Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1184025

Summary: libxml2 segfaults in xmlCtxtReadFile() even with simplest XML
Product: Red Hat Enterprise Linux 6 Reporter: Martin Kletzander <mkletzan>
Component: zlibAssignee: Jan Chaloupka <jchaloup>
Status: CLOSED NOTABUG QA Contact: qe-baseos-daemons
Severity: high Docs Contact:
Priority: high    
Version: 6.7CC: doubleb, dshea, eblake, mcermak, nikolai.kondrashov, ohudlick, ovasik
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-26 08:14:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 987194    

Description Martin Kletzander 2015-01-20 13:18:04 UTC 
Description of problem:
When trying to parse an XML, there's some invalid address being used in strncpm().

Version-Release number of selected component (if applicable):
both following packages have the same problem:
 libxml2-2.7.6-14.el6.x86_64
 libxml2-2.7.6-17.el6_6.1.x86_64
*But* this happens after an upgrade to latest packages and libxml2 was not part of the upgrade!  But I'm assigning this to libxml2 as I don't know where else to track it (see the backtrace below).

How reproducible:
100%

 Steps to Reproduce:
1.

$ cat >test.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <libxml/parser.h>

int
main(int argc, char **argv)
{
    int ret = EXIT_FAILURE;
    xmlDocPtr doc = NULL;
    xmlParserCtxtPtr ctx = xmlNewParserCtxt();

    if (!ctx || !ctx->sax)
        goto cleanup;

    if(argc != 2)
        goto cleanup;

    doc = xmlCtxtReadFile(ctx, argv[1], NULL,
                          XML_PARSE_NONET | XML_PARSE_NOWARNING);

    if (!doc)
        goto cleanup;

    ret = EXIT_SUCCESS;
 cleanup:
    if (doc)
        xmlFreeDoc(doc);
    if (ctx)
        xmlFreeParserCtxt(ctx);
    return ret;
}
EOF

2.
$ cat >dummy.xml <<EOF
<dummy/>
EOF

3.
$ gcc -pedantic -pedantic-errors -Wall -Werror $(pkg-config --libs --cflags libxml-2.0) test.c -ggdb -o test

4.
$ ./test dummy.xml

Actual results:
Segmentation fault (core dumped)

Expected results:
Doesn't crash and returns 0 (as it does on RHEL7 for example).

Additional info:
This is an isolation of a problem that libvirt daemon cannot start.  It fails when qemu driver tries to parse a default network's XML.

Here's a full bt:

$ gdb --args ./test dummy.xml
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-75.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /root/test...done.
(gdb) r
Starting program: /root/test dummy.xml

Program received signal SIGSEGV, Segmentation fault.
__strncmp_ssse3 () at ../sysdeps/x86_64/strcmp.S:214
214		movlpd	(%rsi), %xmm2
(gdb) bt full
#0  __strncmp_ssse3 () at ../sysdeps/x86_64/strcmp.S:214
No locals.
#1  0x000000343545e885 in __xmlParserInputBufferCreateFilename (URI=<value optimized out>, 
    enc=XML_CHAR_ENCODING_NONE) at xmlIO.c:2525
        cptr = 0x700001c4f <Address 0x700001c4f out of bounds>
        buff4 = "<dum"
        ret = 0x602700
        i = <value optimized out>
        context = 0x6025f0
#2  0x000000343543380d in xmlNewInputFromFile__internal_alias (ctxt=0x601010, filename=0x7fffffffe8a7 "dummy.xml")
    at parserInternals.c:1549
        buf = <value optimized out>
        inputStream = <value optimized out>
        directory = 0x0
        URI = 0x0
#3  0x000000343544bebb in xmlCtxtReadFile__internal_alias (ctxt=0x601010, filename=0x7fffffffe8a7 "dummy.xml", 
    encoding=0x0, options=<value optimized out>) at parser.c:15220
        stream = <value optimized out>
#4  0x0000000000400769 in main (argc=2, argv=0x7fffffffe648) at test.c:18
        ret = 1
        doc = 0x0
        ctx = 0x601010
Comment 1 Daniel Veillard 2015-01-21 11:34:16 UTC 
Weird I cannot reproduce this here, and I think with such a bug no regtests
would have ever passed, I wonder what is going on, maybe the old zlib / libxml2
bug

server:~ -> gcc -pedantic -pedantic-errors -Wall -Werror $(pkg-config --libs --cflags libxml-2.0) test.c -ggdb -o test
server:~ -> ./test dummy.xml
server:~ -> rpm -q libxml2
libxml2-2.7.6-17.el6_6.1.x86_64
server:~ -> ldd ./test
	linux-vdso.so.1 =>  (0x00007fffe8deb000)
	libxml2.so.2 => /usr/lib64/libxml2.so.2 (0x00000033d0e00000)
	libc.so.6 => /lib64/libc.so.6 (0x00000033c6600000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00000033c7200000)
	libz.so.1 => /lib64/libz.so.1 (0x00000033c7a00000)
	libm.so.6 => /lib64/libm.so.6 (0x00000033c6a00000)
	/lib64/ld-linux-x86-64.so.2 (0x00000033c6200000)
server:~ -> rpm -qf /lib64/libz.so.1
zlib-1.2.3-29.el6.x86_64
server:~ -> 

Daniel
Comment 2 Martin Kletzander 2015-01-21 11:40:10 UTC 
The problem exists with zlib-1.2.5-2.el6.x86_64 and downgrading to zlib-1.2.3-29.el6.x86_64 fixes the problem.  Moving to zlib.
Comment 3 Ondrej Vasik 2015-01-21 18:58:40 UTC 
*** Bug 1183217 has been marked as a duplicate of this bug. ***
Comment 6 Jan Chaloupka 2015-01-21 21:27:48 UTC 
After some inspection, this is libxml2 bug. Patch is at [1]. The crash is reproducible from zlib-1.2.4. Due to rebase from zlib-1.2.3 to zlib-1.2.5.

libxml2 is not on ACL for rhel-6.7. If this issue will not get fixed, I cannot rebase zlib, which has already all acks on. 

[1] http://osdir.com/ml/svn-commits-list/2010-01/msg05723.html
Comment 7 Daniel Veillard 2015-01-22 02:58:23 UTC 
it's a tie between libxml2 and zlib, they cannot be updated independently.

If you apply the pacth and don't update zlib it breaks, if you don't apply
the patch you can't update zlib.

I don't know how Martin ended up with a zlib-1.2.5 but we absolutely must not
update zlib in RHEL-6 to a newer version or all libxml2 apps will break.
Issue known for a long time.

Martin how did you end up with zlib-1.2.5 on a RHEL-6 machine, this MUST not
happen.

Daniel
Comment 8 Daniel Veillard 2015-01-22 03:19:00 UTC 
*** Bug 1184243 has been marked as a duplicate of this bug. ***
Comment 9 Daniel Veillard 2015-01-26 02:34:28 UTC 
*** Bug 1185089 has been marked as a duplicate of this bug. ***
Comment 13 Jan Chaloupka 2015-01-26 14:25:46 UTC 
*** Bug 1183215 has been marked as a duplicate of this bug. ***
Comment 14 Ján Tomko 2015-03-18 08:29:58 UTC 
*** Bug 921493 has been marked as a duplicate of this bug. ***
Comment 16 Martin Kletzander 2015-03-26 08:14:39 UTC 
I see the zlib package version is kept at 1.2.3 and everything works now.  Closing as NOTABUG as this was a pre-release issue.