Bug 162037 - Crash when verifying a package that owns files in tmp dir
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Paul Nasrat
QA Contact: Mike McLean
Duplicates: 173885 176543
Reported: 2005-06-29 12:07 UTC by Ville Skyttä
Modified: 2007-11-30 22:11 UTC (History)

Doc Type: Bug Fix
Last Closed: 2005-10-25 23:17:33 UTC
Type: ---


Attachments
Reproducer specfile (469 bytes, text/plain)
2005-06-29 12:07 UTC, Ville Skyttä
Console output of the crash (4.13 KB, text/plain)
2005-06-29 12:08 UTC, Ville Skyttä
gdb backtrace (1.07 KB, text/plain)
2005-06-29 12:09 UTC, Ville Skyttä

Description Ville Skyttä 2005-06-29 12:07:16 UTC
When doing a "rpm -V" on an installed package that owns files in /tmp
or /var/tmp, rpmv crashes.  This is rpm-4.4.1-21 on FC4.

The crash also leaves rpmdb locked, and the usual rm /var/lib/rpm/__db* helps.

This seems to be a pathological case, as it seems to happen only with /tmp
and /var/tmp, but a crash is a crash...

Comment 1 Ville Skyttä 2005-06-29 12:07:17 UTC
Created attachment 116117
Reproducer specfile

Comment 2 Ville Skyttä 2005-06-29 12:08:33 UTC
Created attachment 116118
Console output of the crash

Comment 3 Ville Skyttä 2005-06-29 12:09:35 UTC
Created attachment 116120
gdb backtrace

Comment 4 Paul Nasrat 2005-06-29 12:24:15 UTC
Looks like the Fedora-specific matchpathcon stuff. I'll investigate, thanks.

Comment 5 Paul Nasrat 2005-06-29 12:27:57 UTC
Are you running with selinux, can you also do:

ls -lZ /tmp/crashme

Comment 6 Ville Skyttä 2005-06-29 13:09:42 UTC
Yep, selinux-policy-targeted-1.23.18-12 and enforcing. 
 
$ ls -lZ /tmp/crashme 
-rw-r--r--  root     root     root:object_r:tmp_t              /tmp/crashme 
 

Comment 7 Ville Skyttä 2005-06-29 13:14:33 UTC
I also see that I posted mismatching specfile (package "test4") and backtraces 
(from "rpm -V test"), that was the result of trying to minimize the case and 
losing track of the "generations" while at it.  Sorry about that.  Anyway, the 
attached specfile in comment 1 can still be used to reproduce the crash here. 

Comment 8 Paul Nasrat 2005-08-26 22:36:57 UTC
Thanks for the reproducer and tracebacks. I have a patch that I'm testing; it will be in
rawhide 4.4.2-4.  This is in the Fedora matchpathcon SELinux impl, not in
upstream rpm; basically an unchecked path.

If you can test I'll try and get a fix to FC4.

Comment 9 Jeff Johnson 2005-08-27 04:23:53 UTC
Either there's still a segfault in strcmp, or con is never NULL:
diff -u rpm-4.4.2/lib/verify.c rpm-4.4.2/lib/verify.c
--- rpm-4.4.2/lib/verify.c      2005-07-21 16:47:11.000000000 -0400
+++ rpm-4.4.2/lib/verify.c      2005-08-26 12:23:35.000000000 -0400
@@ -138,8 +138,10 @@

            if (fcontext == NULL || strcmp(fcontext, con))
                *res |= RPMVERIFY_CONTEXTS;
-           freecon(con);
-            freecon(fcontext); 
+            if (con != NULL)
+               freecon(con);
+            if (fcontext != NULL)
+                freecon(fcontext); 

        }
     }
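
Review bot: the unchanged condition "if (fcontext == NULL || strcmp(fcontext, con))" directly above the edited lines still passes con to strcmp without a NULL test, so the new "if (con != NULL)" guard on freecon is reached only after the dereference it implies can happen. If con can be NULL at this point, the test belongs in that condition (for example by also checking con == NULL before the strcmp and deciding explicitly whether that case should set RPMVERIFY_CONTEXTS); if it cannot, the guard on con is dead code and only the fcontext one is justified by the visible logic. A comment stating which call is allowed to leave con or fcontext NULL would make the intent reviewable. Minor style point: the added lines mix indentation widths and keep the trailing space after "freecon(fcontext);".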


Comment 10 Jeff Johnson 2005-08-27 04:29:01 UTC
The rpm-4.4.2-matchpathcon.patch patch breaks --without-selinux gratuitously, and *still*
does not use dlopen().

Comment 11 Ville Skyttä 2005-09-01 18:05:16 UTC
Thanks for looking into this.  But I don't have a Rawhide box to test with, 
and FWIW, I don't think this is necessarily serious enough a problem to 
warrant an FC4 erratum. 

Comment 12 Paul Nasrat 2005-09-22 18:03:19 UTC
Ville, tomorrow's rawhide rpm should work better.

Comment 13 Jeff Johnson 2005-10-25 23:17:33 UTC
This problem is presumably fixed.

Comment 14 Paul Nasrat 2006-03-29 22:09:54 UTC
*** Bug 176543 has been marked as a duplicate of this bug. ***

Comment 15 Paul Nasrat 2006-03-29 22:15:28 UTC
*** Bug 173885 has been marked as a duplicate of this bug. ***

