Description of problem:
rpmq is segfaulting. I believe that the rpm db is probably corrupted.

Version-Release number of selected component (if applicable):
rpm-4.3.1-0.3

How reproducible:
Every time.

Steps to Reproduce:
1. Run rpm -qa with --root pointing at the corrupt rpm database.
2. rpmq crashes in realloc on the second call to mpbsethex () from /usr/lib/libbeecrypt.so.6

Additional info:
Unfortunately, the stack is corrupted after the crash. Here is the stack trace on the second call to mpbsethex:

    Breakpoint 2, 0x003904b0 in mpbsethex () from /usr/lib/libbeecrypt.so.6
    (gdb) bt
    #0  0x003904b0 in mpbsethex () from /usr/lib/libbeecrypt.so.6
    #1  0x00297446 in pgpPrtPubkeyParams (pubkey_algo=17 '\021', p=0x952558b "", h=0x9525503 "\004?\235\235;\021\004", hlen=156391077) at rpmpgp.c:730
    #2  0x00297936 in pgpPrtKey (tag=PGPTAG_PUBLIC_KEY, h=0x9525503 "\004?\235\235;\021\004", hlen=418) at rpmpgp.c:886
    #3  0x00297d9d in pgpPrtPkt (pkt=0x9525500 "\231\001�\004?\235\235;\021\004", pleft=1038) at rpmpgp.c:980
    #4  0x0029826c in pgpPrtPkts (pkts=0x9525500 "\231\001�\004?\235\235;\021\004", pktlen=1038, dig=0x2b1920, printing=156337284) at rpmpgp.c:1128
    #5  0x002f1390 in rpmtsFindPubkey (ts=0x9514690) at rpmts.c:411
    #6  0x002f6a8d in verifyGPGSignature (ts=0x9514690, t=0xfefaff09 "", sha1ctx=0x950c650) at signature.c:1323
    #7  0x002f6c96 in rpmVerifySignature (ts=0x9514690, result=0xfefafef0 "Header V3 DSA signature: ") at signature.c:1377
    #8  0x002d20bb in headerCheck (ts=0x9514690, uh=0x9518484, uc=15724, msg=0xfefbff68) at package.c:623
    #9  0x0048335f in rpmdbNextIterator (mi=0x9517208) at rpmdb.c:2209
    #10 0x002d9bab in rpmcliShowMatches (qva=0x3139c0, ts=0x9514690) at query.c:370
    #11 0x002da052 in rpmQueryVerify (qva=0x3139c0, ts=0x9514690, arg=0x0) at query.c:771
    #12 0x002dadaa in rpmcliQuery (ts=0x9514690, qva=0x3139c0, argv=0x0) at query.c:825
    #13 0x080497f8 in main (argc=3, argv=0xfefc1174) at rpmqv.c:794
    #14 0x0014dad4 in __libc_start_main (main=0x8049450 <main>, argc=3, ubp_av=0xfefc1174, init=0x8049bec <__libc_csu_init>, fini=0x2520fc <environ>, rtld_fini=0x3, stack_end=0xfefc116c) at ../sysdeps/generic/libc-start.c:209
    #15 0x080491e1 in _start ()

Then we hit __libc_realloc with what appears to be a bogus address and a corrupt stack:

    (gdb) b __libc_realloc
    Breakpoint 5 at 0x1991a7: file malloc.c, line 3392.
    (gdb) c
    Continuing.

    Breakpoint 5, __libc_realloc (oldmem=0xbf04ce78, bytes=5) at malloc.c:3392
    3392      __malloc_ptr_t (*hook) __MALLOC_P ((__malloc_ptr_t, size_t,
    (gdb) bt
    #0  __libc_realloc (oldmem=0xbf04ce78, bytes=5) at malloc.c:3392
    #1  0x00390509 in mpbsethex () from /usr/lib/libbeecrypt.so.6
    #2  0xbf04ce78 in ?? ()
    #3  0x0000002c in ?? ()
    #4  0x00000400 in ?? ()
    #5  0x00295f1e in pgpPrtNL () at rpmpgp.c:265
    Previous frame inner to this frame (corrupt stack?)

Continuing segfaults immediately:

    (gdb) c
    Continuing.

    Program received signal SIGSEGV, Segmentation fault.
    __libc_realloc (oldmem=0xbf04ce78, bytes=44) at malloc.c:3406
    3406      oldsize = chunksize(oldp);
    (gdb) bt
    #0  __libc_realloc (oldmem=0xbf04ce78, bytes=44) at malloc.c:3406
    #1  0x00390509 in mpbsethex () from /usr/lib/libbeecrypt.so.6
    #2  0xbf04ce78 in ?? ()
    #3  0x0000002c in ?? ()
    #4  0x00000400 in ?? ()
    #5  0x00295f1e in pgpPrtNL () at rpmpgp.c:265
    Previous frame inner to this frame (corrupt stack?)

A .tar.bz2 of the rpmdb is 2.7 Mbytes - if you want a copy, let me know where to send it.
Please attach a URI here -- rpmdbs are too big for bugzilla attachments.
See http://homepages.ihug.co.nz/~suckfish/boom/rpmdb.tar.bz2

Still segfaults with rpm-4.3.2-0.6 btw.
Reproduced. Trying to diagnose now ...

Here's a workaround fix:

    cd /var/lib/rpm
    mv Pubkeys Pubkeys-XXX
    rpm --rebuilddb -vv

Verify the fix by doing

    rpm -qavv
    rm /var/lib/rpm/Pubkeys-XXX

Reopen this bug if you need help.
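The workaround above as a shell function that only discards the old Pubkeys index after the rebuilt database survives a full header walk, and restores it if the rebuild fails (an added example, not part of the bug report; the RPM environment override and the --dbpath argument are assumptions so the steps can be exercised outside /var/lib/rpm):

```shell
#!/bin/sh
# Added example: set aside a suspect Pubkeys index, rebuild the rpmdb,
# and keep the backup until "rpm -qa" over every header succeeds.
# RPM (default: rpm) may be overridden via the environment; the db
# directory defaults to /var/lib/rpm.

rebuild_without_pubkeys() {
    dbpath=${1:-/var/lib/rpm}
    rpm_cmd=${RPM:-rpm}
    backup="$dbpath/Pubkeys-$(date +%Y%m%d%H%M%S)"

    if [ ! -e "$dbpath/Pubkeys" ]; then
        echo "no Pubkeys index in $dbpath" >&2
        return 2
    fi

    # Step 1: move the index aside instead of deleting it, so a failed
    # rebuild can be rolled back.
    mv "$dbpath/Pubkeys" "$backup" || return 1

    # Step 2: regenerate the indices from Packages.
    if ! "$rpm_cmd" --dbpath "$dbpath" --rebuilddb -vv; then
        echo "rebuild failed; restoring $backup" >&2
        mv "$backup" "$dbpath/Pubkeys"
        return 1
    fi

    # Step 3: the crash in the report happens while iterating headers
    # during a query, so a clean "-qavv" is the check that it is gone.
    if ! "$rpm_cmd" --dbpath "$dbpath" -qavv >/dev/null; then
        echo "query still fails; backup kept at $backup" >&2
        return 1
    fi

    # Step 4: only now remove the old index.
    rm -f "$backup"
    return 0
}
```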