zhengzkkai / opkg

Automatically exported from code.google.com/p/opkg

Use-after-free on 'opkg install a/foo.ipk b/foo.ipk' #157

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Version: opkg 0.1.8 (openwrt)

I accidentally had a package by the same name in two different directories, and 
when openwrt was preparing the rootfs (opkg --offline-root --add-dest root:/ 
...), it started giving very strange errors:

Unknown package '@'.
Installing hd-idle (1.04-1) to root...
Configuring hd-idle.
Collected errors:
 * opkg_install_cmd: Cannot install package @.

Turns out it's a use-after-free when 'opkg install' two packages of the same name:

$ ls -l $(cat pkgs.txt)
-rw-r--r-- 1 catalinp catalinp 5,183 Jan  9 01:46 /home/catalinp/src/openwrt/bin/ar71xx/packages/oldpackages/hd-idle_1.04-1_ar71xx.ipk
-rw-r--r-- 1 catalinp catalinp 5,255 Jan  9 03:05 /home/catalinp/src/openwrt/bin/ar71xx/packages/packages/hd-idle_1.04-1_ar71xx.ipk

$ IPKG_NO_SCRIPT=1 IPKG_TMP=/home/cat [...] valgrind /home/catalinp/src/openwrt/staging_dir/host/bin/opkg --offline-root [...] install bin/ar71xx/packages/packages/hd-idle_1.04-1_ar71xx.ipk bin/ar71xx/packages/packages/hd-idle_1.04-1_ar71xx.ipk

==2277== Invalid read of size 1
==2277==    at 0x40F063: hash_table_get (in /home/catalinp/src/openwrt/staging_dir/host/bin/opkg)
==2277==    by 0x40F546: pkg_vec_fetch_by_name (in /home/catalinp/src/openwrt/staging_dir/host/bin/opkg)
==2277==    by 0x40FF38: pkg_hash_fetch_installed_by_name (in /home/catalinp/src/openwrt/staging_dir/host/bin/opkg)
==2277==    by 0x4074C5: opkg_install_by_name (in /home/catalinp/src/openwrt/staging_dir/host/bin/opkg)
==2277==    by 0x40511B: opkg_install_cmd (in /home/catalinp/src/openwrt/staging_dir/host/bin/opkg)
==2277==    by 0x402E27: main (in /home/catalinp/src/openwrt/staging_dir/host/bin/opkg)
==2277==  Address 0x52bba60 is 0 bytes inside a block of size 8 free'd
==2277==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2277==    by 0x40AC53: pkg_deinit (in /home/catalinp/src/openwrt/staging_dir/host/bin/opkg)
==2277==    by 0x4115C3: pkg_vec_insert_merge (in /home/catalinp/src/openwrt/staging_dir/host/bin/opkg)
==2277==    by 0x4100A8: hash_insert_pkg (in /home/catalinp/src/openwrt/staging_dir/host/bin/opkg)
==2277==    by 0x4059B9: opkg_prepare_url_for_install (in /home/catalinp/src/openwrt/staging_dir/host/bin/opkg)
==2277==    by 0x4050DF: opkg_install_cmd (in /home/catalinp/src/openwrt/staging_dir/host/bin/opkg)
==2277==    by 0x402E27: main (in /home/catalinp/src/openwrt/staging_dir/host/bin/opkg)

Not sure whether this is still an issue in trunk. I am surprised openwrt uses 
such an old opkg version.

To test on a newer opkg I could try:
1) Update openwrt build system to use a newer opkg.. might be tricky, seems 
it's very far behind.
2) Build new opkg outside of openwrt, then try the command again.. would opkg 
trunk be backwards compatible with ipkg built by opkg 0.1.8?

opkg should print an error message, or try to install the pkg twice, but not 
crash or corrupt memory.

Original issue reported on code.google.com by cronos...@gmail.com on 13 Jan 2015 at 6:50
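
The valgrind trace in the report shows a block freed under pkg_vec_insert_merge being read later under opkg_install_by_name. The following is an added example, not opkg's code and not written by either commenter: a simplified C model of an insert-or-merge registry that frees the incoming duplicate, with a caller that avoids the dangling name. All names in it (pkg_t, registry_insert_merge, prepare_for_install) are hypothetical, and the assumption that the caller kept a pointer to the merged package's name is an inference from the trace only.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model; not opkg's data structures. */
typedef struct { char *name; char *version; } pkg_t;

#define MAX_PKGS 16
static pkg_t *table[MAX_PKGS];
static size_t n_pkgs;

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    return d ? memcpy(d, s, n) : NULL;
}

static void pkg_free(pkg_t *p) {
    if (!p) return;
    free(p->name); free(p->version); free(p);
}

static pkg_t *pkg_new(const char *name, const char *version) {
    pkg_t *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->name = dup_str(name);
    p->version = dup_str(version);
    if (!p->name || !p->version) { pkg_free(p); return NULL; }
    return p;
}

/* Takes ownership of p. On a name collision p is freed and the record
 * already in the table is returned, so p and p->name are dead afterwards. */
pkg_t *registry_insert_merge(pkg_t *p) {
    for (size_t i = 0; i < n_pkgs; i++)
        if (strcmp(table[i]->name, p->name) == 0) {
            pkg_free(p);
            return table[i];
        }
    if (n_pkgs == MAX_PKGS) { pkg_free(p); return NULL; }
    return table[n_pkgs++] = p;
}

/* Bug shape: name = p->name; registry_insert_merge(p); return name;
 * Hardened: read the name only from the surviving record and hand the
 * caller its own copy, which it must free. */
char *prepare_for_install(const char *name, const char *version) {
    pkg_t *p = pkg_new(name, version);
    pkg_t *kept = p ? registry_insert_merge(p) : NULL;
    return kept ? dup_str(kept->name) : NULL;
}

size_t registry_count(void) { return n_pkgs; }
```

Building a model like this with -fsanitize=address, or running it under valgrind as in the report, flags the bug shape named in the comment if it is substituted for the hardened body.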

GoogleCodeExporter commented 9 years ago
Please confirm whether this issue still occurs with opkg v0.2.4 or v0.3.0-rc2. 
The package feeds should be compatible so you should be able to compile opkg 
outside openwrt and use that.

I'm currently stepping back from opkg maintenance so I don't have time to look 
further into this myself but if you can confirm this is an issue on the latest 
release or rc I'll see what can be done.

Original comment by paul.betafive on 9 Mar 2015 at 9:21