Bug 1551400 - dnf segfaults with a query of the form "dnf provides '*/x y*'"
Summary: dnf segfaults with a query of the form "dnf provides '*/x y*'"
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: libdnf
Version: 27
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: rpm-software-management
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-03-05 04:30 UTC by Samuel Sieb
Modified: 2018-03-06 11:48 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-03-06 11:48:12 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Samuel Sieb 2018-03-05 04:30:18 UTC 
When running a dnf query of the form "dnf provides '*/x y*'" (you can just use that literally), there is always a segfault in glibc.  It is not always the same, but most times it was in the malloc call.  The tcache->entries table contains an invalid address, a very large address.  For example, the first few entries are:
{0x0, 0x6e69622f7273752f, 0x559ab56a2bc0, 0x559ab5599e80, 0x559ab5700670
The second one is the problem.
Comment 1 Florian Weimer 2018-03-05 07:59:40 UTC 
Looks like a use-after-free in libsolv:

==29328== Invalid read of size 1
==29328==    at 0x4C32BC2: __strlen_sse2 (vg_replace_strmem.c:460)
==29328==    by 0x5DAD8CD: strdup (strdup.c:41)
==29328==    by 0x1844BC82: solv_strdup (in /usr/lib64/libsolv.so.0)
==29328==    by 0x18443773: datamatcher_init (in /usr/lib64/libsolv.so.0)
==29328==    by 0x184445CB: dataiterator_init (in /usr/lib64/libsolv.so.0)
==29328==    by 0x17F8B573: reldeplist_from_str (in /usr/lib64/libdnf.so.1)
==29328==    by 0x17D62306: pyseq_to_reldeplist (in /usr/lib64/python3.6/site-packages/hawkey/_hawkey.so)
==29328==    by 0x17D63FE9: ??? (in /usr/lib64/python3.6/site-packages/hawkey/_hawkey.so)
==29328==    by 0x4FBDB5E: PyCFunction_Call (in /usr/lib64/libpython3.6m.so.1.0)
==29328==    by 0x5002E36: _PyEval_EvalFrameDefault (in /usr/lib64/libpython3.6m.so.1.0)
==29328==    by 0x4F59784: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==29328==    by 0x4F5A4BC: _PyFunction_FastCallDict (in /usr/lib64/libpython3.6m.so.1.0)
==29328==  Address 0x10fcda50 is 0 bytes inside a block of size 32 free'd
==29328==    at 0x4C30D18: free (vg_replace_malloc.c:530)
==29328==    by 0x11EE046D: g_free (in /usr/lib64/libglib-2.0.so.0.5400.3)
==29328==    by 0x17F8B3E7: parse_reldep_str (in /usr/lib64/libdnf.so.1)
==29328==    by 0x17F8B556: reldeplist_from_str (in /usr/lib64/libdnf.so.1)
==29328==    by 0x17D62306: pyseq_to_reldeplist (in /usr/lib64/python3.6/site-packages/hawkey/_hawkey.so)
==29328==    by 0x17D63FE9: ??? (in /usr/lib64/python3.6/site-packages/hawkey/_hawkey.so)
==29328==    by 0x4FBDB5E: PyCFunction_Call (in /usr/lib64/libpython3.6m.so.1.0)
==29328==    by 0x5002E36: _PyEval_EvalFrameDefault (in /usr/lib64/libpython3.6m.so.1.0)
==29328==    by 0x4F59784: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==29328==    by 0x4F5A4BC: _PyFunction_FastCallDict (in /usr/lib64/libpython3.6m.so.1.0)
==29328==    by 0x4F5A80D: _PyObject_FastCallDict (in /usr/lib64/libpython3.6m.so.1.0)
==29328==    by 0x4F64950: _PyObject_Call_Prepend (in /usr/lib64/libpython3.6m.so.1.0)
==29328==  Block was alloc'd at
==29328==    at 0x4C2FB6B: malloc (vg_replace_malloc.c:299)
==29328==    by 0x11EE0358: g_malloc (in /usr/lib64/libglib-2.0.so.0.5400.3)
==29328==    by 0x17F8B1E8: copy_str_from_subexpr (in /usr/lib64/libdnf.so.1)
==29328==    by 0x17F8B2A9: parse_reldep_str (in /usr/lib64/libdnf.so.1)
==29328==    by 0x17F8B556: reldeplist_from_str (in /usr/lib64/libdnf.so.1)
==29328==    by 0x17D62306: pyseq_to_reldeplist (in /usr/lib64/python3.6/site-packages/hawkey/_hawkey.so)
==29328==    by 0x17D63FE9: ??? (in /usr/lib64/python3.6/site-packages/hawkey/_hawkey.so)
==29328==    by 0x4FBDB5E: PyCFunction_Call (in /usr/lib64/libpython3.6m.so.1.0)
==29328==    by 0x5002E36: _PyEval_EvalFrameDefault (in /usr/lib64/libpython3.6m.so.1.0)
==29328==    by 0x4F59784: ??? (in /usr/lib64/libpython3.6m.so.1.0)
==29328==    by 0x4F5A4BC: _PyFunction_FastCallDict (in /usr/lib64/libpython3.6m.so.1.0)
==29328==    by 0x4F5A80D: _PyObject_FastCallDict (in /usr/lib64/libpython3.6m.so.1.0)
Comment 2 Igor Gnatenko 2018-03-05 09:12:16 UTC 
huh? no, libdnf.

(gdb) n
766	    dataiterator_init(&di, pool, 0, 0, 0, name_glob, SEARCH_STRING | SEARCH_GLOB);
(gdb) p name_glob
$2 = 0x0

asking to search for NULL is really wrong ;)
Comment 3 Igor Gnatenko 2018-03-05 09:15:20 UTC 
Actually, libsolv returns correct thing (nothing), but then python-hawkey tried to fill some random stuff to sequence and then tries to free that... That's not going to work. Nothing to do for libsolv.
Comment 4 Jaroslav Mracek 2018-03-06 07:30:17 UTC 
Please can you provide exact version od libdnf, libsolv, and dnf?

Thanks a lot
Comment 5 Samuel Sieb 2018-03-06 07:31:37 UTC 
libdnf-0.11.1-1.fc27.x86_64
libsolv-0.6.31-1.fc27.x86_64
dnf-2.7.5-2.fc27.noarch
Comment 6 Jaroslav Mracek 2018-03-06 11:48:12 UTC 
Thanks for information. I was able to reproduce your problem with your versions, but the problem vanished with upstream versions.

libdnf-0.13.0-0.295g97c23df.fc26.x86_64
libsolv-0.6.31-1.fc26.x86_64
dnf-2.8.6-0.114ge83d408b.fc26.noarch


The upstream is available from copr repo (dnf copr enable rpmsoftwaremanagement/dnf-nightly).
Note You need to log in before you can comment on or make changes to this bug.