**** I created this yesterday as bug#107784. Bugzilla wouldn't accept an attachment upload from my old Netscape browser, then bugzilla went "down for maintenance; try again later" before I could upload it Mozilla. Now it is telling me I do not have permission to view bug#107784 (even after logging in). ???????? What is up with Bugzilla ????????? So I am refiling it as a new bug report. *****************************************************************************

Description of problem:
After experiencing various seemingly random segmentation faults in rpm (example: on our system, "rpm -q -f /etc/profile" when run as root causes a segfault, whereas it doesn't when run as an ordinary user) and other crashes and freezes, and with the problems persisting even after updating to the latest rpm-4.2-1 from the rpm ftp site as suggested in other bug reports, I eventually tracked the problem down with the help of "electric fence" to a dangling pointer in rpmdb/rpmdb.c.

In the function rpmdbNextIterator, in the block of code beginning at line 2279, the local pointer variable "set" stores a copy of mi->mi_db->db_bits. A few lines further down, "set" is dereferenced to mark the header as checked. However, in between, the call to mi->mi_hdrchk may recursively call rpmdbNextIterator when searching for imported gpg keys to validate the signature. In the process, the memory pointed to by "set" may be reallocated, and "set" becomes a dangling pointer.

I have attached a patch which fixes this problem. It also fixes another more minor problem that will also cause a segfault if rpm is run under Electric Fence but would be unlikely to cause any problems otherwise.

Version-Release number of selected component (if applicable):
rpm-4.2-1

How reproducible:
Always

Steps to Reproduce:
1. Install Electric Fence and make sure a lot of RPM packages are installed.
2. Run "ef rpm -q /etc/profile".
Actual Results:
% ef rpm -q -f /etc/profile
Electric Fence 2.2.0 Copyright (C) 1987-1999 Bruce Perens <bruce>
Electric Fence 2.2.0 Copyright (C) 1987-1999 Bruce Perens <bruce>
/usr/bin/ef: line 20: 8513 Segmentation fault ( export LD_PRELOAD=libefence.so.0.0; exec $* )

This always segfaults on our system. Without the "ef", it segfaults occasionally. (If the above procedure doesn't reproduce the problem on a different system, it may be necessary to substitute a different file for /etc/profile to see the segfault, and/or set the environment variable EF_PROTECT_FREE=1.)

Expected Results:
When the attached patch is applied:
% ef rpm -q -f /etc/profile
Electric Fence 2.2.0 Copyright (C) 1987-1999 Bruce Perens <bruce>
Electric Fence 2.2.0 Copyright (C) 1987-1999 Bruce Perens <bruce>
setup-2.5.25-1
Created attachment 95431 [details] Patch to fix segfaults in rpm-4.2-1
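Added example, not the reporter's patch (that is the attachment above) and not rpm's code: a small C model of the hazard described in the report, a local copy of the "checked" bitset pointer held across a callback that can reallocate the bitset. It shows the iteration step written the safe way (re-read the pointer after the callback) and a check that reports whether a copy taken before the call would have gone stale. All type and function names (db_t, iter_t, hdrchk_grows, next_iterator_fixed) are constructed stand-ins for mi->mi_db->db_bits and mi->mi_hdrchk.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the rpmdb state, not rpm's real types: the
 * "checked" bitset lives in db->bits and can grow while iterating. */
typedef struct { unsigned char *bits; size_t nbytes; } db_t;
typedef struct {
    db_t *db;
    unsigned int idx;                        /* header being returned */
    int (*hdrchk)(db_t *, unsigned int);     /* stands in for mi->mi_hdrchk */
} iter_t;
/* Grow the bitset so bit `idx` fits. Growth is malloc+copy+free rather than
 * realloc so the buffer is guaranteed to move (realloc may or may not). */
static int bits_ensure(db_t *db, size_t idx) {
    size_t need = idx / 8 + 1;
    if (need <= db->nbytes) return 0;
    unsigned char *nb = calloc(need, 1);
    if (!nb) return -1;
    memcpy(nb, db->bits, db->nbytes);
    free(db->bits);                          /* any old copy now dangles */
    db->bits = nb;
    db->nbytes = need;
    return 0;
}
/* Model of the signature check: validating one header may need to look at a
 * far-away header (e.g. an imported gpg key), which can enlarge the bitset. */
static int hdrchk_grows(db_t *db, unsigned int idx) {
    return bits_ensure(db, (size_t)idx + 4096);
}
/* Safe iteration step: no copy of db->bits is kept across the callback;
 * the pointer is read afterwards, right before marking the header. */
int next_iterator_fixed(iter_t *mi) {
    if (bits_ensure(mi->db, mi->idx) != 0) return -1;
    if (mi->hdrchk && mi->hdrchk(mi->db, mi->idx) != 0) return -1;
    unsigned char *set = mi->db->bits;       /* fresh pointer, never stale */
    set[mi->idx / 8] |= (unsigned char)(1u << (mi->idx % 8));
    return 1;
}
/* Detection aid: would a pointer copied before the callback have gone stale?
 * Returns 1 if the buffer moved, 0 if not, -1 on callback failure. */
int copy_went_stale(iter_t *mi) {
    uintptr_t before = (uintptr_t)mi->db->bits;
    if (mi->hdrchk && mi->hdrchk(mi->db, mi->idx) != 0) return -1;
    return (uintptr_t)mi->db->bits != before;
}
int header_checked(const db_t *db, unsigned int idx) {
    return idx / 8 < db->nbytes && ((db->bits[idx / 8] >> (idx % 8)) & 1);
}
```

Running the same scenario under Electric Fence with EF_PROTECT_FREE=1, but with the pointer copied before the callback and dereferenced after it, is what produces the segfault in the report.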
I'm trying to confirm this on my rhl9 box, and I'm having trouble reproducing this at all. So it's either very subtle or I'm just super lucky :->.

> 1. Install Electric Fence and make sure a lot of RPM packages are installed.

I have 1300 or so rpms installed, does that count as a lot? I'd like to nominate this via tracker bug, if I can confirm it. If this is a subtle issue, maybe I can confirm it if I had access to your /var/lib/rpm tree and use rpm with the --dbpath switch to query your rpmdb local on my system. If you could tarball up your /var/lib/rpm directory and give me a place to grab it, that might be a useful way for me to attempt to confirm your problem.
I have 1279 rpms installed so yes, 1300 should be sufficient. You may need to set EF_PROTECT_FREE=1 in the environment to guarantee that eff traps the error. You can access one of our /var/lib/rpm trees (with a few changes since I last had the problem -- for one thing, I've installed my patched version of rpm since then!) at http://www.fields.utoronto.ca/~pspencer/varlibrpm.tgz It shouldn't be necessary, though. The code clearly reveals that a copy of a pointer is held in a local variable across a call to functions that could potentially realloc the pointed-to memory. Whether any re-alloc'ing will actually occur, of course, depends on whether or not the originally alloc'd space is sufficient, which will presumably depend on the order of packages, etc., etc.
Yup, very nice catch, thank you for the patch. Yes, obvious by inspection, but very hard to explicitly reproduce. Apologies for the delay, needed to get rpm devel restarted first. Fixed in rpm-4.2.2-0.6 (when built) and later.
*** Bug 112489 has been marked as a duplicate of this bug. ***
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2004-098.html
*** Bug 108032 has been marked as a duplicate of this bug. ***