Bug#982454: lvm2: vgremove segfaults in libc-2.24.so

[Bernhard Übelacker]

Dear Maintainer,
I tried to reproduce the issue and got a segfault [2]
when trying to vgremove inside a i386 qemu VM
with version lvm2 2.02.168-2.
Attached file contains the steps taken.

This upstream commit sounds related. [1]

Kind regards,
Bernhard


[1] lvmetad: fix segfault on i386
    
https://sourceware.org/git/?p=lvm2.git;a=commit;h=46b735c937ce68e72d08997635321bf30240325d
    
https://sourceware.org/git/?p=lvm2.git;a=patch;h=46b735c937ce68e72d08997635321bf30240325d


[2]
    (gdb) bt
    #0  __strchr_sse2_bsf () at 
../sysdeps/i386/i686/multiarch/strchr-sse2-bsf.S:97
    #1  0x0050b29f in config_make_nodes_v (cft=0x64fae0, parent=0x0, pre_sib=0x64fd48, 
ap=0xbffff92c "\365\nP") at config-util.c:248
    #2  0x0050c5f7 in daemon_request_extend_v (r=..., ap=0xbffff90c 
"\354\224U") at daemon-client.c:218
    #3  0x004fe622 in _lvmetad_send (cmd=0x606840, id=<optimized out>) at 
cache/lvmetad.c:435
    #4  0x00500b6c in lvmetad_vg_remove_pending (vg=0x66aa28) at 
cache/lvmetad.c:1304
    #5  0x004b366c in vg_remove_direct (vg=0x66aa28) at metadata/metadata.c:571
    #6  0x004b3d3c in vg_remove (vg=0x66aa28) at metadata/metadata.c:634
    #7  0x00455815 in vgremove_single (cmd=0x606840, vg_name=0x648978 "raid1", 
vg=0x66aa28, handle=0x648980) at vgremove.c:79
    #8  0x004488b1 in _process_vgnameid_list (process_single_vg=0x455660 
<vgremove_single>, handle=0x648980, arg_tags=0xbffffb10, 
arg_vgnames=0xbffffb18, vgnameids_to_process=0xbffffb28, read_flags=1048576, 
cmd=0x606840) at toollib.c:1964
    #9  process_each_vg (cmd=<optimized out>, argc=<optimized out>, argv=<optimized out>, 
one_vgname=<optimized out>, use_vgnames=<optimized out>, read_flags=1048576, include_internal=<optimized 
out>, handle=0x648980, process_single_vg=<optimized out>) at toollib.c:2277
    #10 0x00455949 in vgremove (cmd=<optimized out>, argc=<optimized out>, 
argv=<optimized out>) at vgremove.c:112
    #11 0x004337ee in lvm_run_command (cmd=<optimized out>, argc=<optimized out>, 
argv=<optimized out>) at lvmcmdline.c:1723
    #12 0x0043455d in lvm2_main (argc=2, argv=0xbffffdf4) at lvmcmdline.c:2249
    #13 0x0041a537 in main (argc=2, argv=0xbffffdf4) at lvm.c:22

# Stretch/oldstable i386 qemu VM 2021-02-28


apt update
apt dist-upgrade

apt install gdb lvm2 lvm2-dbgsym
apt build-dep lvm2




mkdir /home/benutzer/source/lvm2/orig -p
cd    /home/benutzer/source/lvm2/orig
apt source lvm2
cd






dd if=/dev/zero of=test0 bs=100M count=1
dd if=/dev/zero of=test1 bs=100M count=1

losetup loop0 test0
losetup loop1 test1

pvcreate /dev/loop0
pvcreate /dev/loop1

pvdisplay


mkdir /dev/testvg
mknod /dev/testvg/group c 128 0x0000
vgcreate raid1 /dev/loop0 /dev/loop1
vgremove raid1




root@debian:~# vgremove raid1
Speicherzugriffsfehler

root@debian:~# gdb -q --args vgremove raid1
Reading symbols from vgremove...(no debugging symbols found)...done.
(gdb) run
Starting program: /sbin/vgremove raid1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
__strchr_sse2_bsf () at ../sysdeps/i386/i686/multiarch/strchr-sse2-bsf.S:97
97      ../sysdeps/i386/i686/multiarch/strchr-sse2-bsf.S: Datei oder 
Verzeichnis nicht gefunden.
(gdb) bt
#0  __strchr_sse2_bsf () at ../sysdeps/i386/i686/multiarch/strchr-sse2-bsf.S:97
#1  0x0050b29f in config_make_nodes_v ()
#2  0x0050c5f7 in daemon_request_extend_v ()
#3  0x004fe622 in ?? ()
#4  0x00500b6c in lvmetad_vg_remove_pending ()
#5  0x004b366c in vg_remove_direct ()
#6  0x004b3d3c in vg_remove ()
#7  0x00455815 in ?? ()
#8  0x004488b1 in process_each_vg ()
#9  0x00455949 in vgremove ()
#10 0x004337ee in lvm_run_command ()
#11 0x0043455d in lvm2_main ()
#12 0x0041a537 in main ()







root@debian:~# gdb -q --args vgremove raid1
Reading symbols from vgremove...Reading symbols from 
/usr/lib/debug/.build-id/e2/859cb481b1f0a843f9d2667c790dba3f2fc901.debug...done.
done.
(gdb) run
Starting program: /sbin/vgremove raid1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
__strchr_sse2_bsf () at ../sysdeps/i386/i686/multiarch/strchr-sse2-bsf.S:97
97      ../sysdeps/i386/i686/multiarch/strchr-sse2-bsf.S: Datei oder 
Verzeichnis nicht gefunden.
(gdb) set width 0
(gdb) set pagination off
(gdb) directory /home/benutzer/source/lvm2/orig/lvm2-2.02.168/libdaemon/client
Source directories searched: 
/home/benutzer/source/lvm2/orig/lvm2-2.02.168/libdaemon/client:$cdir:$cwd
(gdb) directory /home/benutzer/source/lvm2/orig/lvm2-2.02.168/lib
(gdb) bt
#0  __strchr_sse2_bsf () at ../sysdeps/i386/i686/multiarch/strchr-sse2-bsf.S:97
#1  0x0050b29f in config_make_nodes_v (cft=0x64fae0, parent=0x0, 
pre_sib=0x64fd48, ap=0xbffff92c "\365\nP") at config-util.c:248
#2  0x0050c5f7 in daemon_request_extend_v (r=..., ap=0xbffff90c "\354\224U") at 
daemon-client.c:218
#3  0x004fe622 in _lvmetad_send (cmd=0x606840, id=<optimized out>) at 
cache/lvmetad.c:435
#4  0x00500b6c in lvmetad_vg_remove_pending (vg=0x66aa28) at 
cache/lvmetad.c:1304
#5  0x004b366c in vg_remove_direct (vg=0x66aa28) at metadata/metadata.c:571
#6  0x004b3d3c in vg_remove (vg=0x66aa28) at metadata/metadata.c:634
#7  0x00455815 in vgremove_single (cmd=0x606840, vg_name=0x648978 "raid1", 
vg=0x66aa28, handle=0x648980) at vgremove.c:79
#8  0x004488b1 in _process_vgnameid_list (process_single_vg=0x455660 
<vgremove_single>, handle=0x648980, arg_tags=0xbffffb10, 
arg_vgnames=0xbffffb18, vgnameids_to_process=0xbffffb28, read_flags=1048576, 
cmd=0x606840) at toollib.c:1964
#9  process_each_vg (cmd=<optimized out>, argc=<optimized out>, argv=<optimized 
out>, one_vgname=<optimized out>, use_vgnames=<optimized out>, 
read_flags=1048576, include_internal=<optimized out>, handle=0x648980, 
process_single_vg=<optimized out>) at toollib.c:2277
#10 0x00455949 in vgremove (cmd=<optimized out>, argc=<optimized out>, 
argv=<optimized out>) at vgremove.c:112
#11 0x004337ee in lvm_run_command (cmd=<optimized out>, argc=<optimized out>, 
argv=<optimized out>) at lvmcmdline.c:1723
#12 0x0043455d in lvm2_main (argc=2, argv=0xbffffdf4) at lvmcmdline.c:2249
#13 0x0041a537 in main (argc=2, argv=0xbffffdf4) at lvm.c:22
(gdb) up
#1  0x0050b29f in config_make_nodes_v (cft=0x64fae0, parent=0x0, 
pre_sib=0x64fd48, ap=0xbffff92c "\365\nP") at config-util.c:248
248                     fmt = strchr(next, '=');
(gdb) info local
next = 0x40 <error: Cannot access memory at address 0x40>
first = 0x64fca8
cn = 0x0
fmt = <optimized out>
key = <optimized out>
(gdb) list
243             const char *fmt;
244             char *key;
245
246             while ((next = va_arg(ap, char *))) {
247                     cn = NULL;
248                     fmt = strchr(next, '=');
249
250                     if (!fmt) {
251                             log_error(INTERNAL_ERROR "Bad format string 
'%s'", fmt);
252                             return NULL;

https://sources.debian.org/src/lvm2/2.02.168-2/libdaemon/client/config-util.c/#L248

(gdb) up
#2  0x0050c5f7 in daemon_request_extend_v (r=..., ap=0xbffff90c "\354\224U") at 
daemon-client.c:218
218             res = config_make_nodes_v(r.cft, NULL, r.cft->root, apc) ? 1 : 
0;

https://sources.debian.org/src/lvm2/2.02.168-2/libdaemon/client/daemon-client.c/#L218

(gdb) up
#3  0x004fe622 in _lvmetad_send (cmd=0x606840, id=<optimized out>) at 
cache/lvmetad.c:435
435             daemon_request_extend_v(req, ap);

https://sources.debian.org/src/lvm2/2.02.168-2/lib/cache/lvmetad.c/#L435

(gdb) up
#4  0x00500b6c in lvmetad_vg_remove_pending (vg=0x66aa28) at 
cache/lvmetad.c:1304
1304            reply = _lvmetad_send(vg->cmd, "set_vg_info",
(gdb) list
1299                    return_0;
1300
1301            /* Sending version/seqno 0 in set_vg_info will set the INVALID 
flag. */
1302
1303            log_debug_lvmetad("Sending lvmetad pending remove VG %s", 
vg->name);
1304            reply = _lvmetad_send(vg->cmd, "set_vg_info",
1305                                  "name = %s", vg->name,
1306                                  "uuid = %s", uuid,
1307                                  "version = %d", 0,
1308                                  NULL);

https://sources.debian.org/src/lvm2/2.02.168-2/lib/cache/lvmetad.c/#L1304








gdb -q --args vgremove raid1
set width 0
set pagination off
directory /home/benutzer/source/lvm2/orig/lvm2-2.02.168/libdaemon/client
directory /home/benutzer/source/lvm2/orig/lvm2-2.02.168/lib
b lvmetad_vg_remove_pending
run
record
cont







root@debian:~# dpkg -l | grep lvm
ii  liblvm2app2.2:i386               2.02.168-2                        i386     
    LVM2 application library
ii  liblvm2cmd2.02:i386              2.02.168-2                        i386     
    LVM2 command library
ii  lvm2                             2.02.168-2                        i386     
    Linux Logical Volume Manager
ii  lvm2-dbgsym                      2.02.168-2                        i386     
    Debug symbols for lvm2




https://sourceware.org/git/?p=lvm2.git;a=commit;h=46b735c937ce68e72d08997635321bf30240325d
https://sourceware.org/git/?p=lvm2.git;a=patch;h=46b735c937ce68e72d08997635321bf30240325d