Bug 162037 - Crash when verifying a package that owns files in tmp dir
Crash when verifying a package that owns files in tmp dir
Product: Fedora
Classification: Fedora
Component: rpm (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Paul Nasrat
Mike McLean
: 173885 176543 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2005-06-29 08:07 EDT by Ville Skyttä
Modified: 2007-11-30 17:11 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-10-25 19:17:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Reproducer specfile (469 bytes, text/plain)
2005-06-29 08:07 EDT, Ville Skyttä
no flags Details
Console output of the crash (4.13 KB, text/plain)
2005-06-29 08:08 EDT, Ville Skyttä
no flags Details
gdb backtrace (1.07 KB, text/plain)
2005-06-29 08:09 EDT, Ville Skyttä
no flags Details

  None (edit)
Description Ville Skyttä 2005-06-29 08:07:16 EDT
When doing a "rpm -V" on an installed package that owns files in /tmp  
or /var/tmp, rpmv crashes.  This is rpm-4.4.1-21 on FC4. 
The crash also leaves rpmdb locked, and the usual rm /var/lib/rpm/__db* helps. 
This seems to be a pathological case, as it seems to happen only with /tmp  
and /var/tmp, but a crash is a crash...
Comment 1 Ville Skyttä 2005-06-29 08:07:17 EDT
Created attachment 116117 [details]
Reproducer specfile
Comment 2 Ville Skyttä 2005-06-29 08:08:33 EDT
Created attachment 116118 [details]
Console output of the crash
Comment 3 Ville Skyttä 2005-06-29 08:09:35 EDT
Created attachment 116120 [details]
gdb backtrace
Comment 4 Paul Nasrat 2005-06-29 08:24:15 EDT
Looks like the Fedora specific matchpathcon stuff, I'll investigate thanks.
Comment 5 Paul Nasrat 2005-06-29 08:27:57 EDT
Are you running with selinux, can you also do:

ls -lZ /tmp/crashme
Comment 6 Ville Skyttä 2005-06-29 09:09:42 EDT
Yep, selinux-policy-targeted-1.23.18-12 and enforcing. 
$ ls -lZ /tmp/crashme 
-rw-r--r--  root     root     root:object_r:tmp_t              /tmp/crashme 
Comment 7 Ville Skyttä 2005-06-29 09:14:33 EDT
I also see that I posted mismatching specfile (package "test4") and backtraces 
(from "rpm -V test"), that was the result of trying to minimize the case and 
losing track of the "generations" while at it.  Sorry about that.  Anyway, the 
attached specfile in comment 1 can still be used to reproduce the crash here. 
Comment 8 Paul Nasrat 2005-08-26 18:36:57 EDT
Thanks for reproducer and tracebacks, I have a patch that I'm testing will be in
rawhide 4.4.2-4.  This is in the fedora matchpathcon selinux impl not in
upstream rpm, basically unchecked path.

If you can test I'll try and get a fix to FC4.
Comment 9 Jeff Johnson 2005-08-27 00:23:53 EDT
Either there's still a segfault in strcmp, or con is never NULL:
diff -u rpm-4.4.2/lib/verify.c rpm-4.4.2/lib/verify.c
--- rpm-4.4.2/lib/verify.c      2005-07-21 16:47:11.000000000 -0400
+++ rpm-4.4.2/lib/verify.c      2005-08-26 12:23:35.000000000 -0400
@@ -138,8 +138,10 @@

            if (fcontext == NULL || strcmp(fcontext, con))
                *res |= RPMVERIFY_CONTEXTS;
-           freecon(con);
-            freecon(fcontext); 
+            if (con != NULL)
+               freecon(con);
+            if (fcontext != NULL)
+                freecon(fcontext); 

Comment 10 Jeff Johnson 2005-08-27 00:29:01 EDT
The rpm-4.4.2-matchpathcon.patch patch breaks --without-selinux gratuitously, and *still*
does not use dlopen().
Comment 11 Ville Skyttä 2005-09-01 14:05:16 EDT
Thanks for looking into this.  But I don't have a Rawhide box to test with, 
and FWIW, I don't think this is necessarily serious enough a problem to 
warrant an FC4 erratum. 
Comment 12 Paul Nasrat 2005-09-22 14:03:19 EDT
Ville tomorrows rawhide rpm should work better.
Comment 13 Jeff Johnson 2005-10-25 19:17:33 EDT
This problem is presumably fixed.
Comment 14 Paul Nasrat 2006-03-29 17:09:54 EST
*** Bug 176543 has been marked as a duplicate of this bug. ***
Comment 15 Paul Nasrat 2006-03-29 17:15:28 EST
*** Bug 173885 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.