Bug 1312574 - rsync crashes with "*** glibc detected *** rsync: free(): invalid pointer: 0x... ***"
Status: NEW
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: rsync
Version: 6.7
Hardware/OS: Unspecified Unspecified
Priority: medium, Severity: high
Target Milestone: rc
Assigned To: Michal Ruprich
QA Contact: BaseOS QE Security Team
Reported: 2016-02-27 08:39 EST by Thomas Bruecker
Modified: 2017-10-09 05 EDT
Type: Bug
Attachments:
  path mentioned above. (352 bytes, patch) - 2016-02-27 08:39 EST, Thomas Bruecker

Description Thomas Bruecker 2016-02-27 08:39:36 EST
Created attachment 1131086: path mentioned above.

Description of problem:

* executing rsync by:
  "
  rsync -abAcvHX                                                      \
    --backup-dir="/root/rpmbuild/BUILD/kernel-dm-devel/!pendent.del"  \
    -e "ssh  -o ServerAliveCountMax=1000  -o ServerAliveInterval=5"   \
    --numeric-ids  --stats                                            \
    "root@ceph-2.int.thomas-r-bruecker.ch:/root/rpmbuild/BUILD/kernel-dm-devel/!this/." \
    "/root/rpmbuild/BUILD/kernel-dm-devel/!rsync.test"                                        \
   "

Version-Release number of selected component (if applicable):
* "rsync-3.0.6-12.el6.i686" (actually) CentOS; but the source-rpm corresponds
  (especially the file "xattrs.c" is identical in both source-rpms) to
  your source-rpm: "rsync-3.0.6-12.el6.src.rpm".

How reproducible:
* "-b" and "--backup-dir=<some directory>" are (I think) mandatory to reproduce
  the error.

Actual results:
* program output:
  "
   root@ceph-2.int.thomas-r-bruecker.ch's password: 
   receiving incremental file list                  
   *** glibc detected *** rsync: free(): invalid pointer: 0x09826fe4 ***
       !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
   "
* examination with "gdb":
  Program received signal SIGABRT, Aborted.
  0x00209424 in __kernel_vsyscall ()
  [...]
  * then "bt":
    "
    #0  0x00209424 in __kernel_vsyscall ()
    #1  0x00557871 in raise () from /lib/libc.so.6
    #2  0x0055914a in abort () from /lib/libc.so.6
    #3  0x00597735 in __libc_message () from /lib/libc.so.6
    #4  0x0059dc81 in malloc_printerr () from /lib/libc.so.6
    #5  0x005a05c2 in _int_free () from /lib/libc.so.6
    #6  0x0807dc34 in uncache_tmp_xattrs () at xattrs.c:787
    #7  0x0806b33e in keep_backup (fname=0xbf9b50ac ".git/FETCH_HEAD")
        at backup.c:369
    #8  make_backup (fname=0xbf9b50ac ".git/FETCH_HEAD") at backup.c:384
    #9  0x08053206 in finish_transfer (fname=0xbf9b50ac ".git/FETCH_HEAD", 
        fnametmp=0xbf9b30ac ".git/.FETCH_HEAD.G7tNo4", 
        fnamecmp=0xbf9b50ac ".git/FETCH_HEAD", partialptr=0x0, file=0xb747bb64, 
        ok_to_set_time=1, overwriting_basis=1) at rsync.c:570
    #10 0x0805ba59 in recv_files (f_in=5, local_name=0x0) at receiver.c:736
    #11 0x080654d7 in do_recv (f_in=5, f_out=4, local_name=0x0) at main.c:774
    #12 0x08065892 in client_run (f_in=5, f_out=4, pid=17661, argc=1, 
        argv=0x9e249ec) at main.c:1067
    #13 0x080668ac in start_client (argc=2, argv=0xbf9b8334) at main.c:1274
    #14 main (argc=2, argv=0xbf9b8334) at main.c:1501
    "
Expected results: should work without error.

Additional info:
* the following patch (also as an attachment) solves the problem:
  "
  diff --git a/xattrs.c b/xattrs.c
  index 3ddd49d..8bc9f8b 100644
  --- a/xattrs.c
  +++ b/xattrs.c
  @@ -784,7 +784,7 @@ void uncache_tmp_xattrs(void)
     		  rsync_xal_l.count = prior_xattr_count;
 		  while (xattr_item-- > xattr_start) {
 			  rsync_xal_free(xattr_item);
  -			  free(xattr_item);
  +			  free(xattr_item->items);
 		  }
 		  prior_xattr_count = (size_t)-1;
 	  }
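Review bot: the new `free(xattr_item->items)` at the end of the hunk matches the backtrace and the reporter's call chain: `xattr_item` is an element address inside the list array that `expand_item_list()` / `_realloc_array()` grow with realloc, not a pointer that malloc returned, so `free(xattr_item)` hands glibc an interior pointer (the "free(): invalid pointer" abort in `uncache_tmp_xattrs()` at xattrs.c:787), while `items` is what `rsync_xal_store()` allocates per entry. One thing to confirm before merging, since it is not visible in the hunk: `rsync_xal_free(xattr_item)` is called on the line just above; if that routine already releases `xattr_item->items`, the added `free()` becomes a double free and `items` should instead be cleared or left to `rsync_xal_free()` alone.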
  "
* reason (most probably and quick and dirty):
  libc: "malloc resp. realloc" sets "xattr_item->items" and not "xattr_item"
  through
    rsync_xal_store()
    --> EXPAND_ITEM_LIST()
      --> expand_item_list()
        --> _realloc_array()
          --> malloc resp. realloc sets "xattr_item->items"

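An added C model of the ownership pattern behind this crash (constructed for illustration, not rsync's code; the type and function names `xa_entry`, `xa_list`, `xa_list_expand`, `xa_store` and `xa_uncache` are assumptions): entries live inside one realloc'd array, so the only per-entry heap block is `items`, and the cleanup loop must free that rather than the entry's own address.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of the list shape the backtrace implies (assumed names,
 * not rsync's own): one realloc'd array of entries, each owning 'items'. */
typedef struct {
    char  *items;   /* the only per-entry heap block */
    size_t count;
} xa_entry;

typedef struct {
    xa_entry *entries;  /* single heap block holding every entry */
    size_t    count;
    size_t    alloc;
} xa_list;

/* Like expand_item_list(): grow the entry array with realloc and hand back
 * the address of the next slot. That address is interior to 'entries'. */
static xa_entry *xa_list_expand(xa_list *l) {
    if (l->count == l->alloc) {
        size_t n = l->alloc ? l->alloc * 2 : 4;
        xa_entry *p = realloc(l->entries, n * sizeof *p);
        if (!p) abort();
        l->entries = p; l->alloc = n;
    }
    return &l->entries[l->count++];
}

/* Like rsync_xal_store(): the entry itself is not malloc'd, only its items. */
static void xa_store(xa_list *l, const char *value) {
    xa_entry *e = xa_list_expand(l);
    e->count = strlen(value) + 1;
    e->items = malloc(e->count);
    if (!e->items) abort();
    memcpy(e->items, value, e->count);
}

/* Corrected uncache step, same loop shape as the patched uncache_tmp_xattrs():
 * walk back over entries added after 'prior' and free each entry's items.
 * free(e) here would pass glibc an interior pointer and abort. */
static size_t xa_uncache(xa_list *l, size_t prior) {
    size_t freed = 0;
    xa_entry *start = l->entries + prior, *e = l->entries + l->count;
    while (e-- > start) {
        free(e->items);
        e->items = NULL;
        freed++;
    }
    l->count = prior;
    return freed;
}
```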