Recent versions of rpmbuild have a small chance of crashing with a double-free.
Typical crash:
```
Wrote: /__w/courier-libs/courier-libs/courier-authlib/rpm/RPMS/x86_64/courier-authlib-userdb-debuginfo-0.72.0.20231223-101.fc39.x86_64.rpm
Wrote: /__w/courier-libs/courier-libs/courier-authlib/rpm/RPMS/x86_64/courier-authlib-devel-0.72.0.20231223-101.fc39.x86_64.rpm
double free or corruption (fasttop)
```
I was able to extract a backtrace:
```
#7  0x00007f05dd8b93de in __GI___libc_free (mem=0x7f05500df0e0)
    at malloc.c:3391
#8  0x00007f05dda984ec in rpmugUid (thisUname=0x563c250203a4 "daemon", 
    uid=0x7f05cbbf790c)
    at /usr/src/debug/rpm-4.19.0-1.fc39.x86_64/lib/rpmug.c:148
#9  0x00007f05dda84255 in rpmfilesStat (fi=0x563c250b57f0, ix=3, 
    flags=flags@entry=0, sb=sb@entry=0x7f05cbbf78f0)
    at /usr/src/debug/rpm-4.19.0-1.fc39.x86_64/lib/rpmfi.c:824
#10 0x00007f05dda8438f in rpmfiStat (fi=fi@entry=0x7f04d0057420, 
    flags=flags@entry=0, sb=sb@entry=0x7f05cbbf78f0)
    at /usr/src/debug/rpm-4.19.0-1.fc39.x86_64/lib/rpmfi.c:1992
#11 0x00007f05dda84444 in rpmfiArchiveWriteHeader (fi=fi@entry=0x7f04d0057420)
    at /usr/src/debug/rpm-4.19.0-1.fc39.x86_64/lib/rpmfi.c:2078
#12 0x00007f05dda871c9 in iterWriteArchiveNextFile (fi=0x7f04d0057420)
    at /usr/src/debug/rpm-4.19.0-1.fc39.x86_64/lib/rpmfi.c:2158
#13 iterWriteArchiveNext (fi=0x7f04d0057420)
    at /usr/src/debug/rpm-4.19.0-1.fc39.x86_64/lib/rpmfi.c:2171
#14 0x00007f05dda811ce in rpmfiNext (fi=<optimized out>)
    at /usr/src/debug/rpm-4.19.0-1.fc39.x86_64/lib/rpmfi.c:873
#15 rpmfiNext (fi=fi@entry=0x7f04d0057420)
    at /usr/src/debug/rpm-4.19.0-1.fc39.x86_64/lib/rpmfi.c:868
#16 0x00007f05ddad660c in rpmPackageFilesArchive (isSrc=<optimized out>, 
    failedFile=<synthetic pointer>, archiveSize=<synthetic pointer>, 
    dpaths=0x563c2467b490, cfd=0x7f04d00574f0, fi=<optimized out>)
    at /usr/src/debug/rpm-4.19.0-1.fc39.x86_64/build/pack.c:32
#17 cpio_doio (pldig=0x7f05cbbf7aa8, archiveSize=<synthetic pointer>, 
    pld_algo=<optimized out>, fmodeMacro=0x7f04d0774090 "w19.zstdio", 
    pkg=0x563c244154e0, fdo=0x7f04d0061f00)
    at /usr/src/debug/rpm-4.19.0-1.fc39.x86_64/build/pack.c:86
#18 writeRPM (pkg=0x563c244154e0, pkgidp=0x0, 
    fileName=0x7f04d0774010 "/home/mrsam/src/courier.git/courier-authlib/rpm/RPMS/x86_64/courier-authlib-ldap-0.72.0-114.fc39.x86_64.rpm", 
    cookie=<optimized out>, buildTime=<optimized out>, 
    buildHost=<optimized out>)
    at /usr/src/debug/rpm-4.19.0-1.fc39.x86_64/build/pack.c:523
#19 0x00007f05ddadbdfb in packageBinaries._omp_fn.1 ()
    at /usr/src/debug/rpm-4.19.0-1.fc39.x86_64/build/pack.c:721
#20 0x00007f05dd6aa759 in gomp_barrier_handle_tasks (state=state@entry=272)
    at ../../../libgomp/task.c:1650
#21 0x00007f05dd6b39e0 in gomp_team_barrier_wait_end (bar=0x563c245c3780, 
    state=272) at ../../../libgomp/config/linux/bar.c:116
#22 0x00007f05dd6b0d7e in gomp_thread_start (xdata=<optimized out>)
    at ../../../libgomp/team.c:129
#23 0x00007f05dd8a8897 in start_thread (arg=<optimized out>)
    at pthread_create.c:444
#24 0x00007f05dd92f6fc in clone3 ()
```
I believe that the ball starts rolling in the
```
#pragma omp parallel
```
in `packageBinaries`, see stack frame #19.

It keeps rolling downhill into rpmug.c (stack frame #8), which is very, very 
much thread-unsafe. Boom.

All usage of `static` variables in `rpmug.c` is thread-unsafe.

It should be possible to reliably reproduce this crash by sticking, say, 
`sleep (1);` just before `free(lastUname);` on line 148, and then building an 
srpm that packages a bunch of binary rpms.

texlive will do nicely...

rpmugUid() is not thread safe.

rpmugGid() is not thread safe.

rpmugUname() is not thread safe.

rpmugGname() is not thread safe.



-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2826
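
The failure mode reported above, reduced to a stand-alone model: this is an added example, not rpm's code and not part of the original report. It assumes a one-entry name-to-uid cache held in static variables, as implied by the `free(lastUname)` call the report points at; `lookup_uid`, `dup_name`, `cached_uid_unsafe`, `cached_uid_safe`, `worker` and `stress_safe` are hypothetical names.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins for the passwd lookup and string copy; not rpm code. */
static int lookup_uid(const char *n) { return strcmp(n, "root") == 0 ? 0 : 2; }
static char *dup_name(const char *s) {
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}
static char *last_name;   /* one-entry cache shared by every caller */
static int last_uid;

/* Unsafe shape: two threads that both miss can free() the same pointer. */
int cached_uid_unsafe(const char *name) {
    if (last_name == NULL || strcmp(name, last_name) != 0) {
        free(last_name);              /* racy when called concurrently */
        last_name = dup_name(name);
        last_uid = lookup_uid(name);
    }
    return last_uid;
}

/* Hardened shape: compare, free and read all happen under one lock.
 * Only safe if every caller goes through this wrapper. */
static pthread_mutex_t cache_lock = PTHREAD_MUTEX_INITIALIZER;
int cached_uid_safe(const char *name) {
    pthread_mutex_lock(&cache_lock);
    int uid = cached_uid_unsafe(name);
    pthread_mutex_unlock(&cache_lock);
    return uid;
}

static void *worker(void *arg) {
    intptr_t bad = 0;
    for (int i = 0; i < 20000; i++) {
        /* Alternate names so nearly every call misses the cache. */
        const char *n = ((i + (intptr_t)arg) & 1) ? "daemon" : "root";
        bad += cached_uid_safe(n) != lookup_uid(n);
    }
    return (void *)bad;
}
/* Constructed stress run: wrong answers seen by 4 threads (0 expected). */
long stress_safe(void) {
    pthread_t t[4];
    long bad = 0;
    for (intptr_t i = 0; i < 4; i++) pthread_create(&t[i], NULL, worker, (void *)i);
    for (int i = 0; i < 4; i++) { void *r; pthread_join(t[i], &r); bad += (intptr_t)r; }
    return bad;
}
```

Building with `-fsanitize=thread` and pointing `worker` at `cached_uid_unsafe` instead makes the data race on `last_name` visible without waiting for the allocator to abort.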