segfault installing packages (in very strange edge cases)

[achilleas-k]

Hi all!

I'm getting segfaults from rpm when installing packages in osbuild. The set of circumstances that cause the segfault are very strange and very sensitive to changes, so I might be giving a lot of useless information here.

The issue happens with rpm 4.16.1.3 on CentOS Stream 9. I haven't managed to reproduce it on other distros or distro versions, even with the same packages, though some package versions might differ. It also seems to be sensitive to the following:

• Order of packages to be installed
• Specific package set to be installed: adding or removing packages can change whether the segfault happens or not
• Duplicating packages: having duplicates in the package list seems to cause it, while deduplicating the list fixes it
• Excluding docs

I managed to get a backtrace, though I haven't managed to reproduce it in an interactive environment so I haven't managed to look around. Here's the bt:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f7b226 in hex2bin (h=h@entry=0x555555625dc0, tag=tag@entry=5090, num=num@entry=801, len=224) at /usr/src/debug/rpm-4.16.1.3-7.el9.x86_64/lib/rpmfi.c:1505
1505                    *t = (rnibble(s[0]) << 4) | rnibble(s[1]);
#0  0x00007ffff7f7b226 in hex2bin (h=h@entry=0x555555625dc0, tag=tag@entry=5090, num=num@entry=801, len=224) at /usr/src/debug/rpm-4.16.1.3-7.el9.x86_64/lib/rpmfi.c:1505
#1  0x00007ffff7f7bc2f in rpmfilesPopulate (flags=65538, h=0x555555625dc0, fi=0x555555633e80) at /usr/src/debug/rpm-4.16.1.3-7.el9.x86_64/lib/rpmfi.c:1580
#2  rpmfilesNew (pool=0x5555555c8db0, h=0x555555625dc0, tagN=<optimized out>, flags=65538) at /usr/src/debug/rpm-4.16.1.3-7.el9.x86_64/lib/rpmfi.c:1642
#3  0x00007ffff7f834d1 in addTE (p=0x555555625c30, h=0x555555625dc0, key=0x55555561ef50, relocs=<optimized out>) at /usr/src/debug/rpm-4.16.1.3-7.el9.x86_64/lib/rpmte.c:188
#4  0x00007ffff7f66da6 in rpmteNew (addop=0, relocs=0x0, key=0x55555561ef50, type=TR_ADDED, h=0x555555625dc0, ts=0x55555555fb40) at /usr/src/debug/rpm-4.16.1.3-7.el9.x86_64/lib/rpmte.c:258
#5  addPackage (ts=0x55555555fb40, h=0x555555625dc0, key=0x55555561ef50, op=<optimized out>, relocs=0x0) at /usr/src/debug/rpm-4.16.1.3-7.el9.x86_64/lib/depends.c:422
#6  0x00007ffff7f8b567 in rpmInstall (ts=<optimized out>, ia=<optimized out>, fileArgv=<optimized out>) at /usr/src/debug/rpm-4.16.1.3-7.el9.x86_64/lib/rpminstall.c:599
#7  0x0000555555556b9c in main (argc=8, argv=<optimized out>) at /usr/src/debug/rpm-4.16.1.3-7.el9.x86_64/rpm.c:265

If you'd like to reproduce it, install osbuild (version 40 or newer, for CS9 support) and run the attached manifest as root:

osbuild --checkpoint build rpm-segfault.txt

The manifest is in JSON but I renamed it to TXT to attach it to the issue.
The --checkpoint build flag will save a checkpoint of the first part of the build so repeated runs will be faster. By default these are saved in .osbuild in the current working directory, but you can change that with the --store option.

I've been trying to pinpoint the cause for a couple of days now and it's making less sense the more I look at it.

Let me know if there's any more information you need or if I can help in any way.

rpm-segfault.txt

[mlschroe]

What's very suspicious is the "len=224" argument. It's supposed to be the digest length in bytes.

[pmatilai]

That'd be IMA signatures, which are a new thing in CS9. Probably this issue:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2018937

[mlschroe]

The code in rpmsignfiles.c should at least check if the signature sizes match and not just use the size of the last signature...

Anyway, the sizes are implicit through the string array, so we can simply ignore the RPMTAG_FILESIGNATURELENGTH from the header and do the right thing in the implementation.

We can make fi->signaturelen an array, add fi->maxsignaturelen and add a new hex2bin variant that first calculates the max signature size, puts in in fi->maxsignaturelen and then converts the individual entries populating fi->signaturelen.

[mlschroe]

Basically like the veritysigs implementation... I didn't know about those.

[pmatilai]

Yup. Keeping the hex-encoded strings as such in memory (as done in the rough patch in bugzilla) is would be a terrible waste of memory.

[pmatilai]

...on a related note, we should only bother with keeping this stuff in memory if IMA plugin is loaded, it's a non-trivial amount of memory even in binary form for which we have absolutely zero use if they don't get used. Ditto with fsverity.

[DemiMarie]

Is this an exploitable vulnerability? This also shows why IMA and fsverity signatures belong in the main header, where they cannot be tampered with.

[achilleas-k]

What's the situation with this? Is there anything I can do to work around it consistently?

Never mind, I see there's an update on the RHBZ.

[pmatilai]

To work around, one of the following should do:

• rpm -e rpm-plugin-ima
• echo "%__transaction_ima %{nil}" > /etc/rpm/macros.ima