dskvr / opkg

Automatically exported from code.google.com/p/opkg

Use-after-free on 'opkg install a/foo.ipk b/foo.ipk' #157

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Version: opkg 0.1.8 (openwrt)

I accidentally had a package by the same name in two different directories, and 
when openwrt was preparing the rootfs (opkg --offline-root --add-dest root:/ 
...), it started giving very strange errors:

Unknown package '@'.
Installing hd-idle (1.04-1) to root...
Configuring hd-idle.
Collected errors:
 * opkg_install_cmd: Cannot install package @.

Turns out it's a use-after-free when 'opkg install' two packages of the same name:

$ ls -l $(cat pkgs.txt)
-rw-r--r-- 1 catalinp catalinp 5,183 Jan  9 01:46 /home/catalinp/src/openwrt/bin/ar71xx/packages/oldpackages/hd-idle_1.04-1_ar71xx.ipk
-rw-r--r-- 1 catalinp catalinp 5,255 Jan  9 03:05 /home/catalinp/src/openwrt/bin/ar71xx/packages/packages/hd-idle_1.04-1_ar71xx.ipk

$ IPKG_NO_SCRIPT=1 IPKG_TMP=/home/cat [...] valgrind /home/catalinp/src/openwrt/staging_dir/host/bin/opkg --offline-root [...] install bin/ar71xx/packages/packages/hd-idle_1.04-1_ar71xx.ipk bin/ar71xx/packages/packages/hd-idle_1.04-1_ar71xx.ipk

==2277== Invalid read of size 1
==2277==    at 0x40F063: hash_table_get (in /home/catalinp/src/openwrt/staging_dir/host/bin/opkg)
==2277==    by 0x40F546: pkg_vec_fetch_by_name (in /home/catalinp/src/openwrt/staging_dir/host/bin/opkg)
==2277==    by 0x40FF38: pkg_hash_fetch_installed_by_name (in /home/catalinp/src/openwrt/staging_dir/host/bin/opkg)
==2277==    by 0x4074C5: opkg_install_by_name (in /home/catalinp/src/openwrt/staging_dir/host/bin/opkg)
==2277==    by 0x40511B: opkg_install_cmd (in /home/catalinp/src/openwrt/staging_dir/host/bin/opkg)
==2277==    by 0x402E27: main (in /home/catalinp/src/openwrt/staging_dir/host/bin/opkg)
==2277==  Address 0x52bba60 is 0 bytes inside a block of size 8 free'd
==2277==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2277==    by 0x40AC53: pkg_deinit (in /home/catalinp/src/openwrt/staging_dir/host/bin/opkg)
==2277==    by 0x4115C3: pkg_vec_insert_merge (in /home/catalinp/src/openwrt/staging_dir/host/bin/opkg)
==2277==    by 0x4100A8: hash_insert_pkg (in /home/catalinp/src/openwrt/staging_dir/host/bin/opkg)
==2277==    by 0x4059B9: opkg_prepare_url_for_install (in /home/catalinp/src/openwrt/staging_dir/host/bin/opkg)
==2277==    by 0x4050DF: opkg_install_cmd (in /home/catalinp/src/openwrt/staging_dir/host/bin/opkg)
==2277==    by 0x402E27: main (in /home/catalinp/src/openwrt/staging_dir/host/bin/opkg)

Not sure whether this is still an issue in trunk. I am surprised openwrt uses 
such an old opkg version.

To test on a newer opkg I could try:
1) Update openwrt build system to use a newer opkg.. might be tricky, seems 
it's very far behind.
2) Build new opkg outside of openwrt, then try the command again.. would opkg 
trunk be backwards compatible with ipkg built by opkg 0.1.8?

opkg should print an error message, or try to install the pkg twice, but not 
crash or corrupt memory.

Original issue reported on code.google.com by cronos...@gmail.com on 13 Jan 2015 at 6:50
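The valgrind trace above shows the shape of the bug: the insert-merge step frees the second package object when it finds an entry of the same name already in the table, while the install driver still holds the pointer it passed in and later reads the package name through it. The following is an added illustration of that ownership mistake beside a hardened form, written for this page; it is not opkg's code, and the names (pkg_t, pkg_table_t, table_insert_merge, install_from_path, the two constructed .ipk paths) are hypothetical. The hardened merge returns whichever object survives, so the caller can never keep a handle to the freed one, and the driver reports the duplicate instead of installing it twice.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the insert-merge pattern behind this report; the
 * types and functions here are not opkg's own. */
typedef struct { char *name; char *path; } pkg_t;
typedef struct { pkg_t *items[16]; size_t count; } pkg_table_t;

static char *dup_n(const char *s, size_t n)
{
    char *d = malloc(n + 1);
    if (d) { memcpy(d, s, n); d[n] = '\0'; }
    return d;
}

static void pkg_free(pkg_t *p)
{
    if (!p) return;
    free(p->name);
    free(p->path);
    free(p);
}

/* Package name taken from an .ipk path: basename up to the first '_'. */
static pkg_t *pkg_from_path(const char *path)
{
    const char *base = strrchr(path, '/');
    const char *us;
    pkg_t *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    base = base ? base + 1 : path;
    us = strchr(base, '_');
    p->name = dup_n(base, us ? (size_t)(us - base) : strlen(base));
    p->path = dup_n(path, strlen(path));
    if (!p->name || !p->path) { pkg_free(p); return NULL; }
    return p;
}

/* The shape that causes the use-after-free: on a name clash the newcomer
 * is freed, but the caller still holds its pointer and is told nothing; a
 * later read through it is the "Invalid read" in the valgrind trace above.
 * Kept for contrast only; nothing below calls it. */
void table_insert_merge_unsafe(pkg_table_t *t, pkg_t *p)
{
    for (size_t i = 0; i < t->count; i++)
        if (strcmp(t->items[i]->name, p->name) == 0) { pkg_free(p); return; }
    t->items[t->count++] = p;
}

/* Hardened form: the table decides which object survives and returns it;
 * the caller must drop its own pointer and continue with the result. */
static pkg_t *table_insert_merge(pkg_table_t *t, pkg_t *p)
{
    for (size_t i = 0; i < t->count; i++)
        if (strcmp(t->items[i]->name, p->name) == 0) {
            pkg_free(p);
            return t->items[i];   /* the only valid handle from here on */
        }
    if (t->count >= sizeof t->items / sizeof t->items[0]) { pkg_free(p); return NULL; }
    t->items[t->count++] = p;
    return p;
}

/* One "opkg install <path>" argument: 1 if newly added, 0 if an entry of
 * that name already existed (the case the reporter wants an error message
 * for), -1 on failure. *out receives the surviving pointer for 1 and 0. */
static int install_from_path(pkg_table_t *t, const char *path, pkg_t **out)
{
    size_t before = t->count;
    pkg_t *p = pkg_from_path(path), *kept;
    if (!p) return -1;
    kept = table_insert_merge(t, p);
    /* p is not touched past this point: it may just have been freed. */
    if (!kept) return -1;
    *out = kept;
    return t->count > before ? 1 : 0;
}

static void table_free(pkg_table_t *t)
{
    for (size_t i = 0; i < t->count; i++) pkg_free(t->items[i]);
    t->count = 0;
}

int main(void)
{
    /* Constructed arguments mirroring the report: same name, two directories. */
    const char *args[] = { "a/hd-idle_1.04-1_ar71xx.ipk", "b/hd-idle_1.04-1_ar71xx.ipk" };
    pkg_table_t t = { { 0 }, 0 };
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++) {
        pkg_t *p = NULL;
        int r = install_from_path(&t, args[i], &p);
        if (r == 1) printf("Installing %s from %s\n", p->name, p->path);
        else if (r == 0) printf("Package '%s' already given as %s; ignoring %s\n", p->name, p->path, args[i]);
        else printf("Cannot parse %s\n", args[i]);
    }
    table_free(&t);
    return 0;
}
```

The design point is that a container which may free what it is handed must return the canonical object, or take ownership by pointer-to-pointer and null the caller's copy; a void-returning merge that silently frees its argument leaves every caller one forgotten check away from the dangling read valgrind reported here.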

GoogleCodeExporter commented 8 years ago
Please confirm whether this issue still occurs with opkg v0.2.4 or v0.3.0-rc2. 
The package feeds should be compatible so you should be able to compile opkg 
outside openwrt and use that.

I'm currently stepping back from opkg maintenance so I don't have time to look 
further into this myself but if you can confirm this is an issue on the latest 
release or rc I'll see what can be done.

Original comment by paul.betafive on 9 Mar 2015 at 9:21

GoogleCodeExporter commented 8 years ago
I've tried to reproduce this on the master branch by running 'valgrind 
/home/pbarker/work/opkg/src/opkg -o /tmp/opkg  install a1/a_1.0_all.opk 
a2/a_2.0_all.opk'. Valgrind didn't report any errors or use-after-free 
conditions. I think this must have been fixed somewhere between v0.1.8 and 
v0.3.0-rc2.

Please re-open if you find a way to reproduce this on the latest version of 
opkg.

Original comment by paul.betafive on 17 May 2015 at 10:54