1487631 – lftp crash when mirroring a repository

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1487631 - lftp crash when mirroring a repository

Summary: lftp crash when mirroring a repository

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	lftp
Sub Component:
Version:	6.9
Hardware:	All
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Michal Ruprich
QA Contact:	qe-baseos-daemons
Docs Contact:
URL:
Whiteboard:	OtherQA
Depends On:
Blocks:	1461138 1494484 1494505
TreeView+	depends on / blocked

Reported:	2017-09-01 12:40 UTC by Paulo Andrade
Modified:	2021-09-09 12:34 UTC (History)
CC List:	5 users (show)
Fixed In Version:	lftp-4.0.9-15.el6
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-06-19 05:14:54 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
lftp.patch (16.21 KB, patch) 2017-09-01 12:40 UTC, Paulo Andrade	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:1882	0	None	None	None	2018-06-19 05:15:01 UTC

Description Paulo Andrade 2017-09-01 12:40:25 UTC

Created attachment 1320914 [details]
lftp.patch

Crash would happen every time when running the reproducer command:

/usr/bin/lftp -c 'mirror -c -P -v -v -e -I *.rpm -X "/headers/" -X "/repodata/" -X "*.src.rpm" -X "/SRPMS/" -X "*-debuginfo-*.rpm" -X "/debug/" https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/rhscl/1/os/Packages /tmp/mrepo'

After making some tests, issue was fixed with the attached patch.

The patch is a backport of:
https://github.com/lavv17/lftp/commit/f7f78542f96700761ef498b9dc9787c6a6ad479a

that incorporates:
https://github.com/lavv17/lftp/commit/c8d099c69a63b92f271aa84e2bfd5d3b6f3956c5

and to compile with ssl disabled:
https://github.com/lavv17/lftp/commit/d3a83939bbb7c729247eb7013e4a79d64225197f

The only extra chunk added was adding:

+        if(!conn)
+            return 0;

to Http.h:Http::IsConnected()


  The problem, in my understanding was the way "Clone" worked, and the copy
constructor invoked in this backtrace:

Core was generated by `/usr/bin/lftp -c mirror -c -P -v -v -e -I *.rpm -X "/headers/" -X "/repodata/" -'.
Program terminated with signal 5, Trace/breakpoint trap.
#0  Http::Http (this=0xdd5f20, f=<value optimized out>) at Http.cc:116
116	Http::Http(const Http *f) : super(f)
Missing separate debuginfos, use: debuginfo-install gnutls-2.8.5-19.el6_7.x86_64 libtasn1-2.3-6.el6_5.x86_64 readline-6.0-4.el6.x86_64
(gdb) bt
#0  Http::Http (this=0xdd5f20, f=<value optimized out>) at Http.cc:116
#1  0x00007ffff1d1e4f9 in Https::Https (this=0xdd5f20, o=<value optimized out>) at Http.cc:2147
#2  0x00007ffff1d21cd9 in Https::Clone (this=0x628fc0) at Http.h:204
#3  0x00007ffff1f33815 in MirrorJob::HandleFile (this=0x629eb0, file=0xc0ee30) at MirrorJob.cc:300
#4  0x00007ffff1f366f8 in MirrorJob::Do (this=0x629eb0) at MirrorJob.cc:834
#5  0x0000003d66e29074 in SMTask::Schedule () at SMTask.cc:238
#6  0x0000003d6721a4cd in Job::WaitDone (this=0x614d00) at Job.cc:494
#7  0x0000000000405af5 in main (argc=<value optimized out>, argv=<value optimized out>) at lftp.cc:479
(gdb) p this.ssl
$1 = {ptr = 0x0, static null = <optimized out>}

the backtrace was generated from gdb (and using lftp-4.0.9-14.el6.x86_64) when
watching this address:
(gdb) p &this.ssl.ptr
$2 = (lftp_ssl_gnutls **) 0xdd62d0

and just when it did become null:

(gdb) disassemble 
Dump of assembler code for function Http::Http(Http const*):
   0x00007ffff1d1e3f0 <+0>:	push   %rbx
   0x00007ffff1d1e3f1 <+1>:	mov    %rdi,%rbx
   0x00007ffff1d1e3f4 <+4>:	callq  0x7ffff1d1ae20 <_ZN9NetAccessC2EPKS_@plt>
   0x00007ffff1d1e3f9 <+9>:	mov    0x20a220(%rip),%rax        # 0x7ffff1f28620
   0x00007ffff1d1e400 <+16>:	mov    %rbx,%rdi
   0x00007ffff1d1e403 <+19>:	movq   $0x0,0x370(%rbx)
   0x00007ffff1d1e40e <+30>:	movq   $0x0,0x378(%rbx)
   0x00007ffff1d1e419 <+41>:	movq   $0x0,0x390(%rbx)
   0x00007ffff1d1e424 <+52>:	movq   $0x0,0x3a0(%rbx)
   0x00007ffff1d1e42f <+63>:	movq   $0x0,0x398(%rbx)
   0x00007ffff1d1e43a <+74>:	lea    0x10(%rax),%rdx
   0x00007ffff1d1e43e <+78>:	add    $0x170,%rax
   0x00007ffff1d1e444 <+84>:	movq   $0x0,0x3b0(%rbx)
=> 0x00007ffff1d1e44f <+95>:	mov    %rax,0x20(%rbx)
   0x00007ffff1d1e453 <+99>:	movq   $0x0,0x3b8(%rbx)
   0x00007ffff1d1e45e <+110>:	mov    %rdx,(%rbx)
   0x00007ffff1d1e461 <+113>:	movq   $0x0,0x3c8(%rbx)
   0x00007ffff1d1e46c <+124>:	movq   $0x0,0x3c0(%rbx)
   0x00007ffff1d1e477 <+135>:	movq   $0x0,0x3d8(%rbx)
   0x00007ffff1d1e482 <+146>:	movq   $0x0,0x3e8(%rbx)
   0x00007ffff1d1e48d <+157>:	movq   $0x0,0x3e0(%rbx)
   0x00007ffff1d1e498 <+168>:	callq  0x7ffff1d1b230 <_ZN4Http4InitEv@plt>
   0x00007ffff1d1e49d <+173>:	mov    %rbx,%rdi
   0x00007ffff1d1e4a0 <+176>:	xor    %esi,%esi
   0x00007ffff1d1e4a2 <+178>:	pop    %rbx
   0x00007ffff1d1e4a3 <+179>:	jmpq   0x7ffff1d1aeb0 <_ZN4Http8ReconfigEPKc@plt>
End of assembler dump.

(gdb) p/x $rbx+0x3b0
$3 = 0xdd62d0

this should happen at the end of the "super(f)" code, and
when using the Http::Connection subclass, the problem could
not be reproduced.

Comment 10 errata-xmlrpc 2018-06-19 05:14:54 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1882

Note You need to log in before you can comment on or make changes to this bug.