Bug 162037 - Crash when verifying a package that owns files in tmp dir
Summary: Crash when verifying a package that owns files in tmp dir
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm
Version: 4
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Paul Nasrat
QA Contact: Mike McLean
Duplicates: 173885 176543
Depends On:
Reported: 2005-06-29 12:07 UTC by Ville Skyttä
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-10-25 23:17:33 UTC

Attachments
Reproducer specfile (deleted)
2005-06-29 12:07 UTC, Ville Skyttä
Console output of the crash (deleted)
2005-06-29 12:08 UTC, Ville Skyttä
gdb backtrace (deleted)
2005-06-29 12:09 UTC, Ville Skyttä

Description Ville Skyttä 2005-06-29 12:07:16 UTC
When doing a "rpm -V" on an installed package that owns files in /tmp  
or /var/tmp, rpmv crashes.  This is rpm-4.4.1-21 on FC4. 
The crash also leaves rpmdb locked, and the usual rm /var/lib/rpm/__db* helps. 
This seems to be a pathological case, as it seems to happen only with /tmp  
and /var/tmp, but a crash is a crash...

Comment 1 Ville Skyttä 2005-06-29 12:07:17 UTC
Created attachment 116117 [details]
Reproducer specfile

Comment 2 Ville Skyttä 2005-06-29 12:08:33 UTC
Created attachment 116118 [details]
Console output of the crash

Comment 3 Ville Skyttä 2005-06-29 12:09:35 UTC
Created attachment 116120 [details]
gdb backtrace

Comment 4 Paul Nasrat 2005-06-29 12:24:15 UTC
Looks like the Fedora specific matchpathcon stuff, I'll investigate thanks.

Comment 5 Paul Nasrat 2005-06-29 12:27:57 UTC
Are you running with selinux, can you also do:

ls -lZ /tmp/crashme

Comment 6 Ville Skyttä 2005-06-29 13:09:42 UTC
Yep, selinux-policy-targeted-1.23.18-12 and enforcing. 
$ ls -lZ /tmp/crashme 
-rw-r--r--  root     root     root:object_r:tmp_t              /tmp/crashme 

Comment 7 Ville Skyttä 2005-06-29 13:14:33 UTC
I also see that I posted mismatching specfile (package "test4") and backtraces 
(from "rpm -V test"), that was the result of trying to minimize the case and 
losing track of the "generations" while at it.  Sorry about that.  Anyway, the 
attached specfile in comment 1 can still be used to reproduce the crash here. 

Comment 8 Paul Nasrat 2005-08-26 22:36:57 UTC
Thanks for reproducer and tracebacks, I have a patch that I'm testing; it will be in
rawhide 4.4.2-4.  This is in the fedora matchpathcon selinux impl, not in
upstream rpm, basically an unchecked path.

If you can test I'll try and get a fix to FC4.

Comment 9 Jeff Johnson 2005-08-27 04:23:53 UTC
Either there's still a segfault in strcmp, or con is never NULL:
diff -u rpm-4.4.2/lib/verify.c rpm-4.4.2/lib/verify.c
--- rpm-4.4.2/lib/verify.c      2005-07-21 16:47:11.000000000 -0400
+++ rpm-4.4.2/lib/verify.c      2005-08-26 12:23:35.000000000 -0400
@@ -138,8 +138,10 @@

            if (fcontext == NULL || strcmp(fcontext, con))
                *res |= RPMVERIFY_CONTEXTS;
-           freecon(con);
-            freecon(fcontext); 
+            if (con != NULL)
+               freecon(con);
+            if (fcontext != NULL)
+                freecon(fcontext); 


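Review bot: The unchanged context line `if (fcontext == NULL || strcmp(fcontext, con))` still passes `con` to strcmp() without a NULL check, so the added `if (con != NULL)` guard before freecon(con) comes after the only place in this hunk where a NULL `con` would be dereferenced. If `con` can be NULL here, extend the condition to something like `fcontext == NULL || con == NULL || strcmp(fcontext, con)`; if it cannot, the new guard on `con` is unnecessary and a comment saying why would help. The added lines also mix tab and space indentation, matching the inconsistency in the lines they replace; one style for the whole block would be cleaner.
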
Comment 10 Jeff Johnson 2005-08-27 04:29:01 UTC
The rpm-4.4.2-matchpathcon.patch patch breaks --without-selinux gratuitously, and *still*
does not use dlopen().

Comment 11 Ville Skyttä 2005-09-01 18:05:16 UTC
Thanks for looking into this.  But I don't have a Rawhide box to test with, 
and FWIW, I don't think this is necessarily serious enough a problem to 
warrant an FC4 erratum. 

Comment 12 Paul Nasrat 2005-09-22 18:03:19 UTC
Ville, tomorrow's rawhide rpm should work better.

Comment 13 Jeff Johnson 2005-10-25 23:17:33 UTC
This problem is presumably fixed.

Comment 14 Paul Nasrat 2006-03-29 22:09:54 UTC
*** Bug 176543 has been marked as a duplicate of this bug. ***

Comment 15 Paul Nasrat 2006-03-29 22:15:28 UTC
*** Bug 173885 has been marked as a duplicate of this bug. ***
