Bug 23813 - Crashes with Segmentation fault
Summary: Crashes with Segmentation fault
Status: CLOSED FIXED
Alias: None
Product: Sisyphus
Classification: Development
Component: rpm-build
Version: unstable
Hardware: x86 Linux
Importance: P3 normal
Assignee: placeholder@altlinux.org
QA Contact: qa-sisyphus
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-07-26 18:14 MSD by Ivan Fedorov
Modified: 2010-08-06 04:58 MSD
CC List: 7 users

See Also:


Attachments
minimal spec on which it crashes (163 bytes, application/octet-stream)
2010-07-26 18:14 MSD, Ivan Fedorov, no flags

Description Ivan Fedorov 2010-07-26 18:14:14 MSD
Created attachment 4466
minimal spec on which it crashes

$ rpm -bb segfault.spec 
Processing files: segfault-1.0-alt1
Segmentation fault
Comment 1 Andrey Rahmatullin 2010-07-26 18:43:35 MSD
Since I happen to have an rpm with debugging enabled on my system...

(gdb) bt
#0  0x4efa1f91 in strlen () from /lib/libc.so.6
#1  0xb7f703e3 in parseForSimple (spec=0x80763d0, pkg=0x8075108, buf=0xbfff8bec "%dir", fl=0xbfff7b0c, fileName=0xbfff8bd8) at files.c:893
#2  0xb7f737b7 in processPackageFiles (spec=0x80763d0, pkg=0x8075108, installSpecialDoc=4, test=0) at files.c:2013
#3  0xb7f76c26 in processBinaryFiles (spec=0x80763d0, installSpecialDoc=4, test=0) at files.c:3228
#4  0xb7f6cb0d in buildSpec (spec=0x80763d0, what=159, test=0) at build.c:340
#5  0x0804abcf in buildForTarget (arg=0xbffff213 "tmp/segfault.spec", ba=0x804e500, passPhrase=0x804c964 "", cookie=0x0) at build.c:311
#6  0x0804acbe in build (arg=0xbffff213 "tmp/segfault.spec", ba=0x804e500, passPhrase=0x804c964 "", cookie=0x0, rcfile=0x0) at build.c:336
#7  0x0804c112 in main (argc=3, argv=0xbffff004) at rpmqv.c:1038

(gdb) fr 1
#1  0xb7f703e3 in parseForSimple (spec=0x80763d0, pkg=0x8075108, buf=0xbfff8bec "%dir", fl=0xbfff7b0c, fileName=0xbfff8bd8) at files.c:893
893                 fl->docDirs[fl->docDirCount++] = xstrdup(s);
(gdb) p s
$1 = 0x0
(gdb) list
888                 if (fl->docDirCount == MAXDOCDIR) {
889                     rpmError(RPMERR_INTERNAL, _("Hit limit for %%docdir\n"));
890                     fl->processingFailed = 1;
891                     res = 1;
892                 }
893                 fl->docDirs[fl->docDirCount++] = xstrdup(s);
894                 if (strtokWithQuotes(NULL, " \t\n")) {
895                     rpmError(RPMERR_INTERNAL, _("Only one arg for %%docdir\n"));
896                     fl->processingFailed = 1;
897                     res = 1;

Not only does xstrdup not check its argument for NULL, passing it straight into strlen(3), but the code that checks the result of strtokWithQuotes sits right next to code that does not check it.
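As an added illustration (not rpm's code and not part of this bug report): a small C stand-in for the %docdir branch of parseForSimple that checks the tokenizer's result for NULL before duplicating it, which is the check missing at files.c:893 above. It uses strtok_r instead of rpm's strtokWithQuotes, and the struct, the function names and the value of MAXDOCDIR are assumptions. The sample lines are constructed; the bare "%docdir" line is the case where the trace shows s == 0x0.

```c
/* Added example, not rpm's code. Shows the NULL check that the crashing
 * %docdir branch lacked. Names and MAXDOCDIR value are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXDOCDIR 1024   /* rpm has its own limit of this name; value assumed */

/* Minimal stand-in for the part of rpm's file-list state used here. */
struct file_list {
    char *docDirs[MAXDOCDIR];
    int   docDirCount;
    int   processingFailed;
};

/* Behaves like the xstrdup() in the trace: aborts if malloc fails, but a
 * NULL argument goes straight into strlen() inside strdup(), i.e. crashes. */
static char *xstrdup_unchecked(const char *s)
{
    char *p = strdup(s);
    if (p == NULL)
        abort();
    return p;
}

/* Parse one "%docdir <dir>" line. Returns 0 on success, 1 on a malformed
 * line (processingFailed is set, as rpm does). The argument is checked for
 * NULL *before* it is duplicated. */
int parse_docdir_line(struct file_list *fl, const char *line)
{
    char *copy = xstrdup_unchecked(line);   /* caller never passes NULL here */
    char *save = NULL;
    int res = 0;

    /* First token must be the directive itself. */
    char *tok = strtok_r(copy, " \t\n", &save);
    if (tok == NULL || strcmp(tok, "%docdir") != 0) {
        free(copy);
        return 1;
    }

    /* Second token is the directory; strtok_r() returns NULL when absent. */
    char *s = strtok_r(NULL, " \t\n", &save);
    if (s == NULL) {
        fprintf(stderr, "Missing arg for %%docdir\n");
        fl->processingFailed = 1;
        free(copy);
        return 1;
    }

    if (fl->docDirCount == MAXDOCDIR) {
        fprintf(stderr, "Hit limit for %%docdir\n");
        fl->processingFailed = 1;
        free(copy);
        return 1;   /* stop here instead of writing past the array */
    }
    fl->docDirs[fl->docDirCount++] = xstrdup_unchecked(s);

    /* Any further token is an error, mirroring rpm's own check. */
    if (strtok_r(NULL, " \t\n", &save) != NULL) {
        fprintf(stderr, "Only one arg for %%docdir\n");
        fl->processingFailed = 1;
        res = 1;
    }
    free(copy);
    return res;
}

void free_file_list(struct file_list *fl)
{
    for (int i = 0; i < fl->docDirCount; i++)
        free(fl->docDirs[i]);
    fl->docDirCount = 0;
}

/* Parses one line into a fresh list and returns the number of stored
 * docdirs, or -1 if parsing failed. */
int docdir_count_after(const char *line)
{
    struct file_list fl = { {0}, 0, 0 };
    int rc = parse_docdir_line(&fl, line);
    int n = (rc == 0 && !fl.processingFailed) ? fl.docDirCount : -1;
    free_file_list(&fl);
    return n;
}

int main(void)
{
    /* Constructed sample lines, including a %docdir with no argument. */
    const char *lines[] = { "%docdir /usr/share/doc/foo", "%docdir", "%docdir a b" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-28s -> %d\n", lines[i], docdir_count_after(lines[i]));
    return 0;
}
```

The point is the order of operations: the tokenizer's return value is tested first, and only a non-NULL pointer reaches the duplicating call, so a bare "%docdir" is reported as a spec error rather than reaching strlen(NULL).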
Comment 2 Ivan Fedorov 2010-07-26 19:17:34 MSD
(In reply to comment #1)
> Since I happen to have an rpm with debugging enabled on my system...

How??? I couldn't find it in 15 minutes, even though ldv@ said it's "all simple" to enable... :(
Comment 3 Andrey Rahmatullin 2010-07-26 19:21:29 MSD
gear-hsh --build-args="--enable debug"
Comment 4 Repository Robot 2010-08-06 04:58:29 MSD
rpm-4.0.4-alt98.40 -> sisyphus:

* Thu Aug 05 2010 Alexey Tourbin <at@altlinux> 4.0.4-alt98.40
- build/files.c (parseForSimple): Fix potential NULL pointer dereference
  (Dmitry V. Levin, ALT#23813).
- depends.c (dbSatisfiesDepend): Use strdup for dbProvCache keys
  to avoid dangling pointers (ALT#23813).