python-apt crashes if objects of one cache are passed to depcache belonging to another cache

Bug #1737441 reported by errors.ubuntu.com bug bridge on 2017-12-10
This bug affects 2 people
Affects                        Status  Importance  Assigned to  Milestone
python-apt (Ubuntu)                    Undecided   Unassigned
  Trusty                               Undecided   Unassigned
  Xenial                               Undecided   Unassigned
  Bionic                               Undecided   Unassigned
unattended-upgrades (Ubuntu)           Undecided   Unassigned
  Trusty                               Undecided   Unassigned
  Xenial                               Undecided   Unassigned
  Bionic                               Undecided   Unassigned

Bug Description

[Impact]
Some applications, like unattended-upgrades or update-manager, reopen the apt cache. They also keep around old apt.Package objects however, and operate on them after reopening. Under the hood, this means that apt_pkg.Package objects belonging to an old cache are passed to a new cache.

APT relies on the ID of the package (its position in the cache) for its operation. So if a package has ID 0 in the old cache, and a different package has ID 0 in the new cache, performing operations on the old package would perform it on the new package. If the old package's ID is out of bounds in the new cache, the behavior is undefined - it's an out of bounds array access.

[Test case]
The attached test case has a list of packages 0-9, a-z; stores the package "z" into a variable, then reopens the cache. It then marks z for deletion. This either segfaults or does nothing, when it should mark z for deletion.

More test cases like this are in the autopkgtest.

[Regression potential]
The initial fix introduced bug 1780099; there might be similar bugs lurking. However, these bugs would have been undefined behavior before and might have caused segmentation faults or done the wrong thing. It seems likely that any regression cannot possibly be worse than the current state.

[Other info]
The xenial SRU also includes the change "python/tag.cc: Fix invalid read in TagFileNext". We don't have any specific verification for it, as we just saw weird crashes on the error tracker, and this seemed like the culprit. We released bionic with it, and it seems fine. The fix is fairly obvious: We were copying the char array "Start" which was not nul terminated in an odd way, without using the length.

[Original bug report]
The Ubuntu Error Tracker has been receiving reports about a problem regarding unattended-upgrades. This problem was most recently seen with package version 0.98ubuntu1, the problem page at https://errors.ubuntu.com/problem/727153285ba3335a07f801a298a3d94cbe6ba05d contains more details, including versions of packages affected, stacktrace or traceback, and individual crash reports.
If you do not have access to the Ubuntu Error Tracker and are a software developer, you can request it at http://forms.canonical.com/reports/.

Balint Reczey (rbalint) on 2017-12-10
Changed in unattended-upgrades (Ubuntu):
status: New → Invalid
Julian Andres Klode (juliank) wrote :

I'm not sure what's going on here. Maybe it's deleting the cachefile twice somehow. It's just straight-forward destructors. Very odd.

Changed in python-apt (Ubuntu):
status: New → Triaged
status: Triaged → Confirmed
Balint Reczey (rbalint) wrote :

There are a few other crashes in apt reported for u-u at errors.ubuntu.com, they may hold more useful information.

tags: added: id-5a8ef5f4d8bb16ec254dc10f
Balint Reczey (rbalint) on 2018-03-29
Changed in python-apt (Ubuntu Bionic):
status: Confirmed → In Progress
Julian Andres Klode (juliank) wrote :

This is a problem in unattended-upgrades reusing apt.Version objects after reopening the cache.

python-apt does not verify that objects like versions passed to apt_pkg.DepCache belong to the same cache. Hence we get out of bounds writes and memory corruption if these reference cache objects with IDs outside of the cache range (like dependency 1024 in a cache with 100 dependencies), or, maybe even worse, we mark the wrong things (like set the candidate for an entirely different package). Hence this was not detected. I added checks to python-apt now to detect this situation where possible, and will release that shortly.

Changed in unattended-upgrades (Ubuntu Bionic):
status: Invalid → Triaged
Changed in unattended-upgrades (Ubuntu Bionic):
status: Triaged → In Progress
Changed in python-apt (Ubuntu Bionic):
status: In Progress → Fix Committed
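
The failure mode described in the report, as a self-contained Python model added here (it is not python-apt's code and does not import apt_pkg). The toy `Cache`, `Package`, `DepCache` and `run` names are assumptions of the example; only the `CacheMismatchError` name comes from the changelog. It shows a stale handle marking the wrong package, running out of bounds, being rejected by an ownership check, and working again once looked up by name in the new cache.

```python
class CacheMismatchError(ValueError):
    """Stand-in for the error named in the changelog (example's own class)."""

class Cache:
    """Toy cache: a package's ID is its position in the list."""

    def __init__(self, names):
        self.names = list(names)

    def __getitem__(self, name):
        return Package(self, self.names.index(name))

class Package:
    """Handle that remembers its owning cache and its ID in that cache."""

    def __init__(self, cache, pkg_id):
        self.cache, self.id = cache, pkg_id

    @property
    def name(self):
        return self.cache.names[self.id]

class DepCache:
    """State array indexed by package ID, one slot per package in `cache`."""

    def __init__(self, cache, check_owner):
        self.cache, self.check_owner = cache, check_owner
        self.delete = [False] * len(cache.names)

    def mark_delete(self, pkg):
        if self.check_owner and pkg.cache is not self.cache:
            raise CacheMismatchError("package belongs to a different cache")
        self.delete[pkg.id] = True  # without the check, a foreign ID is trusted

    def changed(self):
        return [n for n, d in zip(self.cache.names, self.delete) if d]

def run(new_names, check_owner, remap=False):
    """Keep a handle to "z", reopen the cache as new_names, mark z for deletion."""
    stale = Cache("0123456789abcdefghijklmnopqrstuvwxyz")["z"]  # constructed; ID 35
    new = Cache(new_names)
    dep = DepCache(new, check_owner)
    pkg = new[stale.name] if remap else stale  # remap: look up by name again
    try:
        dep.mark_delete(pkg)
    except (CacheMismatchError, IndexError) as exc:
        # IndexError is Python's bounds check; the C++ array access has none.
        return type(exc).__name__
    return dep.changed()

if __name__ == "__main__":
    for names in ("zyxwvutsrqponmlkjihgfedcba9876543210", "az"):
        print(names, run(names, False), run(names, True), run(names, True, remap=True))
```

In the first constructed cache the stale ID 35 now belongs to package "0", so the unchecked call silently marks the wrong package; in the two-package cache the same ID is past the end of the state array.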
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-apt - 1.6.0~rc2ubuntu2

---------------
python-apt (1.6.0~rc2ubuntu2) bionic; urgency=medium

  * apt/auth.py: Protect against race with gpg when removing tmpdir
    (Closes: #871585)
  * Document Architecture: all handling in Package.{fullname,architecture()}
    (Closes: #863193)
  * python/tag.cc: Fix invalid read in TagFileNext
  * Raise ValueError if objects passed to DepCache are from different cache
    (LP: #1737441)

 -- Julian Andres Klode <email address hidden> Thu, 12 Apr 2018 11:22:27 +0200

Changed in python-apt (Ubuntu Bionic):
status: Fix Committed → Fix Released
Balint Reczey (rbalint) on 2018-04-19
Changed in unattended-upgrades (Ubuntu Bionic):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unattended-upgrades - 1.1ubuntu1

---------------
unattended-upgrades (1.1ubuntu1) bionic; urgency=medium

  * Merge from Debian unstable (LP: #1764797)
    - Remaining changes:
      - unattended-upgrades: Do not automatically upgrade the development
        release of Ubuntu unless Unattended-Upgrade::DevRelease is true.
    - Dropped changes, included in Debian:
      - Rename d/NEWS.Debian to d/NEWS to have it shipped
      - Fix typo in NEWS file
      - d/rules: Exclude mypy cache from source package.

unattended-upgrades (1.1) unstable; urgency=medium

  [ cgail914 ]
  * Update 50unattended-upgrades.Raspbian
    added a semi-column sign on line 86 to facilitate uncommenting the line
    for users and not end up with an error message when running
    unattended-upgrades. And make the whole file consistent.

  [ Tobias Bannert ]
  * completed german translation

  [ Simon McVittie ]
  * d/rules: Exclude mypy cache from source package.

  [ Julian Andres Klode ]
  * Do not reuse old apt.Version objects after reopening cache (LP: #1737441)

  [ Balint Reczey ]
  * Rename d/NEWS.Debian to d/NEWS to have it shipped
  * Fix typo in NEWS file
  * Add missing semicolon to commented-out Remove-Unused-Kernel-Packages option
  * Set UnattendedUpgradesCache.allowed_origins before calling
    apt.Cache.__init__()
  * Find package candidates to adjust sweeping through all packages only once.
    Later reuse the list candidates and filter out packages installed in the
    meantime. Thanks to Julian Andres Klode for the original patch
  * Use updated python-apt in upgrade-between-snapshots test
  * upgrade-between-snapshots: Mount /proc, too, in the chroot.
    Also clean up chroot properly on exit.
  * upgrade-between-snapshots: Use http_proxy environment variable in chroot,
    too
  * upgrade-between-snapshots: Remove packages installed as the side-effect of
    updating apt and python-apt
  * Ignore errors from compiling backported packages
  * Make is_autoremove_valid() nondestructive.
    Also fix autoremoval of packages when one package can't be removed and
    keeps back other package removals due to missing cache.clear()
  * Fix tracking removed packages
  * Suggest default-mta | mail-transport-agent to keep Lintian happy

  [ Michael Vogt ]
  * unattanded-upgrades: refactor get_candidates_to_adjust() to
    adjust_candidates()

 -- Balint Reczey <email address hidden> Tue, 17 Apr 2018 16:53:30 +0200

Changed in unattended-upgrades (Ubuntu Bionic):
status: Fix Committed → Fix Released
description: updated
description: updated
Changed in python-apt (Ubuntu Xenial):
status: New → Triaged
Changed in unattended-upgrades (Ubuntu Trusty):
status: New → Won't Fix
Changed in unattended-upgrades (Ubuntu Xenial):
status: New → Won't Fix
Julian Andres Klode (juliank) wrote :

Test case for xenial / trusty

Changed in python-apt (Ubuntu Xenial):
status: Triaged → In Progress
summary: - /usr/bin/unattended-
- upgrade:11:__GI___libc_free:operator:__gnu_cxx::new_allocator:std::allocator_traits:std::__cxx11::basic_string
+ python-apt crashes if objects of one cache are passed to depcache
+ belonging to another cache
description: updated

Hello errors.ubuntu.com, or anyone else affected,

Accepted python-apt into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python-apt/1.1.0~beta1ubuntu0.16.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in python-apt (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-xenial
Changed in python-apt (Ubuntu Trusty):
status: New → Fix Committed
tags: added: verification-needed-trusty
Robie Basak (racb) wrote :

Hello errors.ubuntu.com, or anyone else affected,

Accepted python-apt into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python-apt/0.9.3.5ubuntu3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Julian Andres Klode (juliank) wrote :

The updates work fine, as can be seen by the autopkgtest, and a manual run also confirms it:

= xenial =

$ run test
Changed []
<..crash..>
$ add proposed and upgrade
Unpacking python3-apt (1.1.0~beta1ubuntu0.16.04.2) over (1.1.0~beta1ubuntu0.16.04.1)
$ run test
Changed [<Package: name:'z' architecture='amd64' id:1>]

= trusty =

$ run test
Changed []
<..crash..>
$ add proposed and upgrade
Unpacking python3-apt (0.9.3.5ubuntu3) over (0.9.3.5ubuntu2) ...
$ run test
Changed [<Package: name:'z' architecture='amd64' id:1>]

tags: added: verification-done verification-done-trusty verification-done-xenial
removed: verification-needed verification-needed-trusty verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-apt - 1.1.0~beta1ubuntu0.16.04.2

---------------
python-apt (1.1.0~beta1ubuntu0.16.04.2) xenial; urgency=medium

  * python/tag.cc: Fix invalid read in TagFileNext
  * DepCache: Check that candidate we are setting belongs to package
  * Raise CacheMismatchError if objects passed to DepCache are from different cache
    (LP: #1737441); also includes the following regression fixes from bionic:
    - apt.Cache: Remap objects when reopening cache (LP: 1773316 in bionic+), incl. regression fixes:
      + Add more extensive test cases for cache remapping
      + Regression fix: Do not override __hash__ in apt.package.Package (LP: 1780099 in bionic+)
  * CI / pre-build / data changes:
    - Replace broken travis CI integration with current docker-based one
    - utils/get_debian_mirrors.py: Get data from salsa (for pre-build hook)
    - debian/control: Point to salsa instead of anonscm
    - debian/gbp.conf: Point to 1.1.y-xenial branch
    - Updated mirror list

 -- Julian Andres Klode <email address hidden> Tue, 10 Jul 2018 12:47:50 +0200

Changed in python-apt (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for python-apt has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-apt - 0.9.3.5ubuntu3

---------------
python-apt (0.9.3.5ubuntu3) trusty-proposed; urgency=medium

  * DepCache: Check that candidate we are setting belongs to package
  * Raise CacheMismatchError if objects passed to DepCache are from different cache
    (LP: #1737441); also includes the following regression fixes from bionic:
    - apt.Cache: Remap objects when reopening cache (LP: 1773316 in bionic+), incl. regression fixes:
      + Add more extensive test cases for cache remapping
      + Regression fix: Do not override __hash__ in apt.package.Package (LP: 1780099 in bionic+)
  * CI / pre-build / data changes:
    - Replace broken travis CI integration with current docker-based one
    - utils/get_debian_mirrors.py: Get data from salsa (for pre-build hook)
    - debian/control: Point to salsa instead of anonscm
    - debian/gbp.conf: Point to ubuntu/trusty branch
    - Updated mirror list

 -- Julian Andres Klode <email address hidden> Tue, 10 Jul 2018 16:59:07 +0200

Changed in python-apt (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unattended-upgrades - 1.1ubuntu1.18.04.7~16.04.2

---------------
unattended-upgrades (1.1ubuntu1.18.04.7~16.04.2) xenial; urgency=medium

  * Don't check blacklist too early and report updates from not allowed origins
    as kept back. (LP: #1781176)
  * test/test_blacklisted_wrong_origin.py: Fix and enable test
  * Filter out progress indicator from dpkg log (LP: #1599646)
  * Clear cache when autoremoval fails (LP: #1779157)
  * Find autoremovable kernel packages using the patterns in APT's way
    (LP: #1815494)

unattended-upgrades (1.1ubuntu1.18.04.7~16.04.1) xenial; urgency=medium

  * Start service after systemd-logind.service to be able to take inhibition
    lock (LP: #1806487)
  * Handle gracefully when logind is down (LP: #1806487)

unattended-upgrades (1.1ubuntu1.18.04.7~16.04.0) xenial; urgency=medium

  * Backport to Xenial (LP: #1702793)
  * Revert to build-depending on debhelper (>= 9~) and dh-systemd
  * Revert configuration example changes to avoid triggering a debconf question
  * debian/postinst: Update recovery to be triggered on Xenial's package versions

unattended-upgrades (1.1ubuntu1.18.04.7) bionic; urgency=medium

  * Trigger unattended-upgrade-shutdown actions with PrepareForShutdown()
    Performing upgrades in service's ExecStop did not work when the upgrades
    involved restarting services because systemd blocked other stop/start
    actions making maintainer scripts time out and be killed leaving a broken
    system behind.
    Running unattended-upgrades.service before shutdown.target as a oneshot
    service made it run after unmounting filesystems and scheduling services
    properly on shutdown is a complex problem and adding more services to the
    mix make it even more fragile.
    The solution of monitoring PrepareForShutdown() signal from DBus
    allows Unattended Upgrade to run _before_ the jobs related to shutdown are
    queued thus package upgrades can safely restart services without
    risking causing deadlocks or breaking part of the shutdown actions.
    Also ask running unattended-upgrades to stop when shutdown starts even in
    InstallOnShutdown mode and refactor most of unattended-upgrade-shutdown to
    UnattendedUpgradesShutdown class. (LP: #1778219)
  * Increase logind's InhibitDelayMaxSec to 30s. (LP: #1778219)
    This allows more time for unattended-upgrades to shut down gracefully
    or even install a few packages in InstallOnShutdown mode, but is still a
    big step back from the 30 minutes allowed for InstallOnShutdown previously.
    Users enabling InstallOnShutdown node are advised to increase
    InhibitDelayMaxSec even further possibly to 30 minutes.
    - Add NEWS entry about increasing InhibitDelayMaxSec and InstallOnShutdown
      changes
  * Ignore "W503 line break before binary operator"
    because it will become the best practice and breaks the build
  * Stop using ActionGroups, they interfere with apt.Cache.clear()
    causing all autoremovable packages to be handled as newly autoremovable
    ones and be removed by default. Dropping ActionGroup usage does not slow
    down the most frequent case of not having anything to upgrade a...

Changed in unattended-upgrades (Ubuntu Xenial):
status: Won't Fix → Fix Released