PR#17: Fix segfault in rpm2extents where headerFree() crashes trying to free uninitialized header value in process_package() if it exits early. - rpms/rpm

rpms / rpm

#17 Fix segfault in rpm2extents where headerFree() crashes trying to free uninitialized header value in process_package() if it exits early.

Merged 4 months ago by dcavalca. Opened 4 months ago by michal-grzedzicki.

rpms/ michal-grzedzicki/rpm c9s-sig-hyperscale into c9s-sig-hyperscale

Fix segfault in rpm2extents where headerFree() crashes trying to free uninitialized header value in process_package() if it exits early.

Michal Grzedzicki • 4 months ago

58b5f2

0035-rpmcow-fix-segfault-in-rpm2extents.patch

file added

+11

		`@@ -0,0 +1,11 @@`
		`+ --- a/rpm2extents.c 2024-07-03 07:13:36.195332381 -0700`
		`+ +++ b/rpm2extents.c 2024-07-03 07:13:43.606553540 -0700`
		`+ @@ -269,7 +269,7 @@`
		`+`
		`+ FD_t fdo;`
		`+ FD_t gzdi;`
		`+ - Header h, sigh;`
		`+ + Header h=NULL, sigh=NULL;`
		`+ long fundamental_block_size = sysconf(_SC_PAGESIZE);`
		`+ rpmRC rc = RPMRC_OK;`
		`+ rpm_mode_t mode;`

rpm.spec

file modified

+5 -1

		`@@ -42,7 +42,7 @@`

		`%global rpmver 4.16.1.3`
		`#global snapver rc1`
		`- %global rel 25.1`
		`+ %global rel 25.2`
		`%global sover 9`

		`%global srcver %{rpmver}%{?snapver:-%{snapver}}`
		`@@ -195,6 +195,7 @@`
		`Patch9932: 0032-rpmcow-workaround.patch`
		`Patch9933: 0033-rpmcow-fix-stack-overflow-in-rpm2extents.patch`
		`Patch9934: 0034-rpmcow-fix-issue-for-transaction-with-transcoded-and-untranscoded-packages.patch`
		`+ Patch9935: 0035-rpmcow-fix-segfault-in-rpm2extents.patch`
		`Provides: rpm(pr1470)`
		`Provides: rpm(pr1470_1)`

		`@@ -794,6 +795,9 @@`
		`%doc doc/librpm/html/*`

		`%changelog`
		`+ * Wed Jul 3 2024 Michal Grzedzicki <mge@meta.com> - 4.16.1.3-25.2`
		`+ - Fix segfault in rpm2extents`
		`+`
		`* Thu Aug 17 2023 Richard Phibel <richardphibel@meta.com> - 4.16.1.3-25.1`
		`- Merge upstream changes for Hyperscale`

michal-grzedzicki commented 4 months ago

On empty input h and sigh variables remain uninitialised and headerFree() crashes trying to free those values in process_package().

# rpm2extents SHA256 < /dev/null
error: [pipe:[74144223]]: read failed: Illegal seek (29)

warning: Error verifying package signatures:

# dmesg
[70597.229393] rpm2extents[2799146]: segfault at 40000000224 ip 00007fb9b3a0f114 sp 00007ffc7718da00 error 4 in librpm.so.9.1.3[7fb9b3a08000+4e000] likely on CPU 22 (core 26, socket 0)
[70597.239389] Code: 74 04 83 47 24 01 c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 48 85 ff 0f 84 bb 00 00 00 41 54 49 89 fc 55 53 <8b> 47 24 83 e8 01 89 47 24 85 c0 0f 8f 95 00 00 00 48 8b 6f 08 48