Package: fakeroot
Version: 1.38-1

I ran into a segfault from cp -pR, under fakeroot, with files that have extended attributes. The sequence of events is as follows:

* cp (either directly or via a lib) attempts a fchownat, which fails with errno set to EPERM (1)
* the fakeroot wrapper hides the return value but keeps errno (this is legal)
* cp calls down into attr_copy_fd from libattr
* attr_copy_fd attempts to flistxattr on a NULL buffer of size 0; this returns 33 (size of buffer) and leaves errno unchanged (still EPERM)
* the fakeroot wrapper catches the stale EPERM, clears errno, and returns 0 to indicate an empty xattr (which is incorrect)
* attr_copy_fd does not have any special handling for a returned size of 0, so it continues and allocates a 1 byte buffer (size+1)
* attr_copy_fd then attempts to flistxattr on the 1 byte buffer with size 0. This successfully returns 33 again, as is correct when size is 0.
* fakeroot correctly forwards the successful call now that errno is 0
* attr_copy_fd overwrites its size variable with the new result (33), and reads well past the allocated buffer into a segfault. (It also skips over its end pointer and reads much more than 33 bytes, but that's another issue)

This appears to have been inadvertently introduced by changes in #1136815. Some of the introduced !r checks probably need to be changed to r > 0 to allow positive return values to be returned unmodified.

I'd also like to note that it's *not* legal for syscalls to clear errno, which may now happen if you have a pre-set errno coming into a modified syscall, but I've not run into any issues tied to it.

I am using Arch Linux, which is downstream from this package, but not currently running any patches.
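The two hazards in the sequence above (a wrapper that reads errno without first checking for a failing return value, and a caller that trusts a second size report that exceeds what it allocated) can be reproduced in isolation. The following is an added example written for this report; it is not code from fakeroot, libattr or cp. The function sim_flistxattr is a constructed stand-in for flistxattr(2) that, like the real call, leaves errno untouched on success; wrapper_stale_errno, wrapper_checked, copy_names and run_scenario are all hypothetical names chosen for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed attribute name list: three NUL-terminated names, 33 bytes in
 * total (the string literal's final NUL is counted), matching the size
 * reported in the bug above. */
static const char kNames[] = "user.type\0user.tag\0user.checksum";
#define NAMES_LEN ((ssize_t)sizeof(kNames))

/* Stand-in for flistxattr(2). size == 0 is a pure size query. On success the
 * list size is returned and errno is not modified, exactly like the syscall. */
static ssize_t sim_flistxattr(char *list, size_t size)
{
    if (size == 0)
        return NAMES_LEN;
    if (size < (size_t)NAMES_LEN) {
        errno = ERANGE;
        return -1;
    }
    memcpy(list, kNames, (size_t)NAMES_LEN);
    return NAMES_LEN;
}

/* The mistake from the report: errno is consulted no matter what the call
 * returned, so a stale EPERM from an earlier failure turns a successful
 * 33-byte result into "no extended attributes". */
static ssize_t wrapper_stale_errno(char *list, size_t size)
{
    ssize_t r = sim_flistxattr(list, size);
    if (errno == EPERM) {   /* wrong: errno only means something when r == -1 */
        errno = 0;
        return 0;
    }
    return r;
}

/* Corrected wrapper: errno is only meaningful after a failing return, and a
 * positive result is passed through unmodified. EPERM is still mapped to an
 * empty list (the emulation the wrapper exists for) without clearing errno,
 * since a successful return does not require errno to be zero. */
static ssize_t wrapper_checked(char *list, size_t size)
{
    ssize_t r = sim_flistxattr(list, size);
    if (r < 0 && errno == EPERM)
        return 0;
    return r;
}

/* Caller modelled on the query/allocate/fill pattern of attr_copy_fd, with
 * the two checks the report shows are needed: stop on a 0-byte size query,
 * and never accept a second size larger than the buffer that was allocated. */
static ssize_t copy_names(ssize_t (*listfn)(char *, size_t),
                          char *out, size_t outcap)
{
    ssize_t size = listfn(NULL, 0);
    if (size < 0)
        return -1;
    if (size == 0)
        return 0;                          /* nothing to copy */
    char *buf = malloc((size_t)size + 1);
    if (!buf)
        return -1;
    ssize_t got = listfn(buf, (size_t)size);
    if (got < 0 || got > size || (size_t)got > outcap) {
        free(buf);                         /* refuse an oversized result */
        return -1;
    }
    memcpy(out, buf, (size_t)got);
    free(buf);
    return got;
}

/* Drives one scenario: optionally plant a stale EPERM (as the failed
 * fchownat does in the report), then copy through the chosen wrapper.
 * Returns the number of bytes of names that reached the caller. */
static ssize_t run_scenario(int stale_errno, int use_checked_wrapper)
{
    char out[64];
    errno = stale_errno ? EPERM : 0;
    return copy_names(use_checked_wrapper ? wrapper_checked : wrapper_stale_errno,
                      out, sizeof out);
}

int main(void)
{
    printf("stale errno, errno-first wrapper : %zd bytes\n", run_scenario(1, 0));
    printf("stale errno, return-first wrapper: %zd bytes\n", run_scenario(1, 1));
    printf("clean errno, errno-first wrapper : %zd bytes\n", run_scenario(0, 0));
    return 0;
}
```

With a stale EPERM in place, the errno-first wrapper makes copy_names report 0 bytes (the attributes are silently dropped rather than over-read, because the caller stops on a 0-byte size query), while the return-first wrapper delivers all 33 bytes; with a clean errno both wrappers behave identically, which is why the fault only shows up after a preceding failed call.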

