[Pkg-rust-maintainers] Bug#918854: Bug#918854: segfault updating crates.io index
Ximin Luo
infinity0 at debian.org
Sun May 19 04:03:00 BST 2019
Control: reassign -1 libgit2 0.27.7+dfsg.1-0.1
I figured out the problem and have a bug fix on the way. The problem is in libgit2, not cargo.
Actually libgit2 has a shit ton of holes. The fix for this particular bug is cherry-picked from here:
https://github.com/libgit2/libgit2/commits/master/src/transports/smart.c
but just looking at that log, there are lots of other potential segfaults that are in version 0.27.
Happy exploit-finding.
X
Antoine Beaupre:
> Package: cargo
> Version: 0.33.0-1
> Followup-For: Bug #918854
>
> I'm seeing the same thing in buster right now. It's intermittent, and
> the build eventually finishes if retried.
>
> It's especially annoying when building Docker containers, which do not
> afford the luxury of retries. A reliable way to trigger it is to set
> the `http_proxy` environment (even if to the empty string).
>
> The following Dockerfile (when run inside
> https://gitlab.com/sequoia-pgp/sequoia) reproduces this reliably for
> me:
>
> # we do not use the rust image because it's based on Debian stretch
> # where nettle and rustc are too old
> FROM debian:buster AS build
>
> COPY . /home/builder/sequoia
>
> # create a sandbox user for the build (in ~builder) and install (in /opt)
> # give it permissions to the build dir and home
> # upgrade everything
> # add dependencies, as specified by the Sequoia README.md file
> RUN groupadd -r builder && \
>     useradd --no-log-init -r -g builder builder && \
>     chown -R builder:builder /home/builder /opt && \
>     apt update && apt upgrade -yy && \
>     apt install -y --no-install-recommends \
>         ca-certificates \
>         capnproto \
>         cargo \
>         clang \
>         git \
>         libsqlite3-dev \
>         libssl-dev \
>         make \
>         nettle-dev \
>         pkg-config \
>         python3-dev \
>         python3-setuptools \
>         python3-cffi \
>         python3-pytest \
>         rustc
>
> # switch to the sandbox user
> USER builder
>
> RUN make -C /home/builder/sequoia
>
> I since then changed the Dockerfile to build the project three times
> in an attempt to work around the issue, which more or less works
> reliably. Here are two segfaults that were triggered in the last
> build:
>
> mai 16 18:12:28 curie kernel: cargo[25318] segfault at 50000562b ip 000000050000562b sp 00007fff0d0e8678 error 14 in cargo[562b40957000+5c000]
> mai 16 18:12:28 curie kernel: Code: Bad RIP value.
> mai 16 18:12:33 curie kernel: cargo[25346] segfault at 60228 ip 00007f87ec5ba407 sp 00007ffdc3227c90 error 4 in libcurl-gnutls.so.4.5.0[7f87ec572000+61000]
> mai 16 18:12:33 curie kernel: Code: 48 39 c2 75 10 48 8b 87 d8 16 00 00 48 39 87 c0 0f 00 00 74 26 48 8d 6c 24 0c 48 89 ee e8 31 ff ff ff 31 f6 48 89 e9 48 89 df <41> 8b 94 24 28 02 00 00 e8 8c 81 fb ff 85 c0 75 08 48 89 df e8 e0
>
> This command is a reliable reproducer:
>
> env http_proxy= cargo build
>
> mai 16 18:16:12 curie kernel: cargo[499] segfault at 0 ip 00007f9d47cb8181 sp 00007ffe8d0dbd58 error 4 in libc-2.28.so[7f9d47b7e000+148000]
> mai 16 18:16:12 curie kernel: Code: 84 00 00 00 00 00 0f 1f 00 31 c0 c5 f8 77 c3 66 2e 0f 1f 84 00 00 00 00 00 89 f9 48 89 fa c5 f9 ef c0 83 e1 3f 83 f9 20 77 1f <c5> fd 74 0f c5 fd d7 c1 85 c0 0f 85 df 00 00 00 48 83 c7 20 83 e1
>
> ... but could be unrelated.
>
> -- System Information:
> Debian Release: buster/sid
> APT prefers testing
> APT policy: (500, 'testing'), (1, 'experimental'), (1, 'unstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
> Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages cargo depends on:
> ii binutils 2.31.1-16
> ii clang 1:7.0-47
> ii clang-7 [c-compiler] 1:7.0.1-8
> ii gcc 4:8.3.0-1
> ii gcc-8 [c-compiler] 8.3.0-6
> ii libc6 2.28-10
> ii libcurl3-gnutls 7.64.0-2
> ii libgcc1 1:8.3.0-6
> ii libgit2-27 0.27.7+dfsg.1-0.1
> ii libssh2-1 1.8.0-2.1
> ii libssl1.1 1.1.1b-2
> ii rustc 1.32.0+dfsg1-3
> ii zlib1g 1:1.2.11.dfsg-1
>
> cargo recommends no packages.
>
> Versions of packages cargo suggests:
> pn cargo-doc <none>
> ii python3 3.7.2-1
>
> -- debconf-show failed
>
--
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git
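
Added example, not part of either message: a small triage script for the kernel segfault lines quoted in the report, decoding the page-fault error code and checking whether the faulting instruction pointer really lies inside the mapping named on the line. The function names `triage` and `decode_error` and the 0x1000 near-null threshold are choices made for this example.

```python
import re

# The three kernel segfault lines quoted in the report above (journal prefix trimmed).
SAMPLE = """\
cargo[25318] segfault at 50000562b ip 000000050000562b sp 00007fff0d0e8678 error 14 in cargo[562b40957000+5c000]
cargo[25346] segfault at 60228 ip 00007f87ec5ba407 sp 00007ffdc3227c90 error 4 in libcurl-gnutls.so.4.5.0[7f87ec572000+61000]
cargo[499] segfault at 0 ip 00007f9d47cb8181 sp 00007ffe8d0dbd58 error 4 in libc-2.28.so[7f9d47b7e000+148000]
"""

LINE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\] segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp [0-9a-f]+ error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\s\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

def decode_error(code):
    """Decode the x86 page-fault error code (the kernel prints it in hex)."""
    return {
        "access": "exec" if code & 0x10 else "write" if code & 0x2 else "read",
        "cause": "protection" if code & 0x1 else "not-present",
        "mode": "user" if code & 0x4 else "kernel",
    }

def triage(line):
    """Return a dict describing one segfault line, or None if it is not one."""
    m = LINE.search(line)
    if m is None:
        return None
    addr, ip, err = (int(m[k], 16) for k in ("addr", "ip", "err"))
    # near_null uses a 0x1000 threshold, an assumption made for this example.
    info = {"comm": m["comm"], "pid": int(m["pid"]), "fault_addr": addr,
            "near_null": addr < 0x1000, "object": None, "offset": None}
    info.update(decode_error(err))
    if m["obj"]:
        base, size = int(m["base"], 16), int(m["size"], 16)
        # The ip can lie outside the mapping named on the line (first sample),
        # so attribute the crash to that object only when the ip is inside it.
        if base <= ip < base + size:
            info["object"], info["offset"] = m["obj"], ip - base
    return info

if __name__ == "__main__":
    for entry in filter(None, map(triage, SAMPLE.splitlines())):
        where = (f"{entry['object']}+{entry['offset']:#x}" if entry["object"]
                 else "ip outside named mapping")
        print(f"{entry['comm']}[{entry['pid']}] {entry['mode']} {entry['access']} "
              f"of {entry['cause']} page at {entry['fault_addr']:#x}: {where}")
```

The offset is relative to the start of the mapping printed by the kernel, which is not necessarily the ELF load base; resolving it to a symbol also needs that mapping's file offset from `/proc/<pid>/maps` or a core dump.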