python-apt crashes if objects of one cache are passed to depcache belonging to another cache

Bug #1737441 reported by errors.ubuntu.com bug bridge on 2017-12-10
18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
python-apt (Ubuntu)
Undecided
Unassigned
Trusty
Undecided
Unassigned
Xenial
Undecided
Unassigned
Bionic
Undecided
Unassigned
unattended-upgrades (Ubuntu)
Undecided
Unassigned
Trusty
Undecided
Unassigned
Xenial
Undecided
Unassigned
Bionic
Undecided
Unassigned

Bug Description

[Impact]
Some applications, like unattended-upgrades or update-manager, reopen the apt cache. They also keep around old apt.Package objects however, and operate on them after reopening. Under the hood, this means that apt_pkg.Package objects belonging to an old cache are passed to a new cache.

APT relies on the ID of the package (it's position in the cache) for it's operation. So if a package has ID 0 in the old cache, and a different package has ID 0 in the new cache, performing operations on the old package would perform it on the new package. If the old package's ID is out of bounds in the new cache, the behavior is undefined - it's an out of bounds array access.

[Test case]
The attached test case has a list of packages 0-9, a-z; stores the package "z" into a variable, then reopens the cache. It then marks z for deletion. This either segfaults or does nothing; when it should mark z for deletion.

More test cases like this are in the autopkgtest.

[Regression potential]
The initial fix introduced bug 1780099, there might be similar bugs lurking. However, these bugs would have been undefined behavior before and might have caused segmentation faults or did the wrong thing. It seems likely that any regression cannot possibly be worse than the current state.

[Other info]
The xenial SRU also includes the change "python/tag.cc: Fix invalid read in TagFileNext". We don't have any specific verification for it, as we just saw weird crashes on the error tracker, and this seemed like the culprit. We released bionic with it, and it seems fine. The fix is fairly obvious: We were copying the char array "Start" which was not nul terminated in an odd way, without using the lenght.

[Original bug report]
The Ubuntu Error Tracker has been receiving reports about a problem regarding unattended-upgrades. This problem was most recently seen with package version 0.98ubuntu1, the problem page at https://errors.ubuntu.com/problem/727153285ba3335a07f801a298a3d94cbe6ba05d contains more details, including versions of packages affected, stacktrace or traceback, and individual crash reports.
If you do not have access to the Ubuntu Error Tracker and are a software developer, you can request it at http://forms.canonical.com/reports/.

Balint Reczey (rbalint) on 2017-12-10
Changed in unattended-upgrades (Ubuntu):
status: New → Invalid
Julian Andres Klode (juliank) wrote :

I'm not sure what's going on here. Maybe it's deleting the cachefile twice somehow. It's just straight-forward destructors. Very odd.

Changed in python-apt (Ubuntu):
status: New → Triaged
status: Triaged → Confirmed
Balint Reczey (rbalint) wrote :

There are a few other crashes in apt reported for u-u at errors.ubuntu.com, they may be hold more useful information.

tags: added: id-5a8ef5f4d8bb16ec254dc10f
Balint Reczey (rbalint) on 2018-03-29
Changed in python-apt (Ubuntu Bionic):
status: Confirmed → In Progress
Julian Andres Klode (juliank) wrote :

This is a problem in unattended-upgrades reusing apt.Version objects after reopening the cache.

python-apt does not verify that objects like versions passed to apt_pkg.DepCache belong to the same cache. Hence we get out of bounds writes and memory corruption if these reference cache objects with IDs outside of the cache range (like dependency 1024 in a cache with 100 dependencies), or, maybe even worse, we mark the wrong things (like set the candidate for an entirely different package). Hence this was not detected. I added checks to python-apt now to detect this situation where possible, and will release that shortly.

Changed in unattended-upgrades (Ubuntu Bionic):
status: Invalid → Triaged
Changed in unattended-upgrades (Ubuntu Bionic):
status: Triaged → In Progress
Changed in python-apt (Ubuntu Bionic):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-apt - 1.6.0~rc2ubuntu2

---------------
python-apt (1.6.0~rc2ubuntu2) bionic; urgency=medium

  * apt/auth.py: Protect against race with gpg when removing tmpdir
    (Closes: #871585)
  * Document Architecture: all handling in Package.{fullname,architecture()}
    (Closes: #863193)
  * python/tag.cc: Fix invalid read in TagFileNext
  * Raise ValueError if objects passed to DepCache are from different cache
    (LP: #1737441)

 -- Julian Andres Klode <email address hidden> Thu, 12 Apr 2018 11:22:27 +0200

Changed in python-apt (Ubuntu Bionic):
status: Fix Committed → Fix Released
Balint Reczey (rbalint) on 2018-04-19
Changed in unattended-upgrades (Ubuntu Bionic):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unattended-upgrades - 1.1ubuntu1

---------------
unattended-upgrades (1.1ubuntu1) bionic; urgency=medium

  * Merge from Debian unstable (LP: #1764797)
    - Remaining changes:
      - unattended-upgrades: Do not automatically upgrade the development
        release of Ubuntu unless Unattended-Upgrade::DevRelease is true.
    - Dropped changes, included in Debian:
      - Rename d/NEWS.Debian to d/NEWS to have it shipped
      - Fix typo in NEWS file
      - d/rules: Exclude mypy cache from source package.

unattended-upgrades (1.1) unstable; urgency=medium

  [ cgail914 ]
  * Update 50unattended-upgrades.Raspbian
    added a semi-column sign on line 86 to facilitate uncommenting the line
    for users and not end up with an error message when running
    unattended-upgrades. And make the whole file consistent.

  [ Tobias Bannert ]
  * completed german translation

  [ Simon McVittie ]
  * d/rules: Exclude mypy cache from source package.

  [ Julian Andres Klode ]
  * Do not reuse old apt.Version objects after reopening cache (LP: #1737441)

  [ Balint Reczey ]
  * Rename d/NEWS.Debian to d/NEWS to have it shipped
  * Fix typo in NEWS file
  * Add missing semicolon to commented-out Remove-Unused-Kernel-Packages option
  * Set UnattendedUpgradesCache.allowed_origins before calling
    apt.Cache.__init__()
  * Find package candidates to adjust sweeping through all packages only once.
    Later reuse the list candidates and filter out packages installed in the
    meantime. Thanks to Julian Andres Klode for the original patch
  * Use updated python-apt in upgrade-between-snapshots test
  * upgrade-between-snapshots: Mount /proc, too, in the chroot.
    Also clean up chroot properly on exit.
  * upgrade-between-snapshots: Use http_proxy environment variable in chroot,
    too
  * upgrade-between-snapshots: Remove packages installed as the side-effect of
    updating apt and python-apt
  * Ignore errors from compiling backported packages
  * Make is_autoremove_valid() nondestructive.
    Also fix autoremoval of packages when one package can't be removed and
    keeps back other package removals due to missing cache.clear()
  * Fix tracking removed packages
  * Suggest default-mta | mail-transport-agent to keep Lintian happy

  [ Michael Vogt ]
  * unattanded-upgrades: refactor get_candidates_to_adjust() to
    adjust_candidates()

 -- Balint Reczey <email address hidden> Tue, 17 Apr 2018 16:53:30 +0200

Changed in unattended-upgrades (Ubuntu Bionic):
status: Fix Committed → Fix Released
description: updated
description: updated
Changed in python-apt (Ubuntu Xenial):
status: New → Triaged
Changed in unattended-upgrades (Ubuntu Trusty):
status: New → Won't Fix
Changed in unattended-upgrades (Ubuntu Xenial):
status: New → Won't Fix
Julian Andres Klode (juliank) wrote :

Test case for xenial / trusty

Changed in python-apt (Ubuntu Xenial):
status: Triaged → In Progress
summary: - /usr/bin/unattended-
- upgrade:11:__GI___libc_free:operator:__gnu_cxx::new_allocator:std::allocator_traits:std::__cxx11::basic_string
+ python-apt crashes if objects of one cache are passed to depcache
+ belonging to another cache
description: updated

Hello errors.ubuntu.com, or anyone else affected,

Accepted python-apt into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python-apt/1.1.0~beta1ubuntu0.16.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in python-apt (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-xenial
Changed in python-apt (Ubuntu Trusty):
status: New → Fix Committed
tags: added: verification-needed-trusty
Robie Basak (racb) wrote :

Hello errors.ubuntu.com, or anyone else affected,

Accepted python-apt into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python-apt/0.9.3.5ubuntu3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Julian Andres Klode (juliank) wrote :

The updates work fine, as can be seen by the autopkgtest, and a manual run also confirms it:

= xenial =

$ run test
Changed []
<..crash..>
$ add proposed and upgrade
Unpacking python3-apt (1.1.0~beta1ubuntu0.16.04.2) over (1.1.0~beta1ubuntu0.16.04.1)
$ run test
Changed [<Package: name:'z' architecture='amd64' id:1>]

= trusty =

$ run test
Changed []
<..crash..>
$ add proposed and upgrade
Unpacking python3-apt (0.9.3.5ubuntu3) over (0.9.3.5ubuntu2) ...
$ run test
Changed [<Package: name:'z' architecture='amd64' id:1>]

tags: added: verification-done verification-done-trusty verification-done-xenial
removed: verification-needed verification-needed-trusty verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-apt - 1.1.0~beta1ubuntu0.16.04.2

---------------
python-apt (1.1.0~beta1ubuntu0.16.04.2) xenial; urgency=medium

  * python/tag.cc: Fix invalid read in TagFileNext
  * DepCache: Check that candidate we are setting belongs to package
  * Raise CacheMismatchError if objects passed to DepCache are from different cache
    (LP: #1737441); also includes the following regression fixes from bionic:
    - apt.Cache: Remap objects when reopening cache (LP: 1773316 in bionic+), incl. regression fixes:
      + Add more extensive test cases for cache remapping
      + Regression fix: Do not override __hash__ in apt.package.Package (LP: 1780099 in bionic+)
  * CI / pre-build / data changes:
    - Replace broken travis CI integration with current docker-based one
    - utils/get_debian_mirrors.py: Get data from salsa (for pre-build hook)
    - debian/control: Point to salsa instead of anonscm
    - debian/gbp.conf: Point to 1.1.y-xenial branch
    - Updated mirror list

 -- Julian Andres Klode <email address hidden> Tue, 10 Jul 2018 12:47:50 +0200

Changed in python-apt (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for python-apt has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-apt - 0.9.3.5ubuntu3

---------------
python-apt (0.9.3.5ubuntu3) trusty-proposed; urgency=medium

  * DepCache: Check that candidate we are setting belongs to package
  * Raise CacheMismatchError if objects passed to DepCache are from different cache
    (LP: #1737441); also includes the following regression fixes from bionic:
    - apt.Cache: Remap objects when reopening cache (LP: 1773316 in bionic+), incl. regression fixes:
      + Add more extensive test cases for cache remapping
      + Regression fix: Do not override __hash__ in apt.package.Package (LP: 1780099 in bionic+)
  * CI / pre-build / data changes:
    - Replace broken travis CI integration with current docker-based one
    - utils/get_debian_mirrors.py: Get data from salsa (for pre-build hook)
    - debian/control: Point to salsa instead of anonscm
    - debian/gbp.conf: Point to ubuntu/trusty branch
    - Updated mirror list

 -- Julian Andres Klode <email address hidden> Tue, 10 Jul 2018 16:59:07 +0200

Changed in python-apt (Ubuntu Trusty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Bug attachments