Bug 442761 - *** glibc detected *** /usr/lib/rpm/rpmk: free(): invalid next size (normal): 0x0000000001f5fee0 ***
*** glibc detected *** /usr/lib/rpm/rpmk: free(): invalid next size (normal):...
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: rpm (Show other bugs)
9
All Linux
low Severity low
: ---
: ---
Assigned To: Panu Matilainen
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-04-16 13:19 EDT by Bill Nottingham
Modified: 2014-03-16 23:14 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-07 04:28:58 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Bill Nottingham 2008-04-16 13:19:33 EDT
Description of problem:

konq-plugins-4.0.3-0.1.20080409svn.fc9.ppc.rpm:
gpg: WARNING: standard input reopened
*** glibc detected *** /usr/lib/rpm/rpmk: free(): invalid next size (normal):
0x0000000001f5fee0 ***
======= Backtrace: =========
/lib64/libc.so.6[0x305fc78158]
/lib64/libc.so.6(cfree+0x76)[0x305fc7a796]
/lib64/libc.so.6(qsort_r+0x308)[0x305fc34ee8]
/usr/lib64/librpmdb-4.4.so[0x3061c2b12f]
/usr/lib64/librpmdb-4.4.so[0x3061c2cd44]
/usr/lib64/librpmdb-4.4.so[0x3061c2d7e1]
/usr/lib64/librpm-4.4.so[0x3062446e09]
/usr/lib64/librpm-4.4.so(rpmAddSignature+0x20a)[0x30624472fa]
/usr/lib64/librpm-4.4.so[0x306242e08b]
/usr/lib64/librpm-4.4.so(rpmcliSign+0x24d)[0x306242fbfd]
/usr/lib/rpm/rpmk[0x401f5e]
/lib64/libc.so.6(__libc_start_main+0xfa)[0x305fc1e32a]
/usr/lib/rpm/rpmk[0x401859]
======= Memory map: ========
00110000-00126000 r-xp 00000000 08:02 10971936                          
/lib64/libgcc_s-4.3.0-20080416.so.1
00126000-00325000 ---p 00016000 08:02 10971936                          
/lib64/libgcc_s-4.3.0-20080416.so.1
00325000-00326000 rw-p 00015000 08:02 10971936                          
/lib64/libgcc_s-4.3.0-20080416.so.1
00400000-00403000 r-xp 00000000 08:02 9727600                           
/usr/lib/rpm/rpmk
00602000-00604000 rw-p 00002000 08:02 9727600                           
/usr/lib/rpm/rpmk
00604000-0063d000 r-xp 00000000 08:02 10972059                          
/lib64/libsoftokn3.so
0063d000-0083c000 ---p 00039000 08:02 10972059                          
/lib64/libsoftokn3.so
0083c000-0083e000 rw-p 00038000 08:02 10972059                          
/lib64/libsoftokn3.so
0083e000-00890000 r-xp 00000000 08:02 9481928                           
/lib64/libfreebl3.so
00890000-00a90000 ---p 00052000 08:02 9481928                           
/lib64/libfreebl3.so
00a90000-00a91000 rw-p 00052000 08:02 9481928                           
/lib64/libfreebl3.so
01eab000-01f80000 rw-p 01eab000 00:00 0                                  [heap]
305f800000-305f81d000 r-xp 00000000 08:02 9481853                       
/lib64/ld-2.8.so
305fa1c000-305fa1d000 r--p 0001c000 08:02 9481853                       
/lib64/ld-2.8.so
305fa1d000-305fa1e000 rw-p 0001d000 08:02 9481853                       
/lib64/ld-2.8.so
305fc00000-305fd62000 r-xp 00000000 08:02 11004774                      
/lib64/libc-2.8.so
305fd62000-305ff62000 ---p 00162000 08:02 11004774                      
/lib64/libc-2.8.so
305ff62000-305ff66000 r--p 00162000 08:02 11004774                      
/lib64/libc-2.8.so
305ff66000-305ff67000 rw-p 00166000 08:02 11004774                      
/lib64/libc-2.8.so
305ff67000-305ff6c000 rw-p 305ff67000 00:00 0 
3060000000-3060084000 r-xp 00000000 08:02 11004857                      
/lib64/libm-2.8.so
3060084000-3060283000 ---p 00084000 08:02 11004857                      
/lib64/libm-2.8.so
3060283000-3060284000 r--p 00083000 08:02 11004857                      
/lib64/libm-2.8.so
3060284000-3060285000 rw-p 00084000 08:02 11004857                      
/lib64/libm-2.8.so
3060400000-3060402000 r-xp 00000000 08:02 11004848                      
/lib64/libdl-2.8.so
3060402000-3060602000 ---p 00002000 08:02 11004848                      
/lib64/libdl-2.8.so
3060602000-3060603000 r--p 00002000 08:02 11004848                      
/lib64/libdl-2.8.so
3060603000-3060604000 rw-p 00003000 08:02 11004848                      
/lib64/libdl-2.8.so
3060800000-3060816000 r-xp 00000000 08:02 11004860                      
/lib64/libpthread-2.8.so
3060816000-3060a15000 ---p 00016000 08:02 11004860                      
/lib64/libpthread-2.8.so
3060a15000-3060a16000 r--p 00015000 08:02 11004860                      
/lib64/libpthread-2.8.so
3060a16000-3060a17000 rw-p 00016000 08:02 11004860                      
/lib64/libpthread-2.8.so
3060a17000-3060a1b000 rw-p 3060a17000 00:00 0 
3060c00000-3060c1a000 r-xp 00000000 08:02 11004849                      
/lib64/libselinux.so.1
3060c1a000-3060e19000 ---p 0001a000 08:02 11004849                      
/lib64/libselinux.so.1
3060e19000-3060e1a000 r--p 00019000 08:02 11004849                      
/lib64/libselinux.so.1
3060e1a000-3060e1b000 rw-p 0001a000 08:02 11004849                      
/lib64/libselinux.so.1
3060e1b000-3060e1c000 rw-p 3060e1b000 00:00 0 
3061000000-3061015000 r-xp 00000000 08:02 11004856                      
/lib64/libz.so.1.2.3
3061015000-3061214000 ---p 00015000 08:02 11004856                      
/lib64/libz.so.1.2.3
3061214000-3061215000 rw-p 00014000 08:02 11004856                      
/lib64/libz.so.1.2.3
3061400000-3061463000 r-xp 00000000 08:02 4437905                       
/usr/lib64/librpmio-4.4.so
3061463000-3061662000 ---p 00063000 08:02 4437905                       
/usr/lib64/librpmio-4.4.so
3061662000-3061667000 rw-p 00062000 08:02 4437905                       
/usr/lib64/librpmio-4.4.so
3061667000-3061689000 rw-p 3061667000 00:00 0 
3061800000-3061807000 r-xp 00000000 08:02 11004862                      
/lib64/librt-2.8.so
3061807000-3061a07000 ---p 00007000 08:02 11004862                      
/lib64/librt-2.8.so
3061a07000-3061a08000 r--p 00007000 08:02 11004862                      
/lib64/librt-2.8.so
3061a08000-3061a09000 rw-p 00008000 08:02 11004862                      
/lib64/librt-2.8.so
3061c00000-3061d19000 r-xp 00000000 08:02 5634596                       
/usr/lib64/librpmdb-4.4.so
3061d19000-3061f18000 ---p 00119000 08:02 5634596                       
/usr/lib64/librpmdb-4.4.so
3061f18000-3061f1f000 rw-p 00118000 08:02 5634596                       
/usr/lib64/librpmdb-4.4.so
3061f1f000-3061f20000 rw-p 3061f1f000 00:00 0 
3062400000-306245c000 r-xp 00000000 08:02 4438127                       
/usr/lib64/librpm-4.4.so
306245c000-306265b000 ---p 0005c000 08:02 4438127                       
/usr/lib64/librpm-4.4.so
306265b000-3062660000 rw-p 0005b000 08:02 4438127                       
/usr/lib64/librpm-4.4.so
3062660000-3062693000 rw-p 3062660000 00:00 0 
306e000000-306e008000 r-xp 00000000 08:02 11004879                      
/lib64/libpopt.so.0.0.0
306e008000-306e208000 ---p 00008000 08:02 11004879                      
/lib64/libpopt.so.0.0.0
306e208000-306e209000 rw-p 00008000 08:02 11004879                      
/lib64/libpopt.so.0.0.0
306f400000-306f46c000 r-xp 00000000 08:02 281896                        
/usr/lib64/libsqlite3.so.0.8.6
306f46c000-306f66c000 ---p 0006c000 08:02 281896                        
/usr/lib64/libsqlite3.so.0.8.6
306f66c000-306f66f000 rw-p 0006c000 08:02 281896                        
/usr/lib64/libsqlite3.so.0.8.6
306f800000-306f813000 r-xp 00000000 08:02 4438077                       
/usr/lib64/libelf-0.133.so
306f813000-306fa12000 ---p 00013000 08:02 4438077                       
/usr/lib64/libelf-0.133.so
306fa12000-306fa13000 r--p 00012000 08:02 4438077                       
/usr/lib64/libelf-0.133.so
306fa13000-306fa14000 rw-p 00013000 08:02 4438077                       
/usr/lib64/libelf-0.133.so
3070000000-3070003000 r-xp 00000000 08:02 11004889                      
/lib64/libplds4.so
3070003000-3070202000 ---p 00003000 08:02 11004889                      
/lib64/libplds4.so
3070202000-3070203000 rw-p 00002000 08:02 11004889                      
/lib64/libplds4.so
3071800000-3071804000 r-xp 00000000 08:02 11004890                      
/lib64/libplc4.so
3071804000-3071a03000 ---p 00004000 08:02 11004890                      
/lib64/libplc4.so
3071a03000-3071a04000 rw-p 00003000 08:02 11004890                      
/lib64/libplc4.so
3071c00000-3071c37000 r-xp 00000000 08:02 11004888                      
/lib64/libnspr4.so
3071c37000-3071e37000 ---p 00037000 08:02 11004888                      
/lib64/libnspr4.so
3071e37000-3071e39000 rw-p 00037000 08:02 11004888                      
/lib64/libnspr4.so
3071e39000-3071e3c000 rw-p 3071e39000 00:00 0 
3072400000-3072541000 r-xp 00000000 08:02 11004893                      
/lib64/libnss3.so
3072541000-3072740000 ---p 00141000 08:02 11004893                      
/lib64/libnss3.so
3072740000-3072749000 rw-p 00140000 08:02 11004893                      
/lib64/libnss3.so
3072749000-307274a000 rw-p 3072749000 00:00 0 
3075800000-3075818000 r-xp 00000000 08:02 11004892                      
/lib64/libnssutil3.so
3075818000-3075a18000 ---p 00018000 08:02 11004892                      
/lib64/libnssutil3.so
3075a18000-3075a1d000 rw-p 00018000 08:02 11004892                      
/lib64/libnssutil3.so
34f0800000-34f080f000 r-xp 00000000 08:02 10971925                      
/lib64/libbz2.so.1.0.4
34f080f000-34f0a0e000 ---p 0000f000 08:02 10971925                      
/lib64/libbz2.so.1.0.4
34f0a0e000-34f0a10000 rw-p 0000e000 08:02 10971925                      
/lib64/libbz2.so.1.0.4
7f8748000000-7f8748021000 rw-p 7f8748000000 00:00 0 
7f8748021000-7f874c000000 ---p 7f8748021000 00:00 0 
7f874ccf0000-7f87518a1000 r--p 00000000 08:02 361150                    
/usr/lib/locale/locale-archive

Happened when signing a package.

Version-Release number of selected component (if applicable):

rpm-4.4.2.3-1.fc9.x86_64
glibc-2.8-1.x86_64

How reproducible:

Every time.
Comment 1 Bill Nottingham 2008-04-16 13:38:01 EDT
[Switching to Thread 0x7f44ba60a780 (LWP 8895)]
0x000000305fc32215 in raise (sig=<value optimized out>) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
64	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0x000000305fc32215 in raise (sig=<value optimized out>) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x000000305fc33d83 in abort () at abort.c:88
#2  0x000000305fc72858 in __libc_message (do_abort=<value optimized out>,
fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3  0x000000305fc78158 in malloc_printerr (action=<value optimized out>,
str=<value optimized out>, ptr=<value optimized out>) at malloc.c:5949
#4  0x000000305fc7a796 in __libc_free (mem=<value optimized out>) at malloc.c:3625
#5  0x000000305fc34ee8 in qsort_r (b=<value optimized out>, n=<value optimized
out>, s=<value optimized out>, cmp=<value optimized out>, arg=<value optimized out>)
    at msort.c:296
#6  0x0000003061c2b12f in headerSort (h=<value optimized out>) at header.c:266
#7  0x0000003061c2cd44 in doHeaderUnload (h=<value optimized out>,
lengthPtr=<value optimized out>) at header.c:859
#8  0x0000003061c2d7e1 in headerWrite (fd=<value optimized out>, h=<value
optimized out>, magicp=<value optimized out>) at header.c:1348
#9  0x0000003062446e09 in makeHDRSignature (sigh=<value optimized out>,
file=<value optimized out>, sigTag=<value optimized out>, passPhrase=<value
optimized out>)
    at ../rpmdb/hdrinline.h:220
#10 0x00000030624472fa in rpmAddSignature (sigh=<value optimized out>,
file=<value optimized out>, sigTag=<value optimized out>, passPhrase=<value
optimized out>)
    at signature.c:842
#11 0x000000306242e08b in rpmReSign (ts=<value optimized out>, qva=<value
optimized out>, argv=<value optimized out>) at rpmchecksig.c:329
#12 0x000000306242fbfd in rpmcliSign (ts=<value optimized out>, qva=<value
optimized out>, argv=<value optimized out>) at rpmchecksig.c:1079
#13 0x0000000000401f5e in main (argc=5, argv=<value optimized out>) at ./rpmqv.c:840
Comment 2 Bill Nottingham 2008-04-16 13:42:05 EDT
valgrind says:
Pass phrase is good.
gpg: WARNING: standard input reopened
==9094== 
==9094== Invalid read of size 4
==9094==    at 0x3061C2BC8B: regionSwab (header.c:563)
==9094==    by 0x3061C2CA3D: doHeaderUnload (header.c:777)
==9094==    by 0x3061C2D7E0: headerWrite (header.c:1348)
==9094==    by 0x3062446E08: makeHDRSignature (hdrinline.h:220)
==9094==    by 0x30624472F9: rpmAddSignature (signature.c:842)
==9094==    by 0x306242E08A: rpmReSign (rpmchecksig.c:329)
==9094==    by 0x306242FBFC: rpmcliSign (rpmchecksig.c:1079)
==9094==    by 0x401F5D: main (rpmqv.c:840)
==9094==  Address 0x508a648 is 0 bytes after a block of size 150,440 alloc'd
==9094==    at 0x4A0739E: malloc (vg_replace_malloc.c:207)
==9094==    by 0x3061C2C8B8: doHeaderUnload (header.c:704)
==9094==    by 0x3061C2D7E0: headerWrite (header.c:1348)
==9094==    by 0x3062446E08: makeHDRSignature (hdrinline.h:220)
==9094==    by 0x30624472F9: rpmAddSignature (signature.c:842)
==9094==    by 0x306242E08A: rpmReSign (rpmchecksig.c:329)
==9094==    by 0x306242FBFC: rpmcliSign (rpmchecksig.c:1079)
==9094==    by 0x401F5D: main (rpmqv.c:840)
==9094== 
==9094== Invalid write of size 4
==9094==    at 0x3061C2BC91: regionSwab (header.c:563)
==9094==    by 0x3061C2CA3D: doHeaderUnload (header.c:777)
==9094==    by 0x3061C2D7E0: headerWrite (header.c:1348)
==9094==    by 0x3062446E08: makeHDRSignature (hdrinline.h:220)
==9094==    by 0x30624472F9: rpmAddSignature (signature.c:842)
==9094==    by 0x306242E08A: rpmReSign (rpmchecksig.c:329)
==9094==    by 0x306242FBFC: rpmcliSign (rpmchecksig.c:1079)
==9094==    by 0x401F5D: main (rpmqv.c:840)
==9094==  Address 0x508a648 is 0 bytes after a block of size 150,440 alloc'd
==9094==    at 0x4A0739E: malloc (vg_replace_malloc.c:207)
==9094==    by 0x3061C2C8B8: doHeaderUnload (header.c:704)
==9094==    by 0x3061C2D7E0: headerWrite (header.c:1348)
==9094==    by 0x3062446E08: makeHDRSignature (hdrinline.h:220)
==9094==    by 0x30624472F9: rpmAddSignature (signature.c:842)
==9094==    by 0x306242E08A: rpmReSign (rpmchecksig.c:329)
==9094==    by 0x306242FBFC: rpmcliSign (rpmchecksig.c:1079)
==9094==    by 0x401F5D: main (rpmqv.c:840)
==9094== 
==9094== Invalid read of size 1
==9094==    at 0x3061C2A647: dataLength (header.c:415)
==9094==    by 0x3061C2BB3F: regionSwab (header.c:513)
==9094==    by 0x3061C2CA3D: doHeaderUnload (header.c:777)
==9094==    by 0x3061C2D7E0: headerWrite (header.c:1348)
==9094==    by 0x3062446E08: makeHDRSignature (hdrinline.h:220)
==9094==    by 0x30624472F9: rpmAddSignature (signature.c:842)
==9094==    by 0x306242E08A: rpmReSign (rpmchecksig.c:329)
==9094==    by 0x306242FBFC: rpmcliSign (rpmchecksig.c:1079)
==9094==    by 0x401F5D: main (rpmqv.c:840)
==9094==  Address 0x508ca84 is not stack'd, malloc'd or (recently) free'd
--9094-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--9094-- si_code=1;  Faulting address: 0xA6B1C158;  sp: 0x402E8BE50

valgrind: the 'impossible' happened:
   Killed by fatal signal
==9094==    at 0x3802421D: vgPlain_arena_malloc (m_mallocfree.c:206)
==9094==    by 0x38002A75: vgMemCheck_new_block (mc_malloc_wrappers.c:195)
==9094==    by 0x38002E74: vgMemCheck_malloc (mc_malloc_wrappers.c:226)
==9094==    by 0x38038051: vgPlain_scheduler (scheduler.c:1269)
==9094==    by 0x38048620: run_a_thread_NORETURN (syswrap-linux.c:89)

Comment 3 Bill Nottingham 2008-04-16 13:54:41 EDT
test rpm is at http://notting.fedorapeople.org/test.rpm
Comment 4 Kevin Kofler 2008-04-16 14:04:11 EDT
Looks like this package got corrupted by the build system file system issues. 
The way RPM reacts to it scares me though, looks like a potential security 
hole!
Comment 5 Panu Matilainen 2008-04-18 02:01:30 EDT
Yup, easily reproduced. The package is corrupted alright and other paths notice
something funny about it:
[pmatilai@localhost rpm-4.4.x]$ ./rpmk -Kvv /tmp/test.rpm 
D: Expected size:      1625030 = lead(96)+sigs(180)+pad(4)+data(1624750)
D:   Actual size:      1625030
error: /tmp/test.rpm: headerGetEntry failed
D: May free Score board((nil))

[pmatilai@localhost rpm-4.4.x]$ ./rpmq -qp /tmp/test.rpm 
warning: /tmp/test.rpm: Header SHA1 digest: NOKEY
konq-plugins-4.0.3-0.1.20080409svn.fc9.ppc
Comment 6 Panu Matilainen 2008-05-08 02:11:29 EDT
Fixed upstream.
Comment 7 Bug Zapper 2008-05-14 05:32:32 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 8 Panu Matilainen 2008-07-14 08:08:35 EDT
Fixed by the new rpm in rawhide, but deserves a fix in 4.4.x branch (and F8+9)
too...
Comment 9 Fedora Update System 2008-12-17 19:37:05 EST
rpm-4.4.2.3-3.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing-newkey update rpm'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-11390
Comment 10 Fedora Update System 2009-01-07 04:28:31 EST
rpm-4.4.2.3-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.