rustsec / rustsec

RustSec API & Tooling
https://rustsec.org/

cargo-audit: SIGSEGV when fetching advisory database #466

Closed carlosb1 closed 1 year ago

carlosb1 commented 2 years ago

I have an error with cargo-audit

version rustc: 1.56.1
version cargo: 1.56.0

For a docker image rust:alpine, I install audit and then:

/albrs-antijamming_rs-lib # cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Segmentation fault (core dumped)

I apply these commands in the docker image before installing audit:

        - apk update && apk upgrade && apk add --no-cache bash git openssh libc-dev openssl-dev
        - rustup component add rustfmt
        - rustup component add clippy
        - cargo install cargo-audit

For running the docker image, I run:

docker run -it --volume=/home/myname/myproject/mylib-lib:/mylib-lib --workdir="/mylib-lib" --memory=4g --memory-swap=4g --memory-swappiness=0 --cpus=4 --entrypoint=/bin/sh rust:alpine
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.

Any ideas?

UPDATE: It happens in the alpine image... the debian based image didn't throw the error.

tarcieri commented 2 years ago

I'm guessing this is something with libgit2.

The best way to help debug this would be to launch cargo audit under gdb or lldb and obtain a backtrace (e.g. bt) so we can see where it's occurring.

valkum commented 2 years ago

This is my backtrace from using cargo-deny, which uses rustsec's Repository::fetch.

Installed:
libgit2: 1:1.2.0-1 (from arch), which should be libgit2.so version 1.2-64
openssl 1.1.1.l-1

It works if I install cargo-deny with the --locked argument. So probably something broke between the locked versions and newer versions I guess.

#0  0x00007ffff7ad62c3 in SSL_get_peer_certificate () from /usr/lib/libssl.so.1.1
#1  0x00007ffff7f42db5 in ?? () from /usr/lib/libgit2.so.1.2
#2  0x00007ffff7f5034f in ?? () from /usr/lib/libgit2.so.1.2
#3  0x00007ffff7f51eab in ?? () from /usr/lib/libgit2.so.1.2
#4  0x00007ffff7f4fe3c in ?? () from /usr/lib/libgit2.so.1.2
#5  0x00007ffff7f542d6 in ?? () from /usr/lib/libgit2.so.1.2
#6  0x00007ffff7f56739 in ?? () from /usr/lib/libgit2.so.1.2
#7  0x00007ffff7f54a8c in ?? () from /usr/lib/libgit2.so.1.2
#8  0x00007ffff7f2dd87 in ?? () from /usr/lib/libgit2.so.1.2
#9  0x00007ffff7f2f4f5 in git_remote_fetch () from /usr/lib/libgit2.so.1.2
#10 0x000055555584b213 in rustsec::repository::git::repository::Repository::fetch::{{closure}} ()
#11 0x000055555584bdfb in rustsec::repository::git::authentication::with_authentication ()
#12 0x00005555557fdecf in rustsec::repository::git::repository::Repository::fetch ()
#13 0x00005555557df981 in cargo_deny::advisories::helpers::load_db ()
#14 0x00005555557a6e81 in core::ops::function::impls::<impl core::ops::function::FnOnce<A> for &mut F>::call_once ()
#15 0x000055555577c561 in rayon::iter::plumbing::Folder::consume_iter ()
#16 0x000055555577c15a in rayon::iter::plumbing::bridge_producer_consumer::helper ()
#17 0x00005555557aa5e7 in <rayon::vec::IntoIter<T> as rayon::iter::IndexedParallelIterator>::with_producer ()
#18 0x0000555555792999 in rayon::iter::collect::collect_into_vec ()
#19 0x00005555557a6571 in cargo_deny::advisories::helpers::DbSet::load ()
#20 0x00005555557ac92f in <std::panic::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once ()
#21 0x000055555571e6d1 in _$LT$rayon_core..job..HeapJob$LT$BODY$GT$$u20$as$u20$rayon_core..job..Job$GT$::execute::h43ccda76ccdab8e4 ()
#22 0x0000555555692cc1 in rayon_core::registry::WorkerThread::wait_until_cold ()
#23 0x0000555555788dd8 in rayon_core::scope::ScopeBase::complete ()
#24 0x00005555557ab9bc in <std::panic::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once ()
#25 0x000055555571f587 in _$LT$rayon_core..job..StackJob$LT$L$C$F$C$R$GT$$u20$as$u20$rayon_core..job..Job$GT$::execute::h3935c14f3e7d9778 ()
#26 0x0000555555692cc1 in rayon_core::registry::WorkerThread::wait_until_cold ()
#27 0x00005555559c7c0d in rayon_core::registry::ThreadBuilder::run ()
#28 0x00005555559c95a5 in std::sys_common::backtrace::__rust_begin_short_backtrace ()
#29 0x00005555559c50bb in core::ops::function::FnOnce::call_once{{vtable.shim}} ()
#30 0x0000555555d90527 in alloc::boxed::{impl#44}::call_once<(), dyn core::ops::function::FnOnce<(), Output=()>, alloc::alloc::Global> ()
    at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/alloc/src/boxed.rs:1572
#31 alloc::boxed::{impl#44}::call_once<(), alloc::boxed::Box<dyn core::ops::function::FnOnce<(), Output=()>, alloc::alloc::Global>, alloc::alloc::Global> () at /rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/alloc/src/boxed.rs:1572
#32 std::sys::unix::thread::{impl#2}::new::thread_start () at library/std/src/sys/unix/thread.rs:74
#33 0x00007ffff7e54259 in start_thread () from /usr/lib/libpthread.so.0
#34 0x00007ffff7c325e3 in clone () from /usr/lib/libc.so.6

tarcieri commented 2 years ago

@valkum what's the actual problem there? SIGSEGV?

Have you tried the vendored-libgit2 option?

If the issue persists after that, please consider filing an issue against the git2 crate.

Yuri6037 commented 2 years ago

I've just come across the same issue running a custom docker image based on alpine.

I've also had similar issues in the past trying to run my crates, which attempt to dynamically link against some system libs under aarch64 PMOS (Postmarket OS). It turned out that somehow rust musl targets don't play nicely with dynamic linking out of the box, because rust assumes that musl targets are static. To fix the problem I've added a configuration option to force rust to dynamically link.

EDIT: I found the flag I've used: -C target-feature=-crt-static

Jake-Shadle commented 2 years ago

More details in this issue https://github.com/EmbarkStudios/cargo-deny/issues/380

proudmuslim-dev commented 2 years ago

Can reproduce on Arch

           PID: 801223 (cargo-audit)
           UID: 1000 (twilight)
           GID: 1000 (twilight)
        Signal: 11 (SEGV)
     Timestamp: Fri 2022-03-18 13:48:52 PDT (2min 11s ago)
  Command Line: /home/twilight/.cargo/bin/cargo-audit audit
    Executable: /home/twilight/.cargo/bin/cargo-audit
 Control Group: /user.slice/user-1000.slice/session-1.scope
          Unit: session-1.scope
         Slice: user-1000.slice
       Session: 1
     Owner UID: 1000 (twilight)
       Boot ID: 261dce6593d54092b9323bf2e7b4c6dd
    Machine ID: 77a43c6567e14cf68645a6699ba60b01
      Hostname: andromeda
       Storage: /var/lib/systemd/coredump/core.cargo-audit.1000.261dce6593d54092b9323bf2e7b4c6dd.801223.1647636532000000.zst (present)
     Disk Size: 5.7M
       Message: Process 801223 (cargo-audit) of user 1000 dumped core.

                Module /home/twilight/.cargo/bin/cargo-audit with build-id 28506b73f12568aaca7cafc8cf2ab1c0f00fae12
                Module linux-vdso.so.1 with build-id 9d7d4d926c59683413fc723b3ac6d532410b7dd0
                Module libpthread.so.0 with build-id 7fa8b52fae071a370ba4ca32bf9490a30aff31c4
                Module libz.so.1 with build-id 0c1459c56513efd5d53eb3868290e9afee6a6a26
                Module libssh2.so.1 with build-id a4adfe44cc7ebd295b3b783361acc3dcfcea1d50
                Module libpcre.so.1 with build-id 845483dd0acba86de9f0313102bebbaf3ce52767
                Module libhttp_parser.so.2.9 with build-id a7b44d494c1e52a62efd933ab2f7b37dae9482e1
                Module ld-linux-x86-64.so.2 with build-id c09c6f50f6bcec73c64a0b4be77eadb8f7202410
                Module libc.so.6 with build-id 85766e9d8458b16e9c7ce6e07c712c02b8471dbc
                Module libm.so.6 with build-id 596b63a006a4386dcab30912d2b54a7a61827b07
                Module libgcc_s.so.1 with build-id 5d817452a709ca3a213341555ddcf446ecee37fa
                Module libcrypto.so.1.1 with build-id f94a24f9ce8f3f394c3df23f7d436796797d4459
                Module libssl.so.1.1 with build-id 54f796076979dc9b6ff9ac3c39e250db86652924
                Module libgit2.so.1.4 with build-id c0d036dddc2044070404f7ae5e65b4464588f4ca
                Stack trace of thread 801223:
                #0  0x00007f80978a7fc0 n/a (libgit2.so.1.4 + 0xa3fc0)
                #1  0x00007f80978a9aae git_remote_fetch (libgit2.so.1.4 + 0xa5aae)
                #2  0x000055731dce678d n/a (/home/twilight/.cargo/bin/cargo-audit + 0xb478d)
                #3  0x0000000000000001 n/a (n/a + 0x0)
                ELF object binary architecture: AMD x86-64

mpizenberg commented 2 years ago

I'm facing the same issue on Archlinux.

    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 404 security advisories (from /home/matthieu/.cargo/advisory-db)
    Updating crates.io index
fish: Job 1, 'cargo audit' terminated by signal SIGSEGV (Address boundary error)

tarcieri commented 2 years ago

Can people posting error reports here please also confirm whether or not you have the vendored-libgit2 cargo feature enabled?

mpizenberg commented 2 years ago

> Can people posting error reports here please also confirm whether or not you have the vendored-libgit2 cargo feature enabled?

Sorry @tarcieri where should I check that? I just installed with cargo install cargo-audit and then tried to run cargo audit. I didn't modify anything about the package or tried to compile from source by cloning myself the package.

tarcieri commented 2 years ago

Try:

$ cargo install cargo-audit --features vendored-libgit2

If that fixes the issue, perhaps we should just enable it by default.

mpizenberg commented 2 years ago

@tarcieri I can confirm that with the vendored feature, it does not crash for me (archlinux). Thanks for the info!

kidsil commented 2 years ago

Still happens with Alpine Linux even when running with

cargo install cargo-audit --features vendored-libgit2

mantono commented 2 years ago

> @tarcieri I can confirm that with the vendored feature, it does not crash for me (archlinux). Thanks for the info!

I can also reproduce this error (on Arch Linux) and confirm that the fix with vendored-libgit2 works to resolve it.

jackos commented 2 years ago

Same here, arch linux and cargo install cargo-audit --features vendored-libgit2 fixed the issue for me thanks

alilleybrinker commented 2 years ago

Looks like this is the more detailed underlying issue: https://github.com/rust-lang/git2-rs/issues/813

Basically an incompatibility between git2-rs and libgit2 versions. When you get the wrong mix of versions a particular struct gets wrongly initialized and a segfault arises.
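
Added example (not part of the thread or of the RustSec code base): a shell check for the version mix described above. It reads `ldd` output for the installed binary and compares the soname of a dynamically linked libgit2 with the libgit2 release named in the build metadata of the libgit2-sys version (as in `0.13.4+1.4.2` from a build log). The function names and the sample `ldd` text are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a cargo-audit binary load the system libgit2, and does
# that library belong to the release series libgit2-sys was written against?

# Constructed sample `ldd` output: binary linked against a system libgit2.
SAMPLE_SYSTEM='    libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007f0000000000)
    libgit2.so.1.2 => /usr/lib/libgit2.so.1.2 (0x00007f0000100000)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007f0000200000)'

# Constructed sample: libgit2 compiled in (vendored), so it is absent here.
SAMPLE_VENDORED='    libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007f0000000000)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007f0000200000)'

# Read `ldd` output on stdin and print the "major.minor" soname suffix of a
# dynamically linked libgit2. Prints nothing when libgit2 is not listed.
linked_libgit2() {
    sed -n 's/.*libgit2\.so\.\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# libgit2-sys versions carry the bundled libgit2 release after the "+",
# e.g. "0.13.4+1.4.2" -> "1.4".
bundled_libgit2() {
    printf '%s\n' "$1" |
        sed -n 's/^[^+]*+\([0-9][0-9]*\.[0-9][0-9]*\)\..*/\1/p'
}

# classify <ldd-output> <libgit2-sys-version>
# Prints one of:
#   not-linked                          no dynamic libgit2 (vendored or static)
#   unknown                             libgit2-sys version has no "+x.y.z"
#   match <series>                      system library is the expected series
#   mismatch linked=<a> expected=<b>    the version mix described above
classify() {
    linked=$(printf '%s\n' "$1" | linked_libgit2)
    expected=$(bundled_libgit2 "$2")
    if [ -z "$linked" ]; then
        echo "not-linked"
    elif [ -z "$expected" ]; then
        echo "unknown"
    elif [ "$linked" = "$expected" ]; then
        echo "match $linked"
    else
        echo "mismatch linked=$linked expected=$expected"
    fi
}

# Usage on a real install (libgit2-sys version copied from the build log):
#   classify "$(ldd "$(command -v cargo-audit)" 2>&1)" "0.13.4+1.4.2"
```

A `not-linked` result also covers fully static musl binaries, for which `ldd` reports no shared libraries at all.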

tarcieri commented 2 years ago

524 should hopefully solve this (merged but unreleased).

I'll hopefully be able to cut a new release soon.

jackos commented 2 years ago

@tarcieri can confirm building from master without any feature flags fixed the issue for me thanks

SkoogJacob commented 2 years ago

> Try:
>
> $ cargo install cargo-audit --features vendored-libgit2
>
> If that fixes the issue, perhaps we should just enable it by default.

I was running into the same issue on Arch Linux and this fixed it for me as well

LeoniePhiline commented 2 years ago

Also for me, cargo audit still segfaults with Alpine Linux during docker build even when running with

cargo install cargo-audit --features vendored-libgit2

I do install libgit2.

I can reproduce it by building this Dockerfile:

Dockerfile:

FROM rust:1.62-alpine3.16
RUN set -eux \
  && apk --update upgrade \
  && apk add g++ libgit2 openssl-dev pkgconfig \
  && rustup self update \
  && rustup target add x86_64-unknown-linux-musl \
  && rustup component add clippy \
  && rustup update --no-self-update \
  && cargo install --force cargo-audit --features vendored-libgit2 \
  && cargo audit

Docker build with segfault:

DOCKER_BUILDKIT=0 docker build -f Dockerfile .

Build output with segfault:

DOCKER_BUILDKIT=0 docker build -f Dockerfile .

Sending build context to Docker daemon  2.048kB
Step 1/2 : FROM rust:1.62-alpine3.16
1.62-alpine3.16: Pulling from library/rust
Digest: sha256:26d3406ed01076d53cf13b95397f2695fbb965e42aa685bca8045dcf11055904
Status: Downloaded newer image for rust:1.62-alpine3.16
 ---> 3a83e7ec7491
Step 2/2 : RUN set -eux   && apk --update upgrade   && apk add g++ libgit2 openssl-dev pkgconfig   && rustup self update   && rustup target add x86_64-unknown-linux-musl   && rustup component add clippy   && rustup update --no-self-update   && cargo install --force cargo-audit --features vendored-libgit2   && cargo audit
 ---> Running in 028a8a64b136
+ apk --update upgrade
fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/community/x86_64/APKINDEX.tar.gz
(1/4) Upgrading busybox (1.35.0-r15 -> 1.35.0-r17)
Executing busybox-1.35.0-r17.post-upgrade
(2/4) Upgrading ca-certificates-bundle (20211220-r0 -> 20220614-r0)
(3/4) Upgrading ssl_client (1.35.0-r15 -> 1.35.0-r17)
(4/4) Upgrading ca-certificates (20211220-r0 -> 20220614-r0)
Executing busybox-1.35.0-r17.trigger
Executing ca-certificates-20220614-r0.trigger
OK: 109 MiB in 25 packages
+ apk add g++ libgit2 openssl-dev pkgconfig
(1/9) Installing musl-dev (1.2.3-r0)
(2/9) Installing libc-dev (0.7.2-r3)
(3/9) Installing g++ (11.2.1_git20220219-r2)
(4/9) Installing http-parser (2.9.4-r0)
(5/9) Installing pcre (8.45-r2)
(6/9) Installing libssh2 (1.10.0-r2)
(7/9) Installing libgit2 (1.4.3-r0)
(8/9) Installing pkgconf (1.8.0-r0)
(9/9) Installing openssl-dev (1.1.1q-r0)
Executing busybox-1.35.0-r17.trigger
OK: 183 MiB in 34 packages
+ rustup self update
info: checking for self-updates
info: downloading self-update
  rustup updated - 1.25.1 (from 1.24.3)

+ rustup target add x86_64-unknown-linux-musl
info: component 'rust-std' for target 'x86_64-unknown-linux-musl' is up to date
+ rustup component add clippy
info: downloading component 'clippy'
info: installing component 'clippy'
+ rustup update --no-self-update
info: no updatable toolchains installed
info: cleaning up downloads & tmp directories
+ cargo install --force cargo-audit --features vendored-libgit2
    Updating crates.io index
 Downloading crates ...
  Downloaded cargo-audit v0.17.0
  Installing cargo-audit v0.17.0
 Downloading crates ...
  Downloaded abscissa_derive v0.6.0
  Downloaded ident_case v1.0.1
  Downloaded indenter v0.3.3
  Downloaded platforms v3.0.1
  Downloaded rayon-core v1.9.3
  Downloaded secrecy v0.8.0
  Downloaded rustsec v0.26.0
  Downloaded smartstring v1.0.1
  Downloaded crates-index v0.18.8
  Downloaded cvss v2.0.0
  Downloaded form_urlencoded v1.0.1
  Downloaded wait-timeout v0.2.0
  Downloaded url v2.2.2
  Downloaded jobserver v0.1.24
  Downloaded tinyvec_macros v0.1.0
  Downloaded unicode-normalization v0.1.21
  Downloaded petgraph v0.6.2
  Downloaded canonical-path v2.0.2
  Downloaded ansi_term v0.12.1
  Downloaded fs-err v2.7.0
  Downloaded either v1.7.0
  Downloaded lazy_static v1.4.0
  Downloaded once_cell v1.13.0
  Downloaded memchr v2.5.0
  Downloaded humantime v2.1.0
  Downloaded proc-macro-error v1.0.4
  Downloaded openssl-probe v0.1.5
  Downloaded home v0.5.3
  Downloaded cc v1.0.73
  Downloaded quote v1.0.21
  Downloaded ryu v1.0.11
  Downloaded object v0.29.0
  Downloaded serde_json v1.0.83
  Downloaded rustc-demangle v0.1.21
  Downloaded backtrace v0.3.66
  Downloaded regex-automata v0.1.10
  Downloaded static_assertions v1.1.0
  Downloaded num_cpus v1.13.1
  Downloaded crossbeam-utils v0.8.11
  Downloaded unicode-ident v1.0.3
  Downloaded thread_local v1.1.4
  Downloaded bitflags v1.3.2
  Downloaded hex v0.4.3
  Downloaded libssh2-sys v0.2.23
  Downloaded proc-macro2 v1.0.43
  Downloaded miniz_oxide v0.5.3
  Downloaded heck v0.4.0
  Downloaded strsim v0.10.0
  Downloaded cfg-if v1.0.0
  Downloaded indexmap v1.9.1
  Downloaded matchers v0.1.0
  Downloaded memoffset v0.6.5
  Downloaded textwrap v0.15.0
  Downloaded thiserror v1.0.32
  Downloaded termcolor v1.1.3
  Downloaded smallvec v1.9.0
  Downloaded serde v1.0.142
  Downloaded serde_derive v1.0.142
  Downloaded synstructure v0.12.6
  Downloaded sharded-slab v0.1.4
  Downloaded regex v1.6.0
  Downloaded tinyvec v1.6.0
  Downloaded semver v1.0.13
  Downloaded syn v1.0.99
  Downloaded pin-project-lite v0.2.9
  Downloaded tracing-subscriber v0.3.15
  Downloaded unicode-bidi v0.3.8
  Downloaded idna v0.2.3
  Downloaded libc v0.2.127
  Downloaded version_check v0.9.4
  Downloaded gimli v0.26.2
  Downloaded tracing v0.1.36
  Downloaded color-eyre v0.6.2
  Downloaded itoa v1.0.3
  Downloaded zeroize v1.5.7
  Downloaded proc-macro-error-attr v1.0.4
  Downloaded thiserror-impl v1.0.32
  Downloaded openssl-sys v0.9.75
  Downloaded atty v0.2.14
  Downloaded libz-sys v1.1.8
  Downloaded unicode-xid v0.2.3
  Downloaded tracing-attributes v0.1.22
  Downloaded libgit2-sys v0.13.4+1.4.2
  Downloaded regex-syntax v0.6.27
  Downloaded tracing-log v0.1.3
  Downloaded tracing-core v0.1.29
  Downloaded toml v0.5.9
  Downloaded owo-colors v3.4.0
  Downloaded percent-encoding v2.1.0
  Downloaded scopeguard v1.1.0
  Downloaded clap v3.2.16
  Downloaded pkg-config v0.3.25
  Downloaded clap_derive v3.2.15
  Downloaded os_str_bytes v6.2.0
  Downloaded matches v0.1.9
  Downloaded log v0.4.17
  Downloaded hashbrown v0.12.3
  Downloaded crossbeam-channel v0.5.6
  Downloaded autocfg v1.1.0
  Downloaded aho-corasick v0.7.18
  Downloaded git2 v0.14.4
  Downloaded addr2line v0.17.0
  Downloaded clap_lex v0.2.4
  Downloaded adler v1.0.2
  Downloaded humantime-serde v1.1.1
  Downloaded eyre v0.6.8
  Downloaded fixedbitset v0.4.2
  Downloaded crossbeam-epoch v0.9.10
  Downloaded crossbeam-deque v0.8.2
  Downloaded cargo-lock v8.0.2
  Downloaded arc-swap v1.5.1
  Downloaded abscissa_core v0.6.0
  Downloaded rustc-hash v1.1.0
  Downloaded rayon v1.5.3
   Compiling libc v0.2.127
   Compiling proc-macro2 v1.0.43
   Compiling autocfg v1.1.0
   Compiling quote v1.0.21
   Compiling unicode-ident v1.0.3
   Compiling syn v1.0.99
   Compiling serde_derive v1.0.142
   Compiling once_cell v1.13.0
   Compiling serde v1.0.142
   Compiling cfg-if v1.0.0
   Compiling pkg-config v0.3.25
   Compiling version_check v0.9.4
   Compiling memchr v2.5.0
   Compiling crossbeam-utils v0.8.11
   Compiling tinyvec_macros v0.1.0
   Compiling log v0.4.17
   Compiling matches v0.1.9
   Compiling unicode-bidi v0.3.8
   Compiling scopeguard v1.1.0
   Compiling semver v1.0.13
   Compiling hashbrown v0.12.3
   Compiling rayon-core v1.9.3
   Compiling percent-encoding v2.1.0
   Compiling regex-syntax v0.6.27
   Compiling bitflags v1.3.2
   Compiling serde_json v1.0.83
   Compiling adler v1.0.2
   Compiling gimli v0.26.2
   Compiling eyre v0.6.8
   Compiling lazy_static v1.4.0
   Compiling ryu v1.0.11
   Compiling platforms v3.0.1
   Compiling either v1.7.0
   Compiling itoa v1.0.3
   Compiling rustc-demangle v0.1.21
   Compiling pin-project-lite v0.2.9
   Compiling os_str_bytes v6.2.0
   Compiling static_assertions v1.1.0
   Compiling fixedbitset v0.4.2
   Compiling openssl-probe v0.1.5
   Compiling indenter v0.3.3
   Compiling heck v0.4.0
   Compiling unicode-xid v0.2.3
   Compiling rustc-hash v1.1.0
   Compiling smallvec v1.9.0
   Compiling humantime v2.1.0
   Compiling ansi_term v0.12.1
   Compiling termcolor v1.1.3
   Compiling ident_case v1.0.1
   Compiling fs-err v2.7.0
   Compiling home v0.5.3
   Compiling zeroize v1.5.7
   Compiling owo-colors v3.4.0
   Compiling strsim v0.10.0
   Compiling textwrap v0.15.0
   Compiling canonical-path v2.0.2
   Compiling arc-swap v1.5.1
   Compiling tracing-core v0.1.29
   Compiling thread_local v1.1.4
   Compiling tinyvec v1.6.0
   Compiling proc-macro-error-attr v1.0.4
   Compiling proc-macro-error v1.0.4
   Compiling memoffset v0.6.5
   Compiling indexmap v1.9.1
   Compiling crossbeam-epoch v0.9.10
   Compiling rayon v1.5.3
   Compiling smartstring v1.0.1
   Compiling form_urlencoded v1.0.1
   Compiling miniz_oxide v0.5.3
   Compiling sharded-slab v0.1.4
   Compiling clap_lex v0.2.4
   Compiling regex-automata v0.1.10
   Compiling unicode-normalization v0.1.21
   Compiling addr2line v0.17.0
   Compiling crossbeam-channel v0.5.6
   Compiling aho-corasick v0.7.18
   Compiling object v0.29.0
   Compiling matchers v0.1.0
   Compiling jobserver v0.1.24
   Compiling tracing-log v0.1.3
   Compiling num_cpus v1.13.1
   Compiling atty v0.2.14
   Compiling wait-timeout v0.2.0
   Compiling idna v0.2.3
   Compiling regex v1.6.0
   Compiling cc v1.0.73
   Compiling petgraph v0.6.2
   Compiling crossbeam-deque v0.8.2
   Compiling libz-sys v1.1.8
   Compiling openssl-sys v0.9.75
   Compiling libssh2-sys v0.2.23
   Compiling libgit2-sys v0.13.4+1.4.2
   Compiling backtrace v0.3.66
   Compiling color-eyre v0.6.2
   Compiling synstructure v0.12.6
   Compiling tracing-attributes v0.1.22
   Compiling thiserror-impl v1.0.32
   Compiling clap_derive v3.2.15
   Compiling abscissa_derive v0.6.0
   Compiling thiserror v1.0.32
   Compiling tracing v0.1.36
   Compiling tracing-subscriber v0.3.15
   Compiling clap v3.2.16
   Compiling url v2.2.2
   Compiling toml v0.5.9
   Compiling hex v0.4.3
   Compiling cvss v2.0.0
   Compiling secrecy v0.8.0
   Compiling humantime-serde v1.1.1
   Compiling cargo-lock v8.0.2
   Compiling abscissa_core v0.6.0
   Compiling git2 v0.14.4
   Compiling crates-index v0.18.8
   Compiling rustsec v0.26.0
   Compiling cargo-audit v0.17.0
    Finished release [optimized] target(s) in 2m 14s
  Installing /usr/local/cargo/bin/cargo-audit
   Installed package `cargo-audit v0.17.0` (executable `cargo-audit`)
+ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
The command '/bin/sh -c set -eux   && apk --update upgrade   && apk add g++ libgit2 openssl-dev pkgconfig   && rustup self update   && rustup target add x86_64-unknown-linux-musl   && rustup component add clippy   && rustup update --no-self-update   && cargo install --force cargo-audit --features vendored-libgit2   && cargo audit' returned a non-zero code: 139