Bug 818049 - sys-apps/openrc-0.44.6: checkpath segfault: malloc(): invalid next size (unsorted)
Status: RESOLVED DUPLICATE of bug 816900
Product: Gentoo Hosted Projects
Classification: Unclassified
Component: OpenRC
Hardware: All Linux
Importance: Normal critical
Assignee: OpenRC Team
Reported: 2021-10-14 05:01 UTC by Robin Johnson
Modified: 2021-10-14 05:07 UTC



Description Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2021-10-14 05:01:14 UTC
Found one or maybe two crash bugs in checkpath, after an infra system rebooted. 
The original calls were from /etc/init.d/sks-db, part of net-misc/sks.

minimal reproduction case for crash 1:

rm -rf /var/lib/sks/PTree/
mkdir -p /var/lib/sks/PTree/
/lib64/rc/bin/checkpath  --file  /var/lib/sks/PTree/__db.001 /var/lib/sks/PTree/ptree

Crash output:
malloc(): invalid next size (unsorted)


possibly related crash 2:
# /lib64/rc/bin/checkpath   --file ${SKS_DIR}/*.log ${SKS_DIR}/KDB/* ${SKS_DIR}/PTree/*
checkpath: malloc.c:2539: sysmalloc: Assertion `(old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0)' failed.
Aborted

But I couldn't get a reproduction case for that second crash.
Two interesting files existed:
/var/lib/sks/KDB/* 
/var/lib/sks/PTree/*

Yes, with a '*' as the filename.
When I removed the files, the problem vanished. Recreating them did not reproduce the 2nd issue.

GDB backtrace follows:

gdb> bt full
#0  0x00007fbec7f1263e in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007fbec7efc536 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007fbec7f53c28 in __libc_message () from /lib64/libc.so.6
No symbol table info available.
#3  0x00007fbec7f5b63a in malloc_printerr () from /lib64/libc.so.6
No symbol table info available.
#4  0x00007fbec7f5ea5c in _int_malloc () from /lib64/libc.so.6
No symbol table info available.
#5  0x00007fbec7f60027 in malloc () from /lib64/libc.so.6
No symbol table info available.
#6  0x000055d89607a711 in xmalloc (size=0x1000) at ../openrc-0.44.6/src/includes/helpers.h:64
        value = 0x0
#7  0x000055d89607a999 in xasprintf (strp=0x7ffe0eaefe98, fmt=0x55d89607e34e "%s") at ../openrc-0.44.6/src/includes/helpers.h:149
        ap = {{
            gp_offset = 0x8,
            fp_offset = 0x30,
            overflow_arg_area = 0x7ffe0eaefe40,
            reg_save_area = 0x7ffe0eaefd80
          }}
        len = 0x1
        memlen = 0x1000
        ret = 0x2e00220000 <error: Cannot access memory at address 0x2e00220000>
#8  0x000055d89607b100 in do_check (path=0x55d896a5f7c0 "/var/lib/sks/PTree/ptree", uid=0x2710, gid=0x2710, mode=0x0, type=inode_file, trunc=0x0, chowner=0x0, symlinks=0x0, selinux_on=0x0) at ../openrc-0.44.6/src/rc/checkpath.c:204
        st = {
          st_dev = 0x0,
          st_ino = 0x0,
          st_nlink = 0x0,
          st_mode = 0x0,
          st_uid = 0x0,
          st_gid = 0x0,
          __pad0 = 0x0,
          st_rdev = 0x0,
          st_size = 0x0,
          st_blksize = 0x0,
          st_blocks = 0x0,
          st_atim = {
            tv_sec = 0x0,
            tv_nsec = 0x0
          },
          st_mtim = {
            tv_sec = 0x0,
            tv_nsec = 0x0
          },
          st_ctim = {
            tv_sec = 0x0,
            tv_nsec = 0x0
          },
          __glibc_reserved = {0x0, 0x0, 0x0}
        }
        name = 0x0
        dirfd = 0x0
        fd = 0x77
        flags = 0xa0941
        r = 0x7c
        readfd = 0x0
        readflags = 0xa0900
        u = 0x0
#9  0x000055d89607bd72 in main (argc=0x4, argv=0x7ffe0eaf00b8) at ../openrc-0.44.6/src/rc/checkpath.c:441
        opt = 0xffffffff
        uid = 0x2710
        gid = 0x2710
        mode = 0x0
        pw = 0x0
        gr = 0x0
        type = inode_file
        retval = 0x0
        trunc = 0x0
        chowner = 0x0
        symlinks = 0x0
        writable = 0x0
        selinux_on = 0x0
        path = 0x55d896a5f7c0 "/var/lib/sks/PTree/ptree"
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2021-10-14 05:07:45 UTC

*** This bug has been marked as a duplicate of bug 816900 ***