From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc4 Firefox/1.0.6 Description of problem: rpm verify is crashing with a free invalid pointer on a particular package. It could crash on other packages; nfs-utils is the first when doing '-Va'. It Run 'rpm -V nfs-utils'. It dies with the following message: ......... /var/lib/nfs ..?...... c /var/lib/nfs/etab ..?...... c /var/lib/nfs/rmtab *** glibc detected *** /usr/lib/rpm/rpmv: free(): invalid pointer: 0x0000000000afc0b4 *** ======= Backtrace: ========= /lib64/libc.so.6[0x30b356a94e] /lib64/libc.so.6(__libc_free+0x6e)[0x30b356ae7e] /usr/lib64/librpm-4.4.so(rpmVerifyFile+0x51e)[0x3bf3949478] /usr/lib64/librpm-4.4.so(showVerifyPackage+0x24a)[0x3bf39498c9] /usr/lib64/librpm-4.4.so(rpmcliShowMatches+0x26)[0x3bf3927ffd] /usr/lib64/librpm-4.4.so(rpmQueryVerify+0x1fd)[0x3bf3928c3f] /usr/lib64/librpm-4.4.so(rpmcliArgIter+0x80)[0x3bf39293ec] /usr/lib64/librpm-4.4.so(rpmcliVerify+0x8d)[0x3bf3948ecd] /usr/lib/rpm/rpmv[0x40214f] /lib64/libc.so.6(__libc_start_main+0xdc)[0x30b351c4cc] /usr/lib/rpm/rpmv[0x4019a9] ======= Memory map: ======== <memory map snipped> Version-Release number of selected component (if applicable): rpm-4.4.1-22.x86_64 How reproducible: Always Steps to Reproduce: 1. rpm -V nfs-utils 2. Crash Additional info:
It still crashes after the nfs-utils update. And removing and reinstalling nfs-utils does not fix it. After removing nfs-utils, it crashes Here is a stack trace: (gdb) bt #0 0x00000030b352f3b0 in *__GI_raise (sig=Variable "sig" is not available. ) at ../nptl/sysdeps/unix/sysv/linux/raise.c:67 #1 0x00000030b3530860 in *__GI_abort () at ../sysdeps/generic/abort.c:88 #2 0x00000030b3564caf in __libc_message (do_abort=Variable "do_abort" is not available. ) at ../sysdeps/unix/sysv/linux/libc_fatal.c:170 #3 0x00000030b356a94e in _int_free (av=0x30b3733680, mem=Variable "mem" is not available. ) at malloc.c:5578 #4 0x00000030b356ae7e in *__GI___libc_free (mem=Variable "mem" is not available. ) at malloc.c:3419 #5 0x0000003bf3949478 in rpmVerifyFile (ts=Variable "ts" is not available. ) at verify.c:142 #6 0x0000003bf39498c9 in showVerifyPackage (qva=0x3bf3a8eb60, ts=0x52c510, h=0xaee880) at verify.c:316 #7 0x0000003bf3927ffd in rpmcliShowMatches (qva=0x3bf3a8eb60, ts=0x52c510) at query.c:394 #8 0x0000003bf3928c3f in rpmQueryVerify (qva=0x3bf3a8eb60, ts=0x52c510, arg=0xade4e0 "nfs-utils") at query.c:672 #9 0x0000003bf39293ec in rpmcliArgIter (ts=0x52c510, qva=0x3bf3a8eb60, argv=Variable "argv" is not available. ) at query.c:754 #10 0x0000003bf3948ecd in rpmcliVerify (ts=0x52c510, qva=0x3bf3a8eb60, argv=0x506320) at verify.c:534 #11 0x000000000040214f in main (argc=4, argv=Variable "argv" is not available. ) at ./rpmqv.c:813 #12 0x00000030b351c4cc in __libc_start_main (main=0x401a90 <main>, argc=4, ubp_av=0x7ffffff92578, init=0x402260 <__libc_csu_init>, fini=Variable "fini" is not available. ) at ../sysdeps/generic/libc-start.c:228 #13 0x00000000004019a9 in _start () #14 0x00007ffffff92568 in ?? () #15 0x0000000000000000 in ?? ()
Oops. Forgot to complete the message. What I meant to say, is that after removing nfs-utils, there are no other crashes. The crash only seems to happen when verifying nfs-utils package.
Hmmm, this smells like the selinux MLS double free problem.
Created attachment 118233 [details] backtrace from rpmv -- glibc detected invalid pointer
I've confirmed the above backtrace also occurs for just verifying nfs-utils. It also happens for a non-root user, in case it matters. I note that the rpm -V almost finishes; assuming that the it's the same order as rpm -ql, the only files after the rmtab are: /var/lib/nfs/rpc_pipefs /var/lib/nfs/statd /var/lib/nfs/state /var/lib/nfs/xtab First few lines of bt mention libselinux: # rpm -qV nfs-utils ..?...... c /var/lib/nfs/etab ..?...... c /var/lib/nfs/rmtab *** glibc detected *** /usr/lib/rpm/rpmq: free(): invalid pointer: 0x08ee4730 *** ======= Backtrace: ========= /lib/libc.so.6[0xb67124] /lib/libc.so.6(__libc_free+0x77)[0xb6765f] /lib/libselinux.so.1(freecon+0x1d)[0xa0a91d] /usr/lib/librpm-4.4.so(rpmVerifyFile+0x5ed)[0x65c580] /usr/lib/librpm-4.4.so(showVerifyPackage+0x25c)[0x65ca53] /usr/lib/librpm-4.4.so(rpmcliShowMatches+0x3e)[0x636183] /usr/lib/librpm-4.4.so(rpmQueryVerify+0x22f)[0x636ed0] /usr/lib/librpm-4.4.so(rpmcliArgIter+0xa8)[0x63792d] /usr/lib/librpm-4.4.so(rpmcliVerify+0x8f)[0x65beef] /usr/lib/rpm/rpmq[0x8049ba2] /lib/libc.so.6(__libc_start_main+0xdf)[0xb18d5f] /usr/lib/rpm/rpmq[0x8049301]
I'm also having this problem as well as with the filesystem rpm. SELinux is enabled, but set to passive.
Please confirm if this occurs with rpm from FC5 test1
I'm not reporter but I've had similar problem. I've recompiled rpm-4.4.2-7.src.rpm from FC5-test1 and installed it and now I can do "rpm -Va" without a crash. My crash after "rpm -V filesystem" looked very similar to comment #5: *** glibc detected *** /usr/lib/rpm/rpmv: free(): invalid pointer: 0x08de15ee *** ======= Backtrace: ========= /lib/libc.so.6[0x202124] /lib/libc.so.6(__libc_free+0x77)[0x20265f] /lib/libselinux.so.1(freecon+0x1d)[0x38991d] /usr/lib/librpm-4.4.so(rpmVerifyFile+0x5ed)[0xc05580] /usr/lib/librpm-4.4.so(showVerifyPackage+0x25c)[0xc05a53] /usr/lib/librpm-4.4.so(rpmcliShowMatches+0x3e)[0xbdf183] /usr/lib/librpm-4.4.so(rpmQueryVerify+0x22f)[0xbdfed0] /usr/lib/librpm-4.4.so(rpmcliArgIter+0xa8)[0xbe092d] /usr/lib/librpm-4.4.so(rpmcliVerify+0x8f)[0xc04eef] /usr/lib/rpm/rpmv[0x8049ba2] /lib/libc.so.6(__libc_start_main+0xdf)[0x1b3d5f] /usr/lib/rpm/rpmv[0x8049301]
rpm -Va works fine on Rawhide with rpm-4.4.2-11.x86_64.
Please provide errata rpm package for FC4. "rpm -V" is very useful when upgrading, migrating etc. but it does not work now. Also, when rpm crashes, it can leave its database in locked state - it is not obvious that man have to unlock it with: rm -f /var/lib/rpm/__db.*