Bug 1652604 - There is an illegal address access at src/pool.h:331 pool_whatprovides in libsolv.
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: libsolv
Version: 8.1
Hardware: All
OS: All
Target Milestone: rc
: 8.0
Assignee: Jaroslav Rohel
QA Contact: Karel Srot
Depends On:
Reported: 2018-11-22 13:08 UTC by shuitao gan
Modified: 2019-06-14 01:46 UTC

Fixed In Version: libsolv-0.6.35-4.el8
Doc Text:
Clone Of:
Last Closed: 2019-06-14 01:46:42 UTC
Type: Bug
Target Upstream Version:

Attachments
./testsolv POC1 (711 bytes, application/octet-stream)
2018-11-22 13:08 UTC, shuitao gan

Description shuitao gan 2018-11-22 13:08:22 UTC
Created attachment 1507933
./testsolv POC1

version: libsolv2.4

There is an illegal address access at src/pool.h:331 pool_whatprovides in libsolv.


The ASan debug is as follows:

$./testsolv POC1

==37277==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000002f0 (pc 0x7f31501d3bd2 bp 0x7ffcfe4d4a50 sp 0x7ffcfe4d4a30 T0)
    #0 0x7f31501d3bd1 in pool_whatprovides /home/company/real_sanitize/libsolv-master/src/pool.h:331
    #1 0x7f31501d895e in testcase_str2solvid /home/company/real_sanitize/libsolv-master/ext/testcase.c:793
    #2 0x7f31501e8388 in testcase_read /home/company/real_sanitize/libsolv-master/ext/testcase.c:2807
    #3 0x402aa5 in main /home/company/real_sanitize/libsolv-master/tools/testsolv.c:148
    #4 0x7f314fa8da3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #5 0x401bb8 in _start (/home/company/real_sanitize/libsolv-master/build/install/bin/testsolv+0x401bb8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/company/real_sanitize/libsolv-master/src/pool.h:331 pool_whatprovides

Comment 2 Jaroslav Rohel 2018-12-11 07:19:50 UTC
Please, which version of libsolv do you have? The "libsolv2.4" seems strange.
In RHEL 8 it is "libsolv-0.6.35".

Comment 3 Jaroslav Rohel 2018-12-11 13:10:24 UTC
PR https://github.com/openSUSE/libsolv/pull/291

Comment 5 Nicholas Luedtke 2018-12-31 17:27:40 UTC
Appears to be CVE-2018-20534.
