Control: tags -1 - unreproducible moreinfo + confirmed
Hi!
On Mon, 2025-06-23 at 10:35:46 -0400, Noah Meyerhans wrote:
> It seems that the problem is only triggered if dpkg-trigger is run
> *without* --no-act first. Then a subsequent invocation *with* --no-act
> triggers the segfault.
>
> It does not seem specific to any of the packages or triggers that I was
> working on, and can be reproduced with an arbitrary trigger.
>
> See the attached script for a simple repro using docker containers. Let
> me know if you still have trouble reproducing it and I can get you a
> core file.
>
> Stack trace looks like:
> (gdb) bt
>
> #0 0x00007fbca6df0d8a in __vfprintf_internal (s=0x0,
> format=format@entry=0x55d0872763ac "%s", ap=ap@entry=0x7fff25f83660,
> mode_flags=mode_flags@entry=2) at ./stdio-common/vfprintf-internal.c:1525
> #1 0x00007fbca6ea8fb6 in ___vfprintf_chk (fp=<optimized out>,
> flag=flag@entry=1, format=format@entry=0x55d0872763ac "%s",
> ap=ap@entry=0x7fff25f83660) at ./debug/vfprintf_chk.c:29
> #2 0x000055d087270abc in vfprintf (__stream=<optimized out>,
> __fmt=<optimized out>, __ap=0x7fff25f83660)
> at /usr/include/x86_64-linux-gnu/bits/stdio2.h:166
> #3 trigdef_update_printf (format=format@entry=0x55d0872763ac "%s") at
> ../../../lib/dpkg/trigdeferred.c:157
> #4 0x000055d08726acfe in tdm_add_trig_begin (trig=0x7fff25f83750
> "sa-compile-upgrade") at ../../src/trigger/main.c:146
> #5 0x000055d087270bb5 in trigdef_parse () at
> ../../../lib/dpkg/trigdeferred.c:211
> #6 0x000055d08726a995 in do_trigger (argv=<optimized out>) at
> ../../src/trigger/main.c:201
> #7 0x000055d08726a6c8 in main (argc=<optimized out>, argv=<optimized out>)
> at ../../src/trigger/main.c:265
Thanks! This was very helpful. I've been able to reproduce this now,
and I've very quickly prepared a tentative patch, which I've not yet
tested, and not analyzed whether there might be a better fix or some
other lingering issues (will do that later today).
The problem is that when we are passing --no-act then the file
descriptor for the triggers file is NULL, so the print segfaults,
which we should not even be attempting to do in the first place.
Thanks,
Guillem
diff --git i/lib/dpkg/trigdeferred.c w/lib/dpkg/trigdeferred.c
index ae31d6285..e04c673d4 100644
--- i/lib/dpkg/trigdeferred.c
+++ w/lib/dpkg/trigdeferred.c
@@ -153,6 +153,9 @@ trigdef_update_printf(const char *format, ...)
{
va_list ap;
+ if (trig_new_deferred == NULL)
+ return;
+
va_start(ap, format);
vfprintf(trig_new_deferred, format, ap);
va_end(ap);
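Review bot: the new `trig_new_deferred == NULL` early return in trigdef_update_printf() carries no comment saying when the stream is expected to be NULL, so the guard reads as if it papers over a bug. A short comment stating that the stream is NULL when --no-act is passed (as the message above explains) would make the intent clear. The backtrace shows the call arriving from tdm_add_trig_begin() in src/trigger/main.c, so it is also worth checking whether that caller should skip the update under --no-act, leaving this function free to treat a NULL stream in any other situation as an error instead of silently ignoring it.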