On Sat, 28 Jul 2018 17:57:54 +0800 Ben Hutchings wrote:
The double-free bug in zutils zcat is presumably still unfixed, so I'm cloning a separate bug for that.
A double-free bug in zutils' zcat is not probable because zutils' zcat is a C++ program that uses neither malloc nor free. But just in case, I have tested it for several hours with valgrind and I have been unable to find any bug.
Moreover, I do not remember anybody reporting any double-free bug in zutils' zcat. The original reporter at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903931#5 states that zcat is not the problem:
"Notice that even when it [unmkinitramfs] aborts, the "guilty" initrd file is perfectly fine and it can be uncompressed with gunzip or with zcat".
I'm leaving #903931 assigned to initramfs-tools since I might as well work around the zcat incompatibility.
You should, because 'zcat -t' is not a valid way to test .gz file type. Zutils' zcat is not the only multi-format zcat out there, and a POSIX zcat would also fail.
The problem is probably that unmkinitramfs is feeding random data to cpio by not using the standard command 'gzip -t' to test .gz file type. I have tested it, and when fed random data, my somewhat old version of cpio not only accesses unaddressable memory; in one case it has even extracted a random file with random contents and random permissions. Therefore unmkinitramfs should be careful in testing the file format, as noted at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903931#81
==4679== Syscall param read(buf) points to unaddressable byte(s)
==4679==    at 0x5117B60: __read_nocancel (syscall-template.S:81)
==4679==    by 0x418435: ??? (in /bin/cpio)
==4679==    by 0x40CB33: ??? (in /bin/cpio)
==4679==    by 0x4054CA: ??? (in /bin/cpio)
==4679==    by 0x405945: process_copy_in (in /bin/cpio)
==4679==    by 0x40AE4F: ??? (in /bin/cpio)
==4679==    by 0x505BEDF: (below main) (libc-start.c:258)
==4679==  Address 0x560ae10 is 0 bytes after a block of size 1,024 alloc'd
==4679==    at 0x4C28B2D: malloc (vg_replace_malloc.c:299)
==4679==    by 0x418D68: ??? (in /bin/cpio)
==4679==    by 0x40AD1B: ??? (in /bin/cpio)
==4679==    by 0x40AE44: ??? (in /bin/cpio)
==4679==    by 0x505BEDF: (below main) (libc-start.c:258)
==4679==
cpio: premature end of archive

Best regards,
Antonio.
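The check Antonio describes above (test the gzip format properly instead of relying on 'zcat -t', and never hand unverified bytes to cpio), as an added shell example. This is not code from initramfs-tools, zutils or the bug report; the function names (is_gzip, gzip_ok, classify, safe_cpio_list) and the sample files are my own constructions. It only assumes POSIX od, gzip and cpio; the magic-byte test uses the two-byte gzip signature 0x1f 0x8b and the integrity test uses the standard 'gzip -t'.

```shell
#!/bin/sh
# Added example: classify a candidate initrd segment before piping it to cpio.
# Not part of initramfs-tools or zutils; helper names are hypothetical.

# is_gzip FILE: succeed if FILE starts with the gzip magic bytes 1f 8b.
# A cheap first filter; it does not prove the stream is intact.
is_gzip() {
    [ "$(od -An -tx1 -N2 "$1" | tr -d ' \n')" = "1f8b" ]
}

# gzip_ok FILE: succeed if gzip can decompress FILE to the end with a
# valid CRC. 'gzip -t' is the standard, portable integrity test;
# 'zcat -t' is not specified by POSIX and multi-format zcats reject it.
gzip_ok() {
    gzip -t "$1" 2>/dev/null
}

# classify FILE: print gzip, not-gzip or corrupt-gzip on stdout.
classify() {
    if ! is_gzip "$1"; then
        echo not-gzip
    elif gzip_ok "$1"; then
        echo gzip
    else
        echo corrupt-gzip
    fi
}

# safe_cpio_list FILE: list the archive members, but only once the file has
# passed both checks, so cpio never parses random bytes. Returns 2 if the
# file was rejected, otherwise cpio's own exit status.
safe_cpio_list() {
    [ "$(classify "$1")" = "gzip" ] || return 2
    gzip -dc "$1" | cpio -t --quiet 2>/dev/null
}

# Demo on constructed inputs when files are given on the command line:
#   sh check_gzip.sh good.gz plain.txt trunc.gz
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(classify "$f")"
done
```

Run it on a real initrd slice and a file of junk and the difference is immediate: the junk is reported as not-gzip before cpio is ever started, and a truncated .gz is reported as corrupt-gzip rather than being fed partway into the extractor. The magic-byte test alone is not enough (a 2-byte prefix collides with random data about once in 65536 tries, and a truncated stream passes it), which is why the integrity test with 'gzip -t' remains the deciding check.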