Bug#366717: Method http has died unexpectedly (Packages/DiffIndex)

[Jurij Smakov]

tags 366717 patch
thanks

Hi,
This is indeed due to an unaligned access in /usr/lib/apt/methods/http. A 
more complete backtrace:

(gdb) bt
#0  0xf7e4b5dc in LOAD_OP (I=0, W=0xff1f534c,
    input=0x31d2b "  `\n2.0\ncontrol.tar.gz  1142247192  0     0 
100644  2022      `\n\037\213\b") at contrib/sha256.cc:64
#1  0xf7e4b794 in sha256_transform (state=0x59318,
    input=0x31d2b "  `\n2.0\ncontrol.tar.gz  1142247192  0     0 
100644  2022      `\n\037\213\b") at contrib/sha256.cc:80
#2  0xf7e4f640 in SHA256Summation::Add (this=0x59310,
    data=0x31ceb "!<arch>\ndebian-binary   1142247192  0     0     100644 
4         `\n2.0\ncontrol.tar.gz  1142247192  0     0     100644  2022 
`\n\037\213\b",
    len=1448) at contrib/sha256.cc:274
#3  0x00019bf4 in Hashes::Add (this=0x59248,
    Data=0x31ceb "!<arch>\ndebian-binary   1142247192  0     0     100644 
4         `\n2.0\ncontrol.tar.gz  1142247192  0     0     100644  2022 
`\n\037\213\b",
    Size=1448) at hashes.h:38
#4  0x00013b40 in CircleBuf::Write (this=0x30cdc, Fd=4) at http.cc:226
#5  0x00016150 in HttpMethod::Go (this=0xff1f59a4, ToFile=true, Srv=0x30b48)
    at http.cc:799
#6  0x00016a54 in ServerState::RunData (this=0x30b48) at http.cc:497
#7  0x00018f64 in HttpMethod::Loop (this=0xff1f59a4) at http.cc:1143
#8  0x000193bc in main () at http.cc:1231

Offending code in contrib/sha256.cc:

62 static inline void LOAD_OP(int I, u32 *W, const u8 *input)
63 {
64         W[I] = ntohl( ((u32*)(input))[I] );
65 }

input is u8, so there are no restrictions on its alignment. When an 
attempt is made to cast it into u32, an unaligned access may result.

A quick-n-dirty patch is attached. It ensures that input array passed to 
LOAD_OP is always aligned on a 4-byte boundary by memcpy()'ing it into 
correctly aligned array before the call. I *believe* that 
sha256_transform() uses at most first 16*4=64 bytes of input array, so 
it's sufficient to memcpy() only that, but it would be nice if someone 
could actually look it over (or come up with a cleaner solution, that 
would work too :-).

Best regards,

Jurij Smakov                                        [EMAIL PROTECTED]
Key: http://www.wooyd.org/pgpkey/                   KeyID: C99E03CCdiff -aur a/apt-pkg/contrib/sha256.cc b/apt-pkg/contrib/sha256.cc
--- a/apt-pkg/contrib/sha256.cc 2006-03-29 17:01:29.000000000 -0800
+++ b/apt-pkg/contrib/sha256.cc 2006-05-11 23:55:12.000000000 -0700
@@ -72,12 +72,14 @@
 static void sha256_transform(u32 *state, const u8 *input)
 {
         u32 a, b, c, d, e, f, g, h, t1, t2;
-        u32 W[64];
+        u32 W[64], aligned[16];
         int i;
 
+       /* make sure that we are word-aligned */
+       memcpy(aligned, input, 16*sizeof(u32));
         /* load the input */
         for (i = 0; i < 16; i++)
-                LOAD_OP(i, W, input);
+                LOAD_OP(i, W, (u8 *) aligned);
 
         /* now blend */
         for (i = 16; i < 64; i++)