Bug 13701 - file crashes with segmentation fault
Summary: file crashes with segmentation fault
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: 3
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Mageia Bug Squad
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on: 13667
Blocks:
  Show dependency treegraph
 
Reported: 2014-07-07 23:50 CEST by Zoltan Balaton
Modified: 2014-08-05 23:03 CEST (History)
1 user (show)

See Also:
Source RPM: file-5.12-8.5.mga3.src.rpm
CVE:
Status comment:

Attachments
rediffed version of the patch from the above comment that also applies (687 bytes, patch)
2014-07-09 17:12 CEST, Zoltan Balaton 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Description Zoltan Balaton 2014-07-07 23:50:30 CEST 
I've seen crashes of the file command with SIGSEGV when examining some files. See back traces below. I've also tested the same files on mga4 and with latest version from git but those do not crash so only mga3 is affected. Unfortunately I cannot give you the files to reproduce this. (May be related to #13667 but I don't think so reading the description of that bug.)

#0  0x00007ffff788cdac in free () from /lib64/libc.so.6
#1  0x00007ffff7bcc105 in mget (ms=ms@entry=0x6066b0, s=s@entry=0x7ffff7f5d010 "\312\376\272\276", m=m@entry=0x7ffff75f5ff8, nbytes=nbytes@entry=262144, o=o@entry=8, cont_level=cont_level@entry=1, mode=mode@entry=32, text=text@entry=0, flip=flip@entry=0, recursion_level=recursion_level@entry=2, returnval=returnval@entry=0x7fffffffdcac) at softmagic.c:1723
#2  0x00007ffff7bcd504 in match (ms=ms@entry=0x6066b0, magic=0x7ffff75f5178, nmagic=18, s=s@entry=0x7ffff7f5d010 "\312\376\272\276", nbytes=nbytes@entry=262144, offset=offset@entry=8, mode=mode@entry=32, text=text@entry=0, flip=flip@entry=0, recursion_level=recursion_level@entry=1, returnval=returnval@entry=0x7fffffffdcac) at softmagic.c:236
#3  0x00007ffff7bcbf5d in mget (ms=ms@entry=0x6066b0, s=s@entry=0x7ffff7f5d010 "\312\376\272\276", m=m@entry=0x7ffff7479170, nbytes=nbytes@entry=262144, o=o@entry=0, cont_level=cont_level@entry=3, mode=mode@entry=32, text=text@entry=0, flip=flip@entry=0, recursion_level=recursion_level@entry=1, returnval=returnval@entry=0x7fffffffdcac) at softmagic.c:1739
#4  0x00007ffff7bcd504 in match (ms=ms@entry=0x6066b0, magic=0x7ffff73b50e8, nmagic=9819, s=s@entry=0x7ffff7f5d010 "\312\376\272\276", nbytes=nbytes@entry=262144, offset=offset@entry=0, mode=mode@entry=32, text=text@entry=0, flip=flip@entry=0, recursion_level=recursion_level@entry=0, returnval=0x7fffffffdcac, returnval@entry=0x0) at softmagic.c:236
#5  0x00007ffff7bcbc31 in file_softmagic (ms=ms@entry=0x6066b0, buf=buf@entry=0x7ffff7f5d010 "\312\376\272\276", nbytes=nbytes@entry=262144, level=level@entry=0, mode=mode@entry=32, text=text@entry=0) at softmagic.c:76
#6  0x00007ffff7bd2ec0 in file_buffer (ms=ms@entry=0x6066b0, fd=fd@entry=7, inname=inname@entry=0x7fffffffe3eb "...", buf=buf@entry=0x7ffff7f5d010, nb=262144) at funcs.c:231
#7  0x00007ffff7bc591f in file_or_fd (ms=ms@entry=0x6066b0, inname=inname@entry=0x7fffffffe3eb "...", fd=7, fd@entry=0) at magic.c:424
#8  0x00007ffff7bc5c7c in magic_file (ms=ms@entry=0x6066b0, inname=inname@entry=0x7fffffffe3eb "...") at magic.c:335
#9  0x0000000000402098 in process (ms=ms@entry=0x6066b0, inname=<optimized out>, wid=wid@entry=11) at file.c:430
#10 0x0000000000401ab1 in main (argc=2, argv=0x7fffffffe088) at file.c:338


#0  0x00007ffff788964a in malloc_consolidate () from /lib64/libc.so.6
#1  0x00007ffff788a7ad in _int_malloc () from /lib64/libc.so.6
#2  0x00007ffff788d4ad in calloc () from /lib64/libc.so.6
#3  0x00007ffff78300ce in build_trtable () from /lib64/libc.so.6
#4  0x00007ffff78e2794 in re_search_internal () from /lib64/libc.so.6
#5  0x00007ffff78e33e5 in regexec@@GLIBC_2.3.4 () from /lib64/libc.so.6
#6  0x00007ffff7bcb60a in magiccheck (ms=ms@entry=0x6066b0, m=m@entry=0x7ffff75bf3a0) at softmagic.c:2017
#7  0x00007ffff7bcd3c6 in match (ms=ms@entry=0x6066b0, magic=0x7ffff73b50e8, nmagic=9819, s=s@entry=0x7ffff7f60010 "", nbytes=nbytes@entry=249856,  offset=offset@entry=0, mode=mode@entry=32, text=text@entry=0, flip=flip@entry=0, recursion_level=recursion_level@entry=1,  returnval=0x7fffffffdaac, returnval@entry=0x0) at softmagic.c:161
#8  0x00007ffff7bcbc31 in file_softmagic (ms=ms@entry=0x6066b0, buf=buf@entry=0x7ffff7f60010 "", nbytes=nbytes@entry=249856, level=level@entry=1, mode=mode@entry=32, text=text@entry=0) at softmagic.c:76
#9  0x00007ffff7bcc0e1 in mget (ms=ms@entry=0x6066b0, s=s@entry=0x7ffff7f5d010 "ER\b", m=m@entry=0x7ffff75620d8, nbytes=nbytes@entry=262144, o=o@entry=0, cont_level=cont_level@entry=2, mode=mode@entry=32, text=text@entry=0, flip=flip@entry=0, recursion_level=recursion_level@entry=1, returnval=returnval@entry=0x7fffffffdcac) at softmagic.c:1705
#10 0x00007ffff7bcd504 in match (ms=ms@entry=0x6066b0, magic=0x7ffff73b50e8, nmagic=9819, s=s@entry=0x7ffff7f5d010 "ER\b", nbytes=nbytes@entry=262144, offset=offset@entry=0, mode=mode@entry=32, text=text@entry=0, flip=flip@entry=0, recursion_level=recursion_level@entry=0, returnval=0x7fffffffdcac, returnval@entry=0x0) at softmagic.c:236
#11 0x00007ffff7bcbc31 in file_softmagic (ms=ms@entry=0x6066b0, buf=buf@entry=0x7ffff7f5d010 "ER\b", nbytes=nbytes@entry=262144, level=level@entry=0, mode=mode@entry=32, text=text@entry=0) at softmagic.c:76
#12 0x00007ffff7bd2ec0 in file_buffer (ms=ms@entry=0x6066b0, fd=fd@entry=7, inname=inname@entry=0x7fffffffe3e2 "...", buf=buf@entry=0x7ffff7f5d010, nb=262144) at funcs.c:231
#13 0x00007ffff7bc591f in file_or_fd (ms=ms@entry=0x6066b0, inname=inname@entry=0x7fffffffe3e2 "...", fd=7, fd@entry=0) at magic.c:424
#14 0x00007ffff7bc5c7c in magic_file (ms=ms@entry=0x6066b0, inname=inname@entry=0x7fffffffe3e2 "...") at magic.c:335
#15 0x0000000000402098 in process (ms=ms@entry=0x6066b0, inname=<optimized out>, wid=wid@entry=20) at file.c:430
#16 0x0000000000401ab1 in main (argc=2, argv=0x7fffffffe088) at file.c:338


Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-07-08 16:11:33 CEST 
Thanks for the report.  If you can find the commit between file 5.12 and file 5.16 that fixes this, please let us know.  (you can try browsing the git logs for an obvious candidate or do a git bisect)

CC: (none) => luigiwalser
Severity: critical => normal

Comment 2 Zoltan Balaton 2014-07-08 23:46:15 CEST 
I've tried to bisect it but 5.12 from git did not crash. (It gave an error though.) It must be one of the patches then so I've tried to apply them one by one. It looks like the first crash happens after file-5.12-leak_fix.patch. I've stopped there because I think it would be easier to upgrade this package to a newer version which does not have buggy patches (say the same version mga4 has) than trying to find what's wrong with the 21 patches we have now.
Comment 3 David Walser 2014-07-09 00:19:35 CEST 
Well there's only a few patches after leak_fix, and only one touches softmagic.c.

The leak_fix patch definitely does look incorrect (error in backporting).  I believe the correct version would be:
From c0c0032b9e9eb57b91fefef905a3b018bab492d9 Mon Sep 17 00:00:00 2001
From: Christos Zoulas <christos@zoulas.com>
Date: Fri, 21 Feb 2014 14:32:48 +0000
Subject: [PATCH] Fix memory leak (Anatol Belski)

---
 src/softmagic.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/softmagic.c b/src/softmagic.c
index 799e55c..170de95 100644
--- a/src/softmagic.c
+++ b/src/softmagic.c
@@ -1702,10 +1702,14 @@ mget(struct magic_set *ms, const unsigne
 			rbuf = ms->o.buf;
 			ms->o.buf = sbuf;
 			if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
-			    file_printf(ms, m->desc, offset) == -1)
+			    file_printf(ms, m->desc, offset) == -1) {
+				free(rbuf);
 				return -1;
-			if (file_printf(ms, "%s", rbuf) == -1)
+			}
+			if (file_printf(ms, "%s", rbuf) == -1) {
+				free(rbuf);
 				return -1;
+			}
 			free(rbuf);
 		} else
 			ms->o.buf = sbuf;
-- 
1.8.5.5


As for updating to a newer file version, given all the fun that caused in Cauldron during Mageia 4 development, that absolutely will not be happening.  So we'll just have to fix this.  I think the corrected patch I posted above should fix your first backtrace.  Can you confirm?  How about your second?
Comment 4 Zoltan Balaton 2014-07-09 17:12:04 CEST 
Created attachment 5274 [details]
rediffed version of the patch from the above comment that also applies

The patch did not apply as is but the attached rediffed version seems to fix the first crash. I could not reproduce the second one now either with or without the patch. (I don't have the exact file that caused the second crash any more.)
Comment 5 David Walser 2014-07-09 17:18:51 CEST 
(In reply to Zoltan Balaton from comment #4)
> Created attachment 5274 [details]
> rediffed version of the patch from the above comment that also applies
> 
> The patch did not apply as is but the attached rediffed version seems to fix
> the first crash. I could not reproduce the second one now either with or
> without the patch. (I don't have the exact file that caused the second crash
> any more.)

Yep, probably a spaces/tabs issue when trying to extract the patch from my comment.  Thanks again for the report!  This fix will be included in the next update.

Hardware: x86_64 => All
Depends on: (none) => 13667

Comment 6 Manuel Hiebel 2014-08-05 23:03:33 CEST 
pushed

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.