Bug 128999 - rpmq segfault
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: rpm
Version: 2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Jeff Johnson
Reported: 2004-08-02 16:46 EDT by Ralph Loader
Modified: 2007-11-30 17:10 EST (History)
Doc Type: Bug Fix
Last Closed: 2004-08-04 08:40:35 EDT
Attachments: None

Description Ralph Loader 2004-08-02 16:46:40 EDT
Description of problem:

rpmq is segfaulting.  I believe that the rpm db is probably corrupted.

Version-Release number of selected component (if applicable):

rpm-4.3.1-0.3

How reproducible:

Every time.


Steps to Reproduce:
1.  Run rpm -qa with --root pointing at the corrupt rpm database.
2.  rpmq crashes in realloc on the second call to mpbsethex () from
/usr/lib/libbeecrypt.so.6
  
Additional info:

Unfortunately, the stack is corrupted after the crash.

Here is the stack trace on the second call to mpbsethex:

Breakpoint 2, 0x003904b0 in mpbsethex () from /usr/lib/libbeecrypt.so.6
(gdb) bt
#0  0x003904b0 in mpbsethex () from /usr/lib/libbeecrypt.so.6
#1  0x00297446 in pgpPrtPubkeyParams (pubkey_algo=17 '\021', p=0x952558b "",
    h=0x9525503 "\004?\235\235;\021\004", hlen=156391077) at rpmpgp.c:730
#2  0x00297936 in pgpPrtKey (tag=PGPTAG_PUBLIC_KEY,
    h=0x9525503 "\004?\235\235;\021\004", hlen=418) at rpmpgp.c:886
#3  0x00297d9d in pgpPrtPkt (pkt=0x9525500 "\231\001¢\004?\235\235;\021\004",
    pleft=1038) at rpmpgp.c:980
#4  0x0029826c in pgpPrtPkts (
    pkts=0x9525500 "\231\001¢\004?\235\235;\021\004", pktlen=1038,
    dig=0x2b1920, printing=156337284) at rpmpgp.c:1128
#5  0x002f1390 in rpmtsFindPubkey (ts=0x9514690) at rpmts.c:411
#6  0x002f6a8d in verifyGPGSignature (ts=0x9514690, t=0xfefaff09 "",
    sha1ctx=0x950c650) at signature.c:1323
#7  0x002f6c96 in rpmVerifySignature (ts=0x9514690,
    result=0xfefafef0 "Header V3 DSA signature: ") at signature.c:1377
#8  0x002d20bb in headerCheck (ts=0x9514690, uh=0x9518484, uc=15724,
    msg=0xfefbff68) at package.c:623
#9  0x0048335f in rpmdbNextIterator (mi=0x9517208) at rpmdb.c:2209
#10 0x002d9bab in rpmcliShowMatches (qva=0x3139c0, ts=0x9514690) at query.c:370
#11 0x002da052 in rpmQueryVerify (qva=0x3139c0, ts=0x9514690, arg=0x0)
    at query.c:771
#12 0x002dadaa in rpmcliQuery (ts=0x9514690, qva=0x3139c0, argv=0x0)
    at query.c:825
#13 0x080497f8 in main (argc=3, argv=0xfefc1174) at rpmqv.c:794
#14 0x0014dad4 in __libc_start_main (main=0x8049450 <main>, argc=3,
    ubp_av=0xfefc1174, init=0x8049bec <__libc_csu_init>,
    fini=0x2520fc <environ>, rtld_fini=0x3, stack_end=0xfefc116c)
    at ../sysdeps/generic/libc-start.c:209
#15 0x080491e1 in _start ()

Then we hit __libc_realloc with what appears to be a bogus address and
a corrupt stack:

(gdb) b __libc_realloc
Breakpoint 5 at 0x1991a7: file malloc.c, line 3392.
(gdb) c
Continuing.

Breakpoint 5, __libc_realloc (oldmem=0xbf04ce78, bytes=5) at malloc.c:3392
3392      __malloc_ptr_t (*hook) __MALLOC_P ((__malloc_ptr_t, size_t,
(gdb) bt
#0  __libc_realloc (oldmem=0xbf04ce78, bytes=5) at malloc.c:3392
#1  0x00390509 in mpbsethex () from /usr/lib/libbeecrypt.so.6
#2  0xbf04ce78 in ?? ()
#3  0x0000002c in ?? ()
#4  0x00000400 in ?? ()
#5  0x00295f1e in pgpPrtNL () at rpmpgp.c:265
Previous frame inner to this frame (corrupt stack?)

Continuing segfaults immediately:

(gdb) c
Continuing.
 
Program received signal SIGSEGV, Segmentation fault.
__libc_realloc (oldmem=0xbf04ce78, bytes=44) at malloc.c:3406
3406      oldsize = chunksize(oldp);
(gdb) bt
#0  __libc_realloc (oldmem=0xbf04ce78, bytes=44) at malloc.c:3406
#1  0x00390509 in mpbsethex () from /usr/lib/libbeecrypt.so.6
#2  0xbf04ce78 in ?? ()
#3  0x0000002c in ?? ()
#4  0x00000400 in ?? ()
#5  0x00295f1e in pgpPrtNL () at rpmpgp.c:265
Previous frame inner to this frame (corrupt stack?)

A .tar.bz2 of the rpmdb is 2.7 Mbytes - if you want a copy, let me
know where to send it.
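The trace in the report is rpm parsing an OpenPGP public-key packet pulled from the Pubkeys index: frame #3 holds an old-format packet header (tag byte \231 = 0x99, 2-byte length 0x01A2 = 418), frame #2 the v4 key body (version 4, creation time 0x3F9D9D3B, algorithm \021 = 17 = DSA, first MPI bit count starting 0x04), and frame #1 is in the routine that hands the key's MPIs to beecrypt when the crash happens. A standard 1024-bit DSA key (p, g, y of 1024 bits, q of 160 bits) gives 6 + 130 + 22 + 130 + 130 = 418 body bytes, matching the hlen in frame #2. The following is an added example, not rpm's or beecrypt's code, of how a parser for that packet can check every length field against the bytes it actually holds before dereferencing anything, so a damaged Pubkeys entry is rejected up front rather than handed to a bignum routine. It handles all three old-format length sizes, not only the 2-byte one in the trace. The function names, result codes and the filler key material are this example's own; the sample packet is constructed here from the header bytes visible in the trace and is not a real key.

```c
/* Added example, not rpm's or beecrypt's code: bounds-checked parser for the OpenPGP
 * old-format packet header and v4 DSA key body seen in the trace (tag 0x99, length
 * 0x01A2 = 418, version 4, algo 17). Names, codes and key bytes are this example's own. */
#include <stdint.h>
#include <string.h>

enum { PGP_OK = 0, PGP_TRUNCATED = -1, PGP_BADFORMAT = -2, PGP_UNSUPPORTED = -3 };
struct pgp_mpi { size_t bits; const uint8_t *data; size_t len; };
struct pgp_dsa_pubkey { uint32_t created; struct pgp_mpi p, q, g, y; };

/* Old-format header (RFC 4880 4.2.1): 10ttttll, then 1/2/4 length bytes; ll = 3 refused. */
static int pgp_old_hdr(const uint8_t *pkt, size_t pleft, unsigned *tag,
                       size_t *hdrlen, size_t *bodylen)
{
    if (pleft < 1) return PGP_TRUNCATED;
    uint8_t c = pkt[0];
    if ((c & 0xC0) != 0x80 || (c & 0x03) == 3) return PGP_UNSUPPORTED;
    size_t n = (size_t)1 << (c & 0x03);                /* number of length bytes */
    if (pleft < 1 + n) return PGP_TRUNCATED;
    size_t len = 0;
    for (size_t i = 0; i < n; i++) len = (len << 8) | pkt[1 + i];
    if (len > pleft - 1 - n) return PGP_TRUNCATED;     /* body overruns the buffer held */
    *tag = (c >> 2) & 0x0F; *hdrlen = 1 + n; *bodylen = len;
    return PGP_OK;
}

/* One MPI: 2-byte bit count, then ceil(bits/8) bytes; must fit in hlen, no padding bits. */
static int pgp_mpi(const uint8_t *h, size_t hlen, size_t *pos, struct pgp_mpi *m)
{
    if (*pos > hlen || hlen - *pos < 2) return PGP_TRUNCATED;
    size_t bits = ((size_t)h[*pos] << 8) | h[*pos + 1];
    size_t len = (bits + 7) / 8;
    if (bits == 0 || len > hlen - *pos - 2) return PGP_TRUNCATED;
    unsigned top = bits % 8 ? (unsigned)(bits % 8) : 8; /* bits used in the first byte */
    if ((h[*pos + 2] >> (top - 1)) != 1) return PGP_BADFORMAT;
    m->bits = bits; m->len = len; m->data = h + *pos + 2; *pos += 2 + len;
    return PGP_OK;
}

/* v4 key body: version, 4-byte creation time, algorithm, then DSA's p, q, g, y; no trailer. */
static int pgp_parse_dsa_body(const uint8_t *h, size_t hlen, struct pgp_dsa_pubkey *k)
{
    if (hlen < 6) return PGP_TRUNCATED;
    if (h[0] != 4 || h[5] != 17) return PGP_UNSUPPORTED;
    k->created = (uint32_t)h[1] << 24 | (uint32_t)h[2] << 16 | (uint32_t)h[3] << 8 | h[4];
    struct pgp_mpi *mpis[] = { &k->p, &k->q, &k->g, &k->y }; size_t pos = 6;
    for (size_t i = 0; i < 4; i++) {
        int rc = pgp_mpi(h, hlen, &pos, mpis[i]);
        if (rc != PGP_OK) return rc;
    }
    return pos == hlen ? PGP_OK : PGP_BADFORMAT;
}

/* Whole packet as found in a buffer of pleft bytes: header, tag 6, then body. */
int pgp_parse_pubkey_packet(const uint8_t *pkt, size_t pleft, struct pgp_dsa_pubkey *k)
{
    unsigned tag; size_t hdrlen, bodylen;
    int rc = pgp_old_hdr(pkt, pleft, &tag, &hdrlen, &bodylen);
    if (rc != PGP_OK) return rc;
    if (tag != 6) return PGP_UNSUPPORTED;              /* 6 = public-key packet */
    return pgp_parse_dsa_body(pkt + hdrlen, bodylen, k);
}

/* Constructed sample: the trace's header bytes plus a standard 1024-bit DSA layout
 * (6+130+22+130+130 = 418 body bytes). Filler, not a real key. Returns 421 or 0. */
size_t build_sample_packet(uint8_t *out, size_t cap)
{
    static const uint8_t head[] = { 0x99, 0x01, 0xA2, 0x04, 0x3F, 0x9D, 0x9D, 0x3B, 0x11 };
    static const size_t bits[] = { 1024, 160, 1024, 1024 };
    if (cap < 421) return 0;
    memcpy(out, head, sizeof head); size_t n = sizeof head;
    for (size_t i = 0; i < 4; i++) {
        size_t len = (bits[i] + 7) / 8;
        out[n++] = (uint8_t)(bits[i] >> 8); out[n++] = (uint8_t)bits[i];
        memset(out + n, 0x5A, len);
        out[n] = 0xC3;                                 /* top bit set: exact bit count */
        n += len;
    }
    return n;
}

/* Intact sample is 421 bytes, parses, and the fields come back as built: returns 1. */
int check_good(void)
{
    uint8_t pkt[512]; struct pgp_dsa_pubkey k; size_t n = build_sample_packet(pkt, sizeof pkt);
    if (n != 421 || pgp_parse_pubkey_packet(pkt, n, &k) != PGP_OK) return 0;
    return k.created == 0x3F9D9D3BU && k.p.bits == 1024 && k.q.bits == 160 && k.y.len == 128;
}

/* Damaged inputs, each refused with PGP_TRUNCATED before any out-of-bounds byte is read.
 * which=1: q's bit count raised to 0x40A0 (2068 bytes, far past a 418-byte body).
 * which=2: only 300 of the 421 bytes are held (compare pleft in frame #3 of the trace). */
int check_corrupt(int which)
{
    uint8_t pkt[512]; struct pgp_dsa_pubkey k; size_t n = build_sample_packet(pkt, sizeof pkt);
    if (which == 1) pkt[3 + 6 + 130] = 0x40;           /* high byte of q's bit count */
    else n = 300;
    return pgp_parse_pubkey_packet(pkt, n, &k);
}
```

The two failure cases are the ones a corrupt database entry produces: a length field that no longer agrees with the bytes around it, and a packet whose header promises more than the buffer holds. Both are caught by comparing the declared length against the remaining count before the payload pointer is formed, which is the check to look for when auditing any parser that sits between an on-disk store and a bignum or crypto library.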
Comment 1 Jeff Johnson 2004-08-02 21:34:20 EDT
Please attach a URI here -- rpmdb's are too big
for bugzilla attachments.
Comment 2 Ralph Loader 2004-08-04 02:14:04 EDT
See

http://homepages.ihug.co.nz/~suckfish/boom/rpmdb.tar.bz2

Still segfaults with rpm-4.3.2-0.6 btw.
Comment 3 Jeff Johnson 2004-08-04 08:40:35 EDT
Reproduced. Trying to diagnose now ...

Here's a workaround fix:
    cd /var/lib/rpm
    mv Pubkeys Pubkeys-XXX
    rpm --rebuilddb -vv

Verify the fix by doing
    rpm -qavv
    rm /var/lib/rpm/Pubkeys-XXX

Reopen this bug if you need help.
