Opened 3 years ago
Closed 2 years ago
#17773 closed bug (fixed)
Installing certain HPKG files can crash the system
Reported by: | trungnt2910 | Owned by: | nobody
---|---|---|---
Priority: | normal | Milestone: | R1/beta4
Component: | Kits/Package Kit | Version: | R1/Development
Keywords: | | Cc: |
Blocked By: | | Blocking: |
Platform: | All | |
Description
Installing an HPKG file made by a third-party builder that perfectly conforms to the specs defined here: https://github.com/haiku/haiku/blob/master/docs/develop/packages/FileFormat.rst may still crash the kernel when B_HPKG_ATTRIBUTE_ID_FILE_ATTRIBUTE is listed as a child attribute of a symlink B_HPKG_ATTRIBUTE_ID_DIRECTORY_ENTRY before B_HPKG_ATTRIBUTE_ID_SYMLINK_PATH is listed.
This happens because the code at https://xref.landonf.org/source/xref/haiku/src/kits/package/hpkg/PackageReaderImpl.cpp#193 calls the handler when B_HPKG_ATTRIBUTE_ID_FILE_ATTRIBUTE is encountered. However, at that time B_HPKG_ATTRIBUTE_ID_SYMLINK_PATH has not been parsed, and the symlink path for the DirectoryEntry is still NULL.
To reproduce, either use the package attached, or if you don't trust the attached package, you can use the sample app at https://github.com/trungnt2910/HpkgReader/tree/6421dfcb7796e1ee6d186f52b9cab0b03f8d3e6a (only this specific commit produces packages that break Haiku) on any Windows or Linux machine, import the sample Tipster package provided here: https://github.com/haiku/haikudepotserver/blob/master/haikudepotserver-packagefile/src/test/resources/tipster-1.1.1-1-x86_64.hpkg to the sample application, and then export a new hpkg file.
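The ordering problem described in the report, as an added, simplified C++ model (not Haiku's PackageReaderImpl, packagefs or String code): a handler for the children of a symlink directory entry that reports bad data when a file attribute arrives before the symlink path, plus a NULL-safe string assignment of the kind comment:2 proposes. The attribute ID values, sample path and attribute name are constructed for this example.

```cpp
#include <cstring>
#include <string>
#include <vector>
// Hypothetical stand-ins for the HPKG attribute IDs named in the report
// (the real B_HPKG_ATTRIBUTE_ID_* values are not reproduced here).
enum AttributeID { ATTR_SYMLINK_PATH = 1, ATTR_FILE_ATTRIBUTE = 2 };
struct Attribute { AttributeID id; const char* value; };

// NULL-safe string assignment in the spirit of the check proposed in
// comment:2: report failure instead of handing a NULL pointer to strlen().
static bool SetTo(std::string& out, const char* str)
{
    if (str == NULL) {
        out.clear();
        return false;
    }
    out.assign(str, strlen(str));
    return true;
}

// Walks the children of one symlink directory entry. A file attribute makes
// the handler publish the entry, which needs the symlink path; if that path
// has not been parsed yet this returns false (bad data) instead of crashing.
static bool HandleSymlinkEntry(const std::vector<Attribute>& children,
    std::string& symlinkPath, int& fileAttributes)
{
    const char* parsedPath = NULL;
    fileAttributes = 0;
    for (size_t i = 0; i < children.size(); i++) {
        if (children[i].id == ATTR_SYMLINK_PATH) {
            parsedPath = children[i].value;
        } else if (children[i].id == ATTR_FILE_ATTRIBUTE) {
            // The unpatched reader published the entry here, path still NULL.
            if (!SetTo(symlinkPath, parsedPath))
                return false;
            fileAttributes++;
        } else {
            return false;   // other child attributes are out of scope here
        }
    }
    return SetTo(symlinkPath, parsedPath);
}

// Constructed sample: the same two children in the valid and the crashing order.
static std::vector<Attribute> MakeChildren(bool symlinkPathFirst)
{
    Attribute path = { ATTR_SYMLINK_PATH, "lib/libfoo.so.1" };  // constructed
    Attribute attr = { ATTR_FILE_ATTRIBUTE, "BEOS:TYPE" };      // constructed
    return symlinkPathFirst ? std::vector<Attribute>{ path, attr }
        : std::vector<Attribute>{ attr, path };
}
```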
Attachments (1)
Change History (4)
by , 3 years ago
Attachment: | test[1].hpkg added
---|---
comment:1 by , 2 years ago
KDL backtrace for reference:
```
PANIC: vm_page_fault: unhandled page fault in kernel space at 0x0, ip 0xffffffff8016899c
Welcome to Kernel Debugging Land...
Thread 1718 "job runner" running on CPU 1
stack trace for thread 1718 "job runner"
    kernel stack: 0xffffffff927f4000 to 0xffffffff927f9000
      user stack: 0x00007fc34bd6a000 to 0x00007fc34bdaa000
frame            caller             <image>:function + offset
 0 ffffffff927f8068 (+ 24) ffffffff80144ecc <kernel_x86_64> arch_debug_call_with_fault_handler + 0x16
 1 ffffffff927f8080 (+ 80) ffffffff800aea08 <kernel_x86_64> debug_call_with_fault_handler + 0x78
 2 ffffffff927f80d0 (+ 96) ffffffff800b0023 <kernel_x86_64> kernel_debugger_loop(char const*, char const*, __va_list_tag*, int) + 0xf3
 3 ffffffff927f8130 (+ 80) ffffffff800b03be <kernel_x86_64> kernel_debugger_internal(char const*, char const*, __va_list_tag*, int) + 0x6e
 4 ffffffff927f8180 (+ 240) ffffffff800b0717 <kernel_x86_64> panic + 0xb7
 5 ffffffff927f8270 (+ 256) ffffffff8012e448 <kernel_x86_64> vm_page_fault + 0x258
 6 ffffffff927f8370 (+ 64) ffffffff80150668 <kernel_x86_64> x86_page_fault_exception + 0x168
 7 ffffffff927f83b0 (+ 904) ffffffff801466bc <kernel_x86_64> int_bottom + 0x80
kernel iframe at 0xffffffff927f8738 (end = 0xffffffff927f8800)
 rax 0xa000              rbx 0xffffffff927f8b10  rcx 0xffffffff81c1bb60
 rdx 0x0                 rsi 0xffffffff927f87c0  rdi 0x0
 rbp 0xffffffff927f8870  r8 0xa16d               r9 0xffffffff81c18450
 r10 0x18c               r11 0xffffffff9f274e80  r12 0xffffffff9f2a5678
 r13 0x0                 r14 0xffffffff9f274e80  r15 0xffffffff927f8820
 rip 0xffffffff8016899c  rsp 0xffffffff927f8808  rflags 0x10246
 vector: 0xe, error code: 0x0
 8 ffffffff927f8738 (+ 312) ffffffff8016899c <kernel_x86_64> strlen + 0x2c
 9 ffffffff927f8870 (+ 96) ffffffff81bd8f7f <packagefs> BPackageKit::BHPKG::BPrivate::PackageReaderImpl::EntryAttributeHandler::HandleAttribute(BPackageKit::BHPKG::BPrivate::ReaderImplBase::AttributeHandlerContext*, unsigned char, BPackageKit::BHPKG::BPackageAttributeValue const&, BPackageKit::BHPKG::BPrivate::ReaderImplBase::AttributeHandler**) + 0x22f
10 ffffffff927f88d0 (+ 160) ffffffff81bdaeeb <packagefs> BPackageKit::BHPKG::BPrivate::ReaderImplBase::_ParseAttributeTree[clone .localalias] (BPackageKit::BHPKG::BPrivate::ReaderImplBase::AttributeHandlerContext*) + 0xcb
11 ffffffff927f8970 (+ 64) ffffffff81bdb03b <packagefs> BPackageKit::BHPKG::BPrivate::ReaderImplBase::ParseAttributeTree[clone .localalias] (BPackageKit::BHPKG::BPrivate::ReaderImplBase::AttributeHandlerContext*, bool&) + 0x4b
12 ffffffff927f89b0 (+ 64) ffffffff81bd83c2 <packagefs> BPackageKit::BHPKG::BPrivate::PackageReaderImpl::_ParseTOC[clone .localalias] (BPackageKit::BHPKG::BPrivate::ReaderImplBase::AttributeHandlerContext*, BPackageKit::BHPKG::BPrivate::ReaderImplBase::AttributeHandler*) + 0x92
13 ffffffff927f89f0 (+ 224) ffffffff81bd85c8 <packagefs> BPackageKit::BHPKG::BPrivate::PackageReaderImpl::ParseContent(BPackageKit::BHPKG::BPackageContentHandler*) + 0x178
14 ffffffff927f8ad0 (+ 416) ffffffff81bc1d82 <packagefs> Package::_Load[clone .localalias] (PackageSettings const&) + 0x162
15 ffffffff927f8c70 (+ 32) ffffffff81bc1ee2 <packagefs> Package::Load(PackageSettings const&) + 0x12
16 ffffffff927f8c90 (+ 192) ffffffff81bd0dbb <packagefs> Volume::_LoadPackage[clone .localalias] (PackagesDirectory*, char const*, Package*&) + 0xcb
17 ffffffff927f8d50 (+ 176) ffffffff81bd35ec <packagefs> Volume::_ChangeActivation[clone .localalias] (Volume::ActivationChangeRequest&) + 0x36c
18 ffffffff927f8e00 (+ 192) ffffffff81bd46e5 <packagefs> Volume::IOCtl(Node*, unsigned int, void*, unsigned long) + 0x395
19 ffffffff927f8ec0 (+ 64) ffffffff800e89da <kernel_x86_64> fd_ioctl(bool, int, unsigned int, void*, unsigned long) + 0x5a
20 ffffffff927f8f00 (+ 32) ffffffff800e969a <kernel_x86_64> _user_ioctl + 0x3a
21 ffffffff927f8f20 (+ 16) ffffffff801469bf <kernel_x86_64> x86_64_syscall_entry + 0xfb
user iframe at 0xffffffff927f8f30 (end = 0xffffffff927f8ff8)
 rax 0x93                rbx 0x103c293002c0      rcx 0x1522cdb947c
 rdx 0x103c29300290      rsi 0x2712              rdi 0x9
 rbp 0x7fc34bda9560      r8 0x103c291a5ac8       r9 0x0
 r10 0x4c                r11 0x206               r12 0x9
 r13 0x7fc34bda9a00      r14 0x4c                r15 0x7fc34bda9980
 rip 0x1522cdb947c       rsp 0x7fc34bda9548      rflags 0x206
 vector: 0x63, error code: 0x0
22 ffffffff927f8f30 (+140478605100592) 000001522cdb947c <libroot.so> _kern_ioctl + 0x0c
23 00007fc34bda9560 (+ 240) 000000d75bcbde59 <_APP_> CommitTransactionHandler::_ChangePackageActivationIOCtl(std::set<Package*, std::less<Package*>, std::allocator<Package*> > const&, std::set<Package*, std::less<Package*>, std::allocator<Package*> > const&) + 0x1e9
24 00007fc34bda9650 (+ 304) 000000d75bcc4d1d <_APP_> CommitTransactionHandler::_ChangePackageActivation(std::set<Package*, std::less<Package*>, std::allocator<Package*> > const&, std::set<Package*, std::less<Package*>, std::allocator<Package*> > const&) + 0xdd
25 00007fc34bda9780 (+ 32) 000000d75bcc55a7 <_APP_> CommitTransactionHandler::_ApplyChanges() + 0x47
26 00007fc34bda97a0 (+ 240) 000000d75bcc5767 <_APP_> CommitTransactionHandler::HandleRequest(BPackageKit::BPrivate::BActivationTransaction const&) + 0x77
27 00007fc34bda9890 (+ 208) 000000d75bcc5919 <_APP_> CommitTransactionHandler::HandleRequest(BMessage*) + 0x59
28 00007fc34bda9960 (+ 768) 000000d75bcd484e <_APP_> Volume::_CommitTransaction(BMessage*, BPackageKit::BPrivate::BActivationTransaction const*, std::set<Package*, std::less<Package*>, std::allocator<Package*> > const&, std::set<Package*, std::less<Package*>, std::allocator<Package*> > const&, BPackageKit::BCommitTransactionResult&) + 0x8e
29 00007fc34bda9c60 (+ 320) 000000d75bcd4938 <_APP_> Volume::HandleCommitTransactionRequest(BMessage*) + 0x78
30 00007fc34bda9da0 (+ 32) 000000d75bccf0e9 <_APP_> Root::_JobRunner() + 0x19
31 00007fc34bda9dc0 (+ 32) 000001522cdb8709 <libroot.so> _thread_do_exit_work (nearest) + 0x89
32 00007fc34bda9de0 (+ 0) 00007ffdafc90258 <commpage> commpage_thread_exit + 0x00
kdebug>
```
comment:2 by , 2 years ago
Probably we should fix the crash simply by adding a NULL check to String::SetTo.
comment:3 by , 2 years ago
Milestone: | Unscheduled → R1/beta4
---|---
Resolution: | → fixed
Status: | new → closed
Fixed in hrev56359.
An HPKG file that crashes the kernel during installation.