Bug 1359498 - supermin segfaults in strlen if RPMs are being installed at the same time
Summary: supermin segfaults in strlen if RPMs are being installed at the same time
Status: NEW
Alias: None
Product: Virtualization Tools
Classification: Community
Component: supermin
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Richard W.M. Jones
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2016-07-24 10:44 UTC by Richard W.M. Jones
Modified: 2016-07-24 19:25 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:


Description Richard W.M. Jones 2016-07-24 10:44:23 UTC
Description of problem:

I observed supermin segfaulting.  At about the same time, I was
installing RPMs using the 'dnf' command.

The only information I have so far is that the crash seems to have
happened in strlen, possibly when calling strlen(NULL).

[6894014.038561] supermin[25953]: segfault at 1 ip 00007f00942e6516 sp 00007ffdb0c14ef8 error 4 in[7f009425b000+1bd000]

$ addr2line -e /lib64/ 8B516
        /* Test first 16 bytes unaligned.  */
        movdqu  (%rax), %xmm4   <--- segfault here

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:

Unknown so far, but possibly running 'supermin --build' at the same time
as installing packages with 'dnf'.

Comment 1 Richard W.M. Jones 2016-07-24 19:25:21 UTC
I reproduced this by creating a Fedora 24 VM.  In one shell I did:

$ pkgs="util-linux libblkid libuuid libfdisk libmount libsmartcols"
$ while true; do sudo dnf -y update $pkgs; sudo dnf -y downgrade $pkgs; done

In another I did:

$ while ./src/supermin --build -o /tmp/appliance.d -f ext2 /usr/lib64/guestfs/supermin.d; do : ; done

I very quickly found the same problem:

supermin: rpm: lib: error: rpmdb: damaged header #772 retrieved -- skipping.
Segmentation fault (core dumped)

Program terminated with signal SIGSEGV, Segmentation fault.
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
106		movdqu	(%rax), %xmm4
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00007ff3019e5cb8 in indexGet (dbi=0x27c7390, 
    keyp=keyp@entry=0x1 <error: Cannot access memory at address 0x1>, 
    keylen=keylen@entry=0, set=set@entry=0x7fff430e7fe8) at rpmdb.c:232
#2  0x00007ff3019e85f8 in indexGet (set=0x7fff430e7fe8, keylen=0, 
    keyp=0x1 <error: Cannot access memory at address 0x1>, dbi=<optimized out>)
    at rpmdb.c:227
#3  indexIterInit (keylen=0, keyp=0x1, rpmtag=1000, db=0x2798d20)
    at rpmdb.c:1811
#4  rpmdbInitIterator (db=0x2798d20, rpmtag=rpmtag@entry=1000, 
    keyp=keyp@entry=0x1, keylen=keylen@entry=0) at rpmdb.c:1844
#5  0x00007ff301a11c6d in rpmtsInitIterator (ts=0x26376c0, rpmtag=1000, 
    keyp=0x1, keylen=0) at rpmts.c:230
#6  0x0000000000457a5d in supermin_rpm_installed (rpmv=140681626775456, pkgv=1)
    at librpm-c.c:200
#7  0x0000000000411977 in camlRpm__query_1242 ()
#8  0x00000000004128cf in camlRpm__rpm_package_of_string_1240 ()
#9  0x00000000004119c9 in camlRpm__fun_1584 ()
#10 0x000000000042617d in camlList__find_1202 ()
#11 0x0000000000412b65 in camlRpm__fun_1576 ()
#12 0x00000000004118fe in camlRpm__fun_1592 ()
#13 0x0000000000425703 in camlArray__fold_left_1093 ()
#14 0x0000000000412e5b in camlRpm__rpm_get_all_requires_1280 ()
#15 0x000000000040bc94 in camlBuild__build_1060 ()
#16 0x0000000000409dce in camlSupermin__main_1045 ()
#17 0x000000000040a238 in camlSupermin__entry ()
#18 0x0000000000405e79 in caml_program ()
#19 0x000000000047260e in caml_start_program ()
#20 0x00007ff301e594a1 in initialize_ext2_error_table_r (list=<optimized out>)
    at ext2_err.c:200
#21 0xcbf06bbb04544500 in ?? ()
#22 0x0000000000000002 in ?? ()
#23 0x0000000000000000 in ?? ()
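Added triage helper, not part of the bug report or of supermin: it parses the kernel segfault line quoted in the description and derives the file offset (ip minus mapping base) that the reporter fed to addr2line, decodes the x86 page-fault error code, and exposes the faulting address, which here equals the keyp=0x1 argument visible in the backtrace. The sample line is a constructed copy of the one on the page (the object name after "in" is missing there too); the error-code bit layout is assumed to be x86-64.

```python
import re
from dataclasses import dataclass

# Constructed copy of the dmesg line quoted in the bug report; the object
# name after "in" was lost on the page, so that field parses as empty.
SAMPLE = ("[6894014.038561] supermin[25953]: segfault at 1 ip 00007f00942e6516 "
          "sp 00007ffdb0c14ef8 error 4 in[7f009425b000+1bd000]")

LINE_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in ?(?P<obj>[^\s\[]*)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]")

# x86 page-fault error code bits as the kernel prints them (assumed x86-64).
PF_PROT, PF_WRITE, PF_USER = 1, 2, 4


@dataclass
class Segfault:
    comm: str
    pid: int
    addr: int
    ip: int
    err: int
    obj: str
    base: int
    size: int

    @property
    def offset(self) -> int:
        # Offset of the faulting instruction inside the mapped object: the
        # value to hand to addr2line/objdump against the unrelocated file.
        return self.ip - self.base

    @property
    def in_mapping(self) -> bool:
        return 0 <= self.offset < self.size

    def describe(self) -> str:
        access = "write" if self.err & PF_WRITE else "read"
        mode = "user" if self.err & PF_USER else "kernel"
        page = "protection violation" if self.err & PF_PROT else "non-present page"
        return f"{mode}-mode {access} of a {page} at {self.addr:#x}"


def parse_segfault(line: str) -> Segfault:
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not a kernel segfault line")
    return Segfault(m["comm"], int(m["pid"]), int(m["addr"], 16), int(m["ip"], 16),
                    int(m["err"]), m["obj"], int(m["base"], 16), int(m["size"], 16))


if __name__ == "__main__":
    s = parse_segfault(SAMPLE)
    print(s.describe(), f"offset={s.offset:#x}", f"in_mapping={s.in_mapping}")
```

The computed offset 0x8b516 is the number used in the addr2line invocation above, and the decoded fault (a user-mode read at address 0x1) matches the keyp=0x1 passed down from frame #6 in the backtrace.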
