Bug 162037 - Crash when verifying a package that owns files in tmp dir
Summary: Crash when verifying a package that owns files in tmp dir
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm (Show other bugs)
(Show other bugs)
Version: 4
Hardware: All Linux
Target Milestone: ---
Assignee: Paul Nasrat
QA Contact: Mike McLean
: 173885 176543 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2005-06-29 12:07 UTC by Ville Skyttä
Modified: 2007-11-30 22:11 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-10-25 23:17:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Reproducer specfile (469 bytes, text/plain)
2005-06-29 12:07 UTC, Ville Skyttä
no flags Details
Console output of the crash (4.13 KB, text/plain)
2005-06-29 12:08 UTC, Ville Skyttä
no flags Details
gdb backtrace (1.07 KB, text/plain)
2005-06-29 12:09 UTC, Ville Skyttä
no flags Details

Description Ville Skyttä 2005-06-29 12:07:16 UTC
When doing a "rpm -V" on an installed package that owns files in /tmp  
or /var/tmp, rpmv crashes.  This is rpm-4.4.1-21 on FC4. 
The crash also leaves rpmdb locked, and the usual rm /var/lib/rpm/__db* helps. 
This seems to be a pathological case, as it seems to happen only with /tmp  
and /var/tmp, but a crash is a crash...

Comment 1 Ville Skyttä 2005-06-29 12:07:17 UTC
Created attachment 116117 [details]
Reproducer specfile

Comment 2 Ville Skyttä 2005-06-29 12:08:33 UTC
Created attachment 116118 [details]
Console output of the crash

Comment 3 Ville Skyttä 2005-06-29 12:09:35 UTC
Created attachment 116120 [details]
gdb backtrace

Comment 4 Paul Nasrat 2005-06-29 12:24:15 UTC
Looks like the Fedora specific matchpathcon stuff, I'll investigate thanks.

Comment 5 Paul Nasrat 2005-06-29 12:27:57 UTC
Are you running with selinux, can you also do:

ls -lZ /tmp/crashme

Comment 6 Ville Skyttä 2005-06-29 13:09:42 UTC
Yep, selinux-policy-targeted-1.23.18-12 and enforcing. 
$ ls -lZ /tmp/crashme 
-rw-r--r--  root     root     root:object_r:tmp_t              /tmp/crashme 

Comment 7 Ville Skyttä 2005-06-29 13:14:33 UTC
I also see that I posted mismatching specfile (package "test4") and backtraces 
(from "rpm -V test"), that was the result of trying to minimize the case and 
losing track of the "generations" while at it.  Sorry about that.  Anyway, the 
attached specfile in comment 1 can still be used to reproduce the crash here. 

Comment 8 Paul Nasrat 2005-08-26 22:36:57 UTC
Thanks for reproducer and tracebacks, I have a patch that I'm testing will be in
rawhide 4.4.2-4.  This is in the fedora matchpathcon selinux impl not in
upstream rpm, basically unchecked path.

If you can test I'll try and get a fix to FC4.

Comment 9 Jeff Johnson 2005-08-27 04:23:53 UTC
Either there's still a segfault in strcmp, or con is never NULL:
diff -u rpm-4.4.2/lib/verify.c rpm-4.4.2/lib/verify.c
--- rpm-4.4.2/lib/verify.c      2005-07-21 16:47:11.000000000 -0400
+++ rpm-4.4.2/lib/verify.c      2005-08-26 12:23:35.000000000 -0400
@@ -138,8 +138,10 @@

            if (fcontext == NULL || strcmp(fcontext, con))
                *res |= RPMVERIFY_CONTEXTS;
-           freecon(con);
-            freecon(fcontext); 
+            if (con != NULL)
+               freecon(con);
+            if (fcontext != NULL)
+                freecon(fcontext); 


Comment 10 Jeff Johnson 2005-08-27 04:29:01 UTC
The rpm-4.4.2-matchpathcon.patch patch breaks --without-selinux gratuitously, and *still*
does not use dlopen().

Comment 11 Ville Skyttä 2005-09-01 18:05:16 UTC
Thanks for looking into this.  But I don't have a Rawhide box to test with, 
and FWIW, I don't think this is necessarily serious enough a problem to 
warrant an FC4 erratum. 

Comment 12 Paul Nasrat 2005-09-22 18:03:19 UTC
Ville tomorrows rawhide rpm should work better.

Comment 13 Jeff Johnson 2005-10-25 23:17:33 UTC
This problem is presumably fixed.

Comment 14 Paul Nasrat 2006-03-29 22:09:54 UTC
*** Bug 176543 has been marked as a duplicate of this bug. ***

Comment 15 Paul Nasrat 2006-03-29 22:15:28 UTC
*** Bug 173885 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.