rsync icon indicating copy to clipboard operation
rsync copied to clipboard
verified publisher icon WayneD

segfault in write_sparse

Open sudhackar opened this issue 1 year ago • 2 comments

From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093696 - @martinvonwittich (hi!) and then some analysis on discord

simple repro

#!/bin/bash

rsync -e 'ssh -o LogLevel=ERROR -o BatchMode=yes' -aH -A --sparse --partial-dir=/tmp/partial.1 sec-noble-server-amd64:/sys/bus/usb/drivers_autoprobe /tmp/partial/

for gdb

set follow-fork-mode parent
break fork
r -e 'ssh -o LogLevel=ERROR -o BatchMode=yes' -aH -A --sparse --partial-dir=/tmp/partial.1 sec-noble-server-amd64:/sys/bus/usb/drivers_autoprobe /tmp/partial/
continue
set follow-fork-mode child
continue

and then

$ gdb -x /tmp/gdbssh ./rsync

The root cause can be, with --sparse and

int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode)
{
	if (!relpath || relpath[0] == '/') {
		// must be a relative path
		fprintf(stderr, "Error: relpath must be a relative path %s\n", relpath);
		errno = EINVAL;
		return -1;
	}

fails for path

Error: relpath must be a relative path /tmp/partial.1/drivers_autoprobe

pwndbg> bt
#0  0x000055555559f3a4 in write_sparse (len=700, buf=0x0, offset=0, use_seek=<optimized out>, f=<optimized out>) at fileio.c:83
#1  write_file (f=f@entry=4, use_seek=use_seek@entry=1, offset=offset@entry=0, buf=buf@entry=0x0, len=len@entry=700) at fileio.c:157
#2  0x000055555559f6ff in skip_matched (fd=fd@entry=4, offset=offset@entry=0, buf=buf@entry=0x0, len=len@entry=700) at fileio.c:197
#3  0x0000555555572ce3 in receive_data (f_in=f_in@entry=6, fname_r=fname_r@entry=0x5555555f0820 <partial_fname> "/tmp/partial.1/drivers_autoprobe", fd_r=fd_r@entry=-1, size_r=<optimized out>,
    fname=fname@entry=0x7fffffff61a0 "drivers_autoprobe", fd=fd@entry=4, file=0x7ffff7e10fe0, inplace_sizing=1) at receiver.c:363
#4  0x0000555555573e8a in recv_files (f_in=f_in@entry=6, f_out=f_out@entry=7, local_name=local_name@entry=0x0) at receiver.c:892
#5  0x0000555555580365 in do_recv (f_in=f_in@entry=6, f_out=7, f_out@entry=5, local_name=local_name@entry=0x0) at main.c:1056
#6  0x0000555555580ef7 in client_run (f_in=6, f_out=5, pid=pid@entry=685192, argc=argc@entry=1, argv=argv@entry=0x5555555f5be8) at main.c:1370
#7  0x000055555555f4da in start_client (argv=0x5555555f5be8, argc=1) at main.c:1588
#8  main (argc=<optimized out>, argc@entry=9, argv=<optimized out>, argv@entry=0x7fffffffd4b8) at main.c:1848
#9  0x00007ffff742a1ca in __libc_start_call_main (main=main@entry=0x55555555ee20 <main>, argc=argc@entry=9, argv=argv@entry=0x7fffffffd4b8) at ../sysdeps/nptl/libc_start_call_main.h:58
#10 0x00007ffff742a28b in __libc_start_main_impl (main=0x55555555ee20 <main>, argc=9, argv=0x7fffffffd4b8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffd4a8) at ../csu/libc-start.c:360
#11 0x0000555555561275 in _start ()

write_sparse is now attempting to write to buf=NULL, fd_r for receive_data is -1.

sudhackar avatar Jan 22 '25 07:01 sudhackar

I haven't been able to reproduce this yet, still trying

tridge avatar Jan 24 '25 20:01 tridge

@tridge I have a very similar issue maybe you can reproduce? see https://github.com/RsyncProject/rsync/issues/715#issuecomment-2624118782

GuillaumeHullin avatar Jan 30 '25 21:01 GuillaumeHullin