Your message dated Tue, 22 Dec 2020 19:46:24 -0500
with message-id <3959251.1IzOArtZ34@t450>
and subject line Re: Bug#971643: null pointer dereference with dpkg -V
has caused the Debian Bug report #971643,
regarding null pointer dereference with dpkg -V
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
971643: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971643
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dpkg
Version: 1.20.5
Severity: normal
Tags: upstream
X-Debbugs-Cc: 

I cannot reproduce this on a Debian binary package. Hardening flags like
FORTIFY_SOURCE may keep this from being an issue. I found this fooling
around with ASan:
$ ./dpkg --admindir='/var/lib/dpkg' -V apt
varbuf.c:99:3: runtime error: null pointer passed as argument 1, which is declared to never be null

Here's the relevant bit of code with a check to diagnose:
void varbuf_add_buf(struct varbuf *v, const void *s, size_t size)
{
        varbuf_grow(v, size);
+       if(v->buf + v->used == NULL) {
+               puts((size == 0) ? "size is zero" : "size is not zero");
+       }
        memcpy(v->buf + v->used, s, size);
        v->used += size;
}

This prints "size is zero", so maybe that's why this seems harmless:
memcpy() may not do anything and the same may go for adding 'size'.

-- Package-specific info:
System tainted due to merged-usr-via-symlinks.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing'), (2, 'unstable'), (1, 'testing-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.8.0-2-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_USER, TAINT_WARN, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dpkg depends on:
ii  libbz2-1.0   1.0.8-4
ii  libc6        2.31-3
ii  liblzma5     5.2.4-1+b1
ii  libselinux1  3.1-2
ii  tar          1.30+dfsg-7
ii  zlib1g       1:1.2.11.dfsg-2

dpkg recommends no packages.

Versions of packages dpkg suggests:
ii  apt            2.1.10
pn  debsig-verify  <none>

-- no debconf information


--- End Message ---
--- Begin Message ---
The bug title is inaccurate, but it seems this has been fixed in Git already:

commit 52b63137c0a0c9b95ad0b46c1d2ceacfab492297
Author: Guillem Jover <[email protected]>
Date:   Sun Aug 2 16:13:20 2020 +0200

    libdpkg: Fix undefined behavior in varbuf functions
    
    While varbuf_grow() handles 0 sizes fine, we do a check before calling
    it to avoid the duplicate checks.
    
    Reported-by: KOLANICH <[email protected]>
    Warned-by: gcc ASAN

 lib/dpkg/varbuf.c | 4 ++++
 1 file changed, 4 insertions(+)


--- End Message ---
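As an added illustration of the report and the commit message above (this is not dpkg's own code; `struct mini_varbuf` and its functions are hypothetical stand-ins for libdpkg's varbuf): a zero-length append to a still-empty buffer reaches memcpy() with a NULL destination, and the fix returns early on size == 0 so neither the grow nor the copy runs.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

struct mini_varbuf { size_t used, size; char *buf; };   /* hypothetical stand-in for dpkg's struct varbuf */

/* Like the real varbuf_grow(), a need of 0 is handled fine; on an empty buffer it allocates nothing. */
static void mini_varbuf_grow(struct mini_varbuf *v, size_t need)
{
    if (v->used + need <= v->size)
        return;                      /* buf stays NULL when the buffer is empty and need == 0 */
    v->size = v->size ? 2 * v->size : 16;
    while (v->size < v->used + need)
        v->size *= 2;
    if ((v->buf = realloc(v->buf, v->size)) == NULL)
        abort();
}

/* The report's varbuf_add_buf() has no early return: on an empty varbuf with size == 0 it
 * reaches memcpy(NULL, s, 0), which C11 7.24.1p2 makes undefined behaviour regardless of
 * the length (the sanitizer's "null pointer passed as argument 1"). The fix is the early
 * return below, so neither grow nor memcpy is called for zero-length input. */
static void mini_varbuf_add_buf(struct mini_varbuf *v, const void *s, size_t size)
{
    if (size == 0)
        return;
    mini_varbuf_grow(v, size);
    memcpy(v->buf + v->used, s, size);
    v->used += size;
}

/* The trigger: a zero-size grow on an empty buffer leaves buf NULL (returns 1). */
int zero_grow_leaves_buf_null(void)
{
    struct mini_varbuf v = { 0, 0, NULL };
    mini_varbuf_grow(&v, 0);
    return v.buf == NULL;
}

/* The fixed path: a zero-length add is a no-op, a later add still lands; returns bytes used (3). */
size_t fixed_path_used(void)
{
    struct mini_varbuf v = { 0, 0, NULL };
    mini_varbuf_add_buf(&v, "", 0);          /* would have been memcpy(NULL, "", 0) before the fix */
    mini_varbuf_add_buf(&v, "apt", 3);
    size_t used = (v.buf != NULL && memcmp(v.buf, "apt", 3) == 0) ? v.used : 0;
    free(v.buf);
    return used;
}
```

Building with `-fsanitize=undefined` and removing the early return reproduces the diagnostic from the report, which is why a zero-length copy that "does nothing" is still worth guarding.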
