Bug#670979: apt update segfaults



I have a cowbuilder chroot last updated (apparently) on Apr 19. apt-get
update reproducibly breaks there after downloading
2012-04-24-0810.46.pdiff.

This is its /var/lib/apt/lists/ before running apt-get update:

  209595 Apr 19 14:21 mirror.yandex.ru_debian_dists_sid_InRelease
28961833 Apr 19 14:16 mirror.yandex.ru_debian_dists_sid_main_binary-amd64_Packages
    7876 Apr 19 14:16 mirror.yandex.ru_debian_dists_sid_main_binary-amd64_Packages.IndexDiff
    2223 Apr 19 14:20 mirror.yandex.ru_debian_dists_sid_main_i18n_Index
19013689 Apr 19 14:04 mirror.yandex.ru_debian_dists_sid_main_i18n_Translation-en

It is available at http://wrar.name/temp/lists1.tar.xz (size about 9 Mb).

The chroot is available at http://wrar.name/temp/broken.cow.tar.xz (size about 50 Mb). It has apt and
libapt-pkg4.12 0.9.1 rebuilt with nostrip and zlib1g 1.2.6.dfsg-2 rebuilt
with noopt. It also has vim-nox, screen, gdb and valgrind installed.

How to reproduce: run gdb, apt-get update, attach to the rred process. It segfaults
after download #70. The full apt output can be seen at http://paste.debian.net/166926/

Program received signal SIGSEGV, Segmentation fault.
*__GI___libc_free (mem=0x24883b0) at malloc.c:3709
(gdb) bt
#0  *__GI___libc_free (mem=0x24883b0) at malloc.c:3709
#1  0x00007fc2f0672427 in zcfree (opaque=0x0, ptr=0x24883b0) at zutil.c:295
#2  0x00007fc2f066d953 in inflateEnd (strm=0x243eb08) at inflate.c:1265
#3  0x00007fc2f067439d in gzclose_r (file=0x243ea90) at gzread.c:574
#4  0x00007fc2f0672714 in gzclose (file=0x243ea90) at gzclose.c:21
#5  0x00007fc2f17fbdc6 in FileFd::Close (this=0x7fff4b79f410) at contrib/fileutl.cc:1604
#6  0x0000000000404041 in RredMethod::Fetch (this=0x7fff4b79f8d0, Itm=0x23f1840) at rred.cc:504
#7  0x00007fc2f183907d in pkgAcqMethod::Run (this=0x7fff4b79f8d0, Single=false) at acquire-method.cc:371
#8  0x0000000000402786 in main (argc=<optimized out>, argv=0x7fff4b79fa78) at rred.cc:564
(gdb) p *(char*)mem
Cannot access memory at address 0x24883b0
(gdb) fr 2
#2  0x00007fc2f066d953 in inflateEnd (strm=0x243eb08) at inflate.c:1265
(gdb) p state
$2 = (struct inflate_state *) 0x2404970
(gdb) p *state
$3 = {mode = DONE, last = 1, wrap = 2, havedict = 0, flags = 8, dmax =
32768, check = 2951344167, total = 78748, head = 0x0, wbits = 15, wsize =
32768, whave = 32768, wnext = 13479, window = 0x24883b0 <Address 0x24883b0
out of bounds>, hold = 0, bits = 0, length = 0, offset = 1389, extra = 9,
lencode = 0x2404ec0, distcode = 0x24056f0, lenbits = 9, distbits = 6,
ncode = 14, nlen = 275, ndist = 30, have = 305, next = 0x2405820, lens =
{<SKIPPED>}, work = {<SKIPPED>}, codes = {<SKIPPED>}, sane = 1, back = -1,
was = 4}
(gdb) p strm
$8 = (z_streamp) 0x243eb08
(gdb) p *strm
$9 = { next_in = 0x23f3459, avail_in = 0, total_in = 23049, next_out =
0x248839c <Address 0x248839c out of bounds>, avail_out = 0, total_out =
78748, msg = 0x0, state = 0x2404970, zalloc = 0x7fc2f06723e1 <zcalloc>,
zfree = 0x7fc2f067240b <zcfree>, opaque = 0x0, data_type = 64, adler =
2951344167, reserved = 3616724967606087745}
(gdb) fr 3
#3  0x00007fc2f067439d in gzclose_r (file=0x243ea90) at gzread.c:574
(gdb) p *state
$12 = {x = {have = 0, next = 0x2475000 <Address 0x2475000 out of bounds>,
pos = 78748}, mode = 7247, fd = 4, path = 0x23f0760 "<fd:4>", size = 8192,
want = 8192, in = 0x23f1a50, out = 0x23f3a60, direct = 0, how = 0, start =
0, eof = 1, past = 0, level = -1, strategy = 0, skip = 256, seek = 0, err
= 0, msg = 0x0, strm = { next_in = 0x23f3459, avail_in = 0, total_in =
23049, next_out = 0x248839c <Address 0x248839c out of bounds>, avail_out =
0, total_out = 78748, msg = 0x0, state = 0x2404970, zalloc =
0x7fc2f06723e1 <zcalloc>, zfree = 0x7fc2f067240b <zcfree>, opaque = 0x0,
data_type = 64, adler = 2951344167, reserved = 3616724967606087745}}
(gdb) fr 5
#5  0x00007fc2f17fbdc6 in FileFd::Close (this=0x7fff4b79f410) at
contrib/fileutl.cc:1604
(gdb) p this
$13 = (FileFd * const) 0x7fff4b79f410
(gdb) p *this
$14 = {_vptr.FileFd = 0x6075f0, iFd = 4, Flags = 33, FileName = <C++ness skipped>
"/var/lib/apt/lists/mirror.yandex.ru_debian_dists_sid_main_binary-amd64_Packages.ed",
TemporaryFileName = <C++ness skipped> "", d = 0x243ea00}
(gdb) p this->d
$15 = (FileFdPrivate *) 0x243ea00
(gdb) p *this->d
$16 = {gz = 0x243ea90, bz2 = 0x0, compressed_fd = -1, compressor_pid = -1, pipe
= false, compressor = {Name = <C++ness skipped> "gzip", Extension = <C++ness
skipped> ".gz", Binary = <C++ness skipped> "gzip", CompressArgs = <C++ness skipped>
[], UncompressArgs = <C++ness skipped> [], Cost = 2}, openmode = 1, seekpos = 78748}


This is /var/lib/apt/lists/ at this point:
  209595 May  2 08:22 mirror.yandex.ru_debian_dists_sid_InRelease
29004573 Apr 23 14:13 mirror.yandex.ru_debian_dists_sid_main_binary-amd64_Packages
    7876 May  2 08:17 mirror.yandex.ru_debian_dists_sid_main_binary-amd64_Packages.IndexDiff
   23049 Apr 23 20:14 mirror.yandex.ru_debian_dists_sid_main_binary-amd64_Packages.ed
    2223 Apr 19 14:20 mirror.yandex.ru_debian_dists_sid_main_i18n_Index
19037740 Apr 24 02:14 mirror.yandex.ru_debian_dists_sid_main_i18n_Translation-en
    7876 May  2 08:17 mirror.yandex.ru_debian_dists_sid_main_i18n_Translation-en.IndexDiff
     214 Apr 24 08:13 mirror.yandex.ru_debian_dists_sid_main_i18n_Translation-en.ed

And /var/lib/apt/lists/partial:
29042561 May  2 08:07 mirror.yandex.ru_debian_dists_sid_main_binary-amd64_Packages.diff_2012-04-23-2011.25.3cJzsH

It is available at http://wrar.name/temp/lists2.tar.xz (size about 15 Mb). Here
mirror.yandex.ru_debian_dists_sid_main_binary-amd64_Packages.ed ==
sid/main/binary-amd64/Packages.diff/2012-04-23-2011.25.gz

So the problem is caused by trying to free(3) Patch.d->gz->strm->state->window,
which for the aforementioned file contains garbage, or at least already freed
data, for some reason.


I've tried to replace rred with a shell wrapper that runs it under valgrind, but
then update not only runs without problems, valgrind doesn't even report any
problems. I've also tried -o Debug::pkgAcquire::RRed=true, but it doesn't
segfault either.

-- 
WBR, wRAR
