file for /etc/profile to see the
segfault, and/or set the environment variable EF_PROTECT_FREE=1.)

Expected Results:  When the attached patch is applied:

% ef rpm -q -f /etc/profile

  Electric Fence 2.2.0 Copyright (C) 1987-1999 Bruce Perens <bruce>
  Electric Fence 2.2.0 Copyright (C) 1987-1999 Bruce Perens <bruce>
setup-2.5.25-1

Comment 1 Philip Spencer 2003-10-23 16:00:53 UTC
Created attachment 95431 [details]
Patch to fix segfaults in rpm-4.2-1

Comment 2 Jef Spaleta 2003-11-05 17:41:08 UTC
I'm trying to confirm this on my rhl9 box, and I'm having trouble
reproducing this at all. So it's either very subtle or I'm just super
lucky :->.

  1. Install Electric Fence and make sure a lot of RPM packages are installed.

I have 1300 or so rpms installed, does that count as a lot?

I'd like to nominate this via tracker bug, if I can confirm it.
If this is a subtle issue, maybe I can confirm it if I had access to
your /var/lib/rpm tree and used rpm with the --dbpath switch to query
your rpmdb locally on my system. If you could tarball up your
/var/lib/rpm directory and give me a place to grab it, that might be a
useful way for me to attempt to confirm your problem.

Comment 3 Philip Spencer 2003-11-12 22:00:31 UTC
I have 1279 rpms installed, so yes, 1300 should be sufficient. You may
need to set EF_PROTECT_FREE=1 in the environment to guarantee that ef
traps the error.

You can access one of our /var/lib/rpm trees (with a few changes since
I last had the problem -- for one thing, I've installed my patched
version of rpm since then!) at
http://www.fields.utoronto.ca/~pspencer/varlibrpm.tgz

It shouldn't be necessary, though. The code clearly reveals that a
copy of a pointer is held in a local variable across a call to
functions that could potentially realloc the pointed-to memory.
Whether any re-alloc'ing will actually occur, of course, depends on
whether or not the originally alloc'd space is sufficient, which will
presumably depend on the order of packages, etc., etc.
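
As an added illustration (not rpm's code and not the attached patch), the pointer-caching pattern described in the bug description and again in Comment 3, reduced to a small C model: the callback stands in for mi->mi_hdrchk re-entering the iterator and growing the bitset, the old buffer is retained rather than freed so the lost write can be observed without undefined behaviour, and every struct and function name here is hypothetical.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-ins for the iterator state; all names here are hypothetical. */
typedef struct Db {
    unsigned char *bits;    /* "header already checked" bitset, grown on demand */
    size_t nbytes;
    unsigned char *retired; /* old buffer, kept rather than freed so this demo has no UB */
} Db;
typedef struct Iter {
    Db *db;
    unsigned hdrnum;
    void (*hdrchk)(struct Iter *); /* may re-enter the db and grow the bitset */
} Iter;
/* Grow the bitset; a fresh allocation guarantees the address changes (realloc might not). */
static void db_grow(Db *db, unsigned hdrnum) {
    size_t need = hdrnum / 8 + 1;
    if (need <= db->nbytes) return;
    unsigned char *nb = calloc(need, 1);
    memcpy(nb, db->bits, db->nbytes);
    free(db->retired);
    db->retired = db->bits; /* rpm would free() this: any cached copy now dangles */
    db->bits = nb;
    db->nbytes = need;
}
/* Models the signature check re-entering the iterator for a key header with a
 * much larger header number, which forces the bitset to grow. */
static void hdrchk_reenters_db(Iter *mi) { db_grow(mi->db, mi->hdrnum + 4096); }
/* Bug shape: pointer copied before the callback, dereferenced after it. */
int next_buggy(Iter *mi) {
    unsigned char *set = mi->db->bits;             /* copy taken here */
    mi->hdrchk(mi);                                /* buffer replaced here */
    set[mi->hdrnum / 8] |= 1u << (mi->hdrnum % 8); /* write lands in the old buffer */
    return (mi->db->bits[mi->hdrnum / 8] >> (mi->hdrnum % 8)) & 1;
}
/* Fix shape: re-read the live pointer after any call that may reallocate. */
int next_fixed(Iter *mi) {
    mi->hdrchk(mi);
    unsigned char *set = mi->db->bits;
    set[mi->hdrnum / 8] |= 1u << (mi->hdrnum % 8);
    return (mi->db->bits[mi->hdrnum / 8] >> (mi->hdrnum % 8)) & 1;
}
/* Runs one scenario; returns 1 if header 100 ended up marked as checked. */
int run_scenario(int use_fix) {
    Db db = { calloc(13, 1), 13, NULL }; /* holds headers 0..103 */
    Iter mi = { &db, 100, hdrchk_reenters_db };
    int marked = use_fix ? next_fixed(&mi) : next_buggy(&mi);
    free(db.retired); free(db.bits);
    return marked;
}
```

In the buggy path the "checked" mark is silently lost because it was written into the stale buffer; in the real program that buffer has been freed, which is the write Electric Fence traps.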

Comment 4 Jeff Johnson 2003-12-18 02:51:11 UTC
Yup, very nice catch, thank you for the patch. Yes, obvious
by inspection, but very hard to explicitly reproduce.

Apologies for the delay, needed to get rpm devel restarted first.

Fixed in rpm-4.2.2-0.6 (when built) and later.

Comment 5 Kasper Dupont 2003-12-22 07:59:43 UTC
*** Bug 112489 has been marked as a duplicate of this bug. ***

Comment 6 John Flanagan 2004-05-12 04:27:15 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2004-098.html


Comment 7 Paul Nasrat 2005-09-26 21:39:01 UTC
*** Bug 108032 has been marked as a duplicate of this bug. ***
