[Bug 1213277] New: rpm crashes when passed invalid file
https://bugzilla.suse.com/show_bug.cgi?id=1213277

            Bug ID: 1213277
           Summary: rpm crashes when passed invalid file
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
          Assignee: mls@suse.com
          Reporter: jslaby@suse.com
        QA Contact: qa-bugs@suse.de
  Target Milestone: ---
          Found By: ---
           Blocker: ---

Created attachment 868175
  --> https://bugzilla.suse.com/attachment.cgi?id=868175&action=edit
_buildenv

Run rpm with the attached file:

# rpm -Fvh _buildenv
Program received signal SIGSEGV, Segmentation fault.

I did rpm -Fvh * in a directory created by "osc getbinaries". I know I should've used *.rpm, but rpm should not crash when passed bad files.

It looks like it recurses in glob() to death:
#0  0x00007ffff7f0d934 in glob (pattern=pattern@entry=0x7fffff81ce80 "didnt move in 1.5h (seen in libreoffice builds) BuildFlags: logidlelimit:5400 %endif %if "%_project" == "openSUSE:Factory" || "%_project" == "openSUSE:Factory:NonFre"..., flags=flags@entry=5152, pglob=pglob@entry=0x7fffffffb5d0, errfunc=0x0) at /usr/src/debug/rpm-4.18.0/rpmio/rpmglob.c:165
#1  0x00007ffff7f0e2fc in glob (pattern=pattern@entry=0x7fffff83f090 "didnt move in 1.5h (seen in libreoffice builds) BuildFlags: logidlelimit:5400 %endif %if "%_project" == "openSUSE:Factory" || "%_project" == "openSUSE:Factory:NonFre"..., flags=flags@entry=5152, pglob=pglob@entry=0x7fffffffb5d0, errfunc=0x0) at /usr/src/debug/rpm-4.18.0/rpmio/rpmglob.c:213
#2  0x00007ffff7f0e2fc in glob (pattern=pattern@entry=0x7fffff8612a0 "didnt move in 1.5h (seen in libreoffice builds) BuildFlags: logidlelimit:5400 %endif %if "%_project" == "openSUSE:Factory" || "%_project" == "openSUSE:Factory:NonFre"..., flags=flags@entry=5152, pglob=pglob@entry=0x7fffffffb5d0, errfunc=0x0) at /usr/src/debug/rpm-4.18.0/rpmio/rpmglob.c:213
...
#58 0x00007ffff7f0e2fc in glob (pattern=pattern@entry=0x7ffffffd92d0 "didnt move in 1.5h (seen in libreoffice builds) BuildFlags: logidlelimit:5400 %endif %if "%_project" == "openSUSE:Factory" || "%_project" == "openSUSE:Factory:NonFre"..., flags=flags@entry=5152, pglob=pglob@entry=0x7fffffffb5d0, errfunc=0x0) at /usr/src/debug/rpm-4.18.0/rpmio/rpmglob.c:213
#59 0x00007ffff7f0e2fc in glob (pattern=0x7ffff7596fc4 "didnt move in 1.5h (seen in libreoffice builds) BuildFlags: logidlelimit:5400 %endif %if "%_project" == "openSUSE:Factory" || "%_project" == "openSUSE:Factory:NonFre"..., flags=flags@entry=5120, pglob=pglob@entry=0x7fffffffb5d0, errfunc=0x0) at /usr/src/debug/rpm-4.18.0/rpmio/rpmglob.c:213
#60 0x00007ffff7f0f073 in rpmGlob (patterns=patterns@entry=0x7ffff75dd010 "<buildinfo project=\"graphics:gimp:master\" repository=\"openSUSE_Tumbleweed\" package=\"maxflow\"> <arch>x86_64</arch> <srcmd5>59b2ebc06df29ffc1e28e301625e9be2</srcmd5> <verifymd5>59b2ebc06df29ffc1e28e3016"..., argcPtr=argcPtr@entry=0x7fffffffb73c, argvPtr=argvPtr@entry=0x7fffffffb740) at /usr/src/debug/rpm-4.18.0/rpmio/rpmglob.c:864
#61 0x00007ffff7f4b45a in rpmReadPackageManifest (fd=<optimized out>, argcPtr=0x5555555728e8, argvPtr=0x5555555728f0) at /usr/src/debug/rpm-4.18.0/lib/manifest.c:121
#62 0x00007ffff7f667b3 in tryReadManifest (eiu=0x5555555728b0) at /usr/src/debug/rpm-4.18.0/lib/rpminstall.c:333
#63 rpmInstall (ts=ts@entry=0x555555571b30, ia=<optimized out>, fileArgv=<optimized out>) at /usr/src/debug/rpm-4.18.0/lib/rpminstall.c:565
#64 0x00005555555567e1 in main (argc=3, argv=<optimized out>) at /usr/src/debug/rpm-4.18.0/rpm.c:274

-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1213277#c1

Michael Schröder <mls@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #1 from Michael Schröder <mls@suse.com> ---
The manifest reading code in rpm-4.18 is a bit... peculiar. It works by joining all the lines into one string and then splitting them again via a call to popt. Popt knows about quoting, so the single quote of the "didn't" is matched against the next single quote, resulting in a quite long string.

This string is then fed into rpm's internal glob implementation, which is a very outdated copy from the glibc implementation. This code then tries to expand any {} constructs, leading to quite a bit of recursion. Plus, the patterns are using stack space via "char onealt[strlen(pattern) - 1];". So it's not surprising that this runs into the stack limit.

All this already has been fixed in rpm-upstream, so the upcoming rpm update for Factory will no longer run into this. And as this is not a security problem I will not try to backport the (quite big) changeset.
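As a defensive illustration of the mechanism described in comment #1 (one recursion level per {...} group, a VLA of strlen(pattern)-1 bytes per level: the pattern addresses of adjacent frames in the backtrace above are 0x22210 bytes, about 137 KiB, apart, so 60 levels is roughly the 8 MiB default stack), here is a pre-check that rejects unbalanced or oversized patterns before they reach such a glob(). This is an added example, not code from rpm or from the bug thread; the function names, the limits and the constructed sample input are assumptions.

```c
/* Added example, not rpm's code: pre-check a glob pattern so that a
 * brace-expanding glob() (rpmglob.c style: one recursion level per {...}
 * group, a VLA of strlen(pattern)-1 bytes per level) stays within budget.
 * Limits are assumptions supplied by the caller. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Count unescaped '{' in pattern: an upper bound on glob() recursion depth.
 * *balanced becomes false on a stray '}' or on a group left open. */
size_t brace_groups(const char *pattern, bool *balanced)
{
    size_t open = 0, groups = 0;
    *balanced = true;
    for (const char *p = pattern; *p; p++) {
        if (*p == '\\' && p[1]) { p++; continue; }       /* skip escaped byte */
        if (*p == '{') { open++; groups++; }
        else if (*p == '}') {
            if (open == 0) *balanced = false; else open--;
        }
    }
    if (open != 0) *balanced = false;
    return groups;
}

/* Accept pattern only if it is balanced, has at most max_groups brace groups
 * and the stack its expansion would need fits in stack_budget bytes. */
bool glob_pattern_within_budget(const char *pattern, size_t max_groups,
                                size_t stack_budget)
{
    bool balanced;
    size_t len = strlen(pattern);
    size_t groups = brace_groups(pattern, &balanced);
    if (!balanced || groups > max_groups) return false;
    /* one VLA copy of len-1 bytes per recursion level */
    return len < 2 || groups * (len - 1) <= stack_budget;
}

/* Constructed sample: `groups` "%{m}" macros, each after `filler` bytes of text. */
size_t build_sample(char *buf, size_t bufsz, size_t groups, size_t filler)
{
    size_t n = 0;
    while (groups-- && n + filler + 5 <= bufsz) {
        memset(buf + n, 'x', filler); n += filler;
        memcpy(buf + n, "%{m}", 4); n += 4;
    }
    buf[n] = '\0';
    return n;
}
```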
https://bugzilla.suse.com/show_bug.cgi?id=1213277#c2

Jan Engelhardt <jengelh@inai.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jengelh@inai.de

--- Comment #2 from Jan Engelhardt <jengelh@inai.de> ---
https://github.com/rpm-software-management/rpm/issues/2605
https://github.com/rpm-software-management/rpm/commit/66fa46c006bae0f28d9323...