Bug 83315 - crash when reading package header on some badly formed files.
Summary: crash when reading package header on some badly formed files.
Keywords:
Status: CLOSED DUPLICATE of bug 83320
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: librpm404
Version: 8.0
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jeff Johnson
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2003-02-02 12:08 UTC by Fabrice Bellet
Modified: 2008-05-01 15:38 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-02-21 18:51:33 UTC



Description Fabrice Bellet 2003-02-02 12:08:01 UTC
Description of problem:

rpm2html crashes when reading the package header of some badly formed RPM
packages, using librpm404 (rpm-4.1 is safe, but I cannot use it to
reindex my whole rpm database on fr2.rpmfind.net, because there are
performance issues. The same amount of input rpm requires 4 hours of
processing with rpm-4.0.4, and 12 hours with the rpm-4.1 libs).

Version-Release number of selected component (if applicable):
Red Hat 8.0, librpm4.0.4

How reproducible:

When rpm2html parses badly formed RPM packages, for example in
ftp3.sourceforge.net/pub/sourceforge/celticlegend/celticlegends-0.11-beta.i386.rpm

The stack is:

rpm2html: indexing /var/ftp/linux/sourceforge
indexing SourceForge
Scanning directory /var/ftp/linux/sourceforge for RPMs
warning: Expected size:      1291231 = lead(96)+sigs(100)+pad(4)+data(1291031)
warning:   Actual size:      1294910

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 8192 (LWP 31269)]
0x4011eda2 in regionSwab (entry=0x8081e6c, il=33, dl=2010, pe=0x8083d48, 
    dataStart=0x8083f58 "", regionid=-800) at header.c:470
470                     *it = htons(*it);
(gdb) bt
#0  0x4011eda2 in regionSwab (entry=0x8081e6c, il=33, dl=2010, pe=0x8083d48, 
    dataStart=0x8083f58 "", regionid=-800) at header.c:470
#1  0x4011fc4e in headerLoad (uh=0x8083c30) at header.c:931
#2  0x401203a7 in headerRead (fd=0x80818c8, magicp=HEADER_MAGIC_YES)
    at header.c:1168
#3  0x40127aa3 in headerRead (fd=0x80818c8, magicp=HEADER_MAGIC_YES)
    at hdrinline.h:203
#4  0x401276c3 in readPackageHeaders (fd=0x80818c8, leadPtr=0xbffff230, 
    sigs=0xbffff22c, hdrPtr=0xbffff2c8) at package.c:182
#5  0x40127975 in rpmReadPackageHeader (fd=0x80818c8, hdrp=0xbffff2c8, 
    isSource=0xbffff2cc, major=0x0, minor=0x0) at package.c:266
#6  0x08059729 in rpmOpen (
    nameRpm=0x80808eb "celticlegends-0.11-beta.i386.rpm", dir=0x807be08, 
    tree=0x8080808) at rpmopen.c:1022
#7  0x08059bd3 in rpmOneDirScan (dir=0x807be08, tree=0x8080808)
    at rpmopen.c:1244
#8  0x08059b92 in rpmOneDirScan (dir=0x807be08, tree=0x807f740)
    at rpmopen.c:1271
#9  0x08059d37 in rpmDirScan (dir=0x807be08, tree=0x806c7e0) at rpmopen.c:1309
#10 0x0805a060 in rpmDirScanOneDir (directory=0x807be08 "P¼\a\b")
    at rpmopen.c:1446
#11 0x08055661 in main (argc=4, argv=0xbffff8b4) at rpm2html.c:180
#12 0x420158d4 in __libc_start_main () from /lib/i686/libc.so.6

(gdb) b rpmReadSignature
Breakpoint 1 at 0x4013a72c: file signature.c, line 160.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/bellet/cvs/rpm2html-rpm404/rpm2html -dir
/var/ftp/linux/sourceforge rpm2html-local.config
Breakpoint 1 at 0x8049938
Breakpoint 1 at 0x4013a72c: file signature.c, line 160.
[New Thread 8192 (LWP 31408)]
error: Unable to open /usr/local/lib/rpm/rpmrc for reading: No such file or
directory.
rpm2html: indexing /var/ftp/linux/sourceforge
indexing SourceForge
Scanning directory /var/ftp/linux/sourceforge for RPMs
[Switching to Thread 8192 (LWP 31408)]

Breakpoint 1, rpmReadSignature (fd=0x80818c8, headerp=0xbffff22c, 
    sig_type=RPMSIGTYPE_HEADERSIG) at signature.c:160
160         Header h = NULL;
(gdb) finish
Run till exit from #0  rpmReadSignature (fd=0x80818c8, headerp=0xbffff22c, 
    sig_type=RPMSIGTYPE_HEADERSIG) at signature.c:160
warning: Expected size:      1291231 = lead(96)+sigs(100)+pad(4)+data(1291031)
warning:   Actual size:      1294910
0x40127687 in readPackageHeaders (fd=0x80818c8, leadPtr=0xbffff230, 
    sigs=0xbffff22c, hdrPtr=0xbffff2c8) at package.c:179
179             rc = rpmReadSignature(fd, sigs, lead->signature_type);
Value returned is $1 = RPMRC_BADSIZE
(gdb) 

--> A possible patch is to exit from readPackageHeaders() when
rpmReadSignature() returns RPMRC_BADSIZE.

--- rpm-4.0.3/lib/package.c.bak Wed Jul 11 04:05:22 2001
+++ rpm-4.0.3/lib/package.c     Sun Nov 25 02:19:07 2001
@@ -135,7 +135,7 @@
     case 3:
     case 4:
        rc = rpmReadSignature(fd, sigs, lead->signature_type);
-       if (rc == RPMRC_FAIL)
+       if (rc == RPMRC_FAIL || rc == RPMRC_BADSIZE)
            return rc;
        *hdr = headerRead(fd, (lead->major >= 3)
                          ? HEADER_MAGIC_YES : HEADER_MAGIC_NO);
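
Review bot: The early return added to the `rc == RPMRC_FAIL` test in the `case 3:`/`case 4:` branch only covers packages whose size disagrees with the signature header. The backtrace above faults inside regionSwab() called from headerLoad(), so a file with a consistent size and a corrupt header index would still reach headerRead() and the same code. Treat this as a stopgap and also validate entry offsets and counts against dl in the header loader. Check as well that callers of readPackageHeaders() treat RPMRC_BADSIZE as a failure (they are not visible in this hunk). The diff headers name rpm-4.0.3 with the hunk at line 135, while the trace puts this call at package.c:179 in the library that crashed, so the patch needs rebasing before it is applied to 4.0.4.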

Comment 1 Jeff Johnson 2003-02-02 13:53:35 UTC
Avoiding segfaults when fed random data is (of course)
the entire reason why rpm-4.1 verifies signatures/digests
when reading headers. I'm almost certain that this segfault
is -- like most segfaults in rpm -- caused by bad data in
headers.

Returning RPMRC_BADSIZE is certainly doable, but is a little
trickier than above.

If rpm-4.1 "works" and performs equivalently to rpm-4.0.4 with
signature/digest checking disabled (it should), then I suggest
fixing the problem there, not in rpm-4.0.4.
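
An added example, not part of the bug report and not rpm's own code: a bounds check that a header loader could run over the index entries before any byte swapping such as the `htons` loop at header.c:470 in the backtrace. The struct and function names are hypothetical and the input in `main` is constructed; the entry layout and type numbers follow the RPM header format.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* On-disk index entry: four big-endian 32-bit fields (hypothetical name). */
struct idx_entry { uint32_t tag, type, offset, count; };

/* Size of one element for fixed-width RPM types, 0 for anything else. */
static size_t elem_size(uint32_t type)
{
    switch (type) {
    case 1: case 2: case 7: return 1;  /* CHAR, INT8, BIN */
    case 3: return 2;                  /* INT16 */
    case 4: return 4;                  /* INT32 */
    case 5: return 8;                  /* INT64 */
    default: return 0;
    }
}

/* Return 0 if every entry lies inside data[0..dl), -1 otherwise.
 * Read-only, so a rejected header is never left partly swabbed. */
int entries_in_bounds(const struct idx_entry *pe, uint32_t il,
                      const uint8_t *data, uint32_t dl)
{
    for (uint32_t i = 0; i < il; i++) {
        uint32_t type = ntohl(pe[i].type);
        uint32_t off = ntohl(pe[i].offset), cnt = ntohl(pe[i].count);
        size_t sz = elem_size(type);
        if (off > dl) return -1;
        if (sz) {                       /* fixed width: cnt * sz must fit */
            if (cnt > (dl - off) / sz) return -1;  /* no cnt*sz overflow */
        } else if (type == 6 || type == 8 || type == 9) {  /* string types */
            const uint8_t *p = data + off, *end = data + dl;
            while (cnt--) {             /* each string needs its NUL in range */
                const uint8_t *nul = memchr(p, 0, (size_t)(end - p));
                if (nul == NULL) return -1;
                p = nul + 1;
            }
        } else {
            return -1;                  /* NULL type or unknown type */
        }
    }
    return 0;
}

int main(void)
{
    uint8_t store[16] = {0};            /* constructed 16-byte data store */
    struct idx_entry bad = {htonl(1000), htonl(3), htonl(4), htonl(4096)};
    return entries_in_bounds(&bad, 1, store, sizeof store) == -1 ? 0 : 1;
}
```
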

Comment 2 Jeff Johnson 2003-02-02 13:55:26 UTC

*** This bug has been marked as a duplicate of 83320 ***

Comment 3 Red Hat Bugzilla 2006-02-21 18:51:33 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.

