segfault in src/libgit2/remote.c:validate_custom_headers #6247

Closed
JanZerebecki opened this issue Mar 17, 2022 · 3 comments

JanZerebecki commented Mar 17, 2022

Reproduction steps

libgit2 segfaults during cargo audit when it tries to fetch the audit db. Updating from https://github.com/RustSec/advisory-db via the git pull command resulted in 9738835..67704dc, but that didn't change the fact that libgit still segfaults.

Expected behavior

Not segfault.

Actual behavior

> > gdb cargo-audit
> (gdb) run audit
> Starting program: /usr/bin/cargo-audit audit
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib64/libthread_db.so.1".
>     Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
> 
> Program received signal SIGSEGV, Segmentation fault.
> validate_custom_headers (custom_headers=<optimized out>) at /usr/src/debug/libgit2-1.4.1-1.1.x86_64/src/remote.c:847
> Downloading 0.07 MB source file /usr/src/debug/libgit2-1.4.1-1.1.x86_64/src/remote.c
> 847                     if (is_malformed_http_header(custom_headers->strings[i])) {
> (gdb) bt
> #0  validate_custom_headers (custom_headers=<optimized out>) at /usr/src/debug/libgit2-1.4.1-1.1.x86_64/src/remote.c:847
> #1  git_remote_connect_options_normalize (dst=dst@entry=0x7fffffffc330, repo=0x555555b05e90, src=0x7fffffffc3f0) at /usr/src/debug/libgit2-1.4.1-1.1.x86_64/src/remote.c:914
> #2  0x00007ffff7f208aa in connect_opts_from_fetch_opts (remote=0x555555b07fa0, remote=0x555555b07fa0, fetch_opts=0x7fffffffc668, out=0x7fffffffc330) at /usr/src/debug/libgit2-1.4.1-1.1.x86_64/src/remote.c:1243
> #3  git_remote_fetch (remote=0x555555b07fa0, refspecs=0x7fffffffc580, opts=0x7fffffffc668, reflog_message=0x0) at /usr/src/debug/libgit2-1.4.1-1.1.x86_64/src/remote.c:1361
> #4  0x000055555560e48f in git2::remote::Remote::fetch<&str> (self=<optimized out>, refspecs=..., opts=..., reflog_msg=...)
>     at /usr/src/debug/cargo-audit-0.16.0~git0.625c965-2.1.x86_64/vendor/git2/src/remote.rs:286
> #5  0x0000555555612903 in rustsec::repository::git::repository::{impl#0}::fetch::{closure#0}<&std::path::PathBuf> (f=...)
>     at /usr/src/debug/cargo-audit-0.16.0~git0.625c965-2.1.x86_64/rustsec/src/repository/git/repository.rs:94
> #6  0x00005555556132a7 in rustsec::repository::git::authentication::with_authentication<(), rustsec::repository::git::repository::{impl#0}::fetch::{closure#0}> (url=..., cfg=0x7fffffffcf98, f=...)
>     at /usr/src/debug/cargo-audit-0.16.0~git0.625c965-2.1.x86_64/rustsec/src/repository/git/authentication.rs:48
> #7  0x000055555562a0b5 in rustsec::repository::git::repository::Repository::fetch<&std::path::PathBuf> (url=..., into_path=<optimized out>, ensure_fresh=<optimized out>)
>     at /usr/src/debug/cargo-audit-0.16.0~git0.625c965-2.1.x86_64/rustsec/src/repository/git/repository.rs:77
> #8  0x0000555555614521 in cargo_audit::auditor::Auditor::new (config=0x555555995220 <cargo_audit::application::APPLICATION+24>) at cargo-audit/src/auditor.rs:52
> #9  0x0000555555622405 in cargo_audit::commands::audit::AuditCommand::auditor (self=<optimized out>) at cargo-audit/src/commands/audit.rs:260
> #10 cargo_audit::commands::audit::{impl#2}::run (self=<optimized out>) at cargo-audit/src/commands/audit.rs:239
> #11 0x0000555555624dc7 in cargo_audit::commands::_DERIVE_Runnable_FOR_CargoAuditCommand::{impl#0}::run (self=0x7fffffffc240) at cargo-audit/src/commands.rs:16
> #12 0x00005555556033a9 in abscissa_core::command::entrypoint::{impl#1}::run<cargo_audit::commands::CargoAuditCommand> (self=0x7fffffffddd8)
>     at /usr/src/debug/cargo-audit-0.16.0~git0.625c965-2.1.x86_64/vendor/abscissa_core/src/command/entrypoint.rs:52
> #13 abscissa_core::application::Application::run<cargo_audit::application::CargoAuditApplication, std::env::Args> (app_cell=0x555555995208 <cargo_audit::application::APPLICATION>, args=...)
>     at /usr/src/debug/cargo-audit-0.16.0~git0.625c965-2.1.x86_64/vendor/abscissa_core/src/application.rs:64
> #14 0x000055555560071b in abscissa_core::application::boot<cargo_audit::application::CargoAuditApplication> (app_cell=0x555555995208 <cargo_audit::application::APPLICATION>)
>     at /usr/src/debug/cargo-audit-0.16.0~git0.625c965-2.1.x86_64/vendor/abscissa_core/src/application.rs:196
> #15 0x00005555555fdc0d in cargo_audit::main () at cargo-audit/src/bin/cargo-audit/main.rs:9
> (gdb)

Seems like something that should not happen. But I haven't looked closely yet.

Version of libgit2 (release number or SHA1)

Information for package libgit2-1_4:

Repository : tumbleweed-oss
Name : libgit2-1_4
Version : 1.4.1-1.1
Arch : x86_64
Vendor : openSUSE
Installed Size : 1,3 MiB
Installed : Yes (automatically)
Status : up-to-date
Source package : libgit2-1.4.1-1.1.src
Upstream URL : https://libgit2.github.com/

Downstream doesn't carry any patches: https://build.opensuse.org/package/show/openSUSE:Factory/libgit2

Information for package cargo-audit:

Repository : tumbleweed-oss
Name : cargo-audit
Version : 0.16.0~git0.625c965-2.1
Arch : x86_64
Vendor : openSUSE
Installed Size : 4,3 MiB
Installed : Yes (automatically)
Status : up-to-date
Source package : cargo-audit-0.16.0~git0.625c965-2.1.src
Upstream URL : https://github.com/RustSec/cargo-audit

Operating system(s) tested

OpenSUSE Tumbleweed

Downstream tracking at: https://bugzilla.opensuse.org/show_bug.cgi?id=1197232

JanZerebecki changed the title from "segfault in validate_custom_headers" to "segfault in src/libgit2/remote.c:validate_custom_headers" on Mar 17, 2022

@ethomson (Member)

I strongly suspect that this is because git2-rs was not paying attention to SOVERSION.

@JanZerebecki (Author)

Oh. Thx. I suspect it was built against the vendored source but run against the system lib.

@ethomson (Member)

Closing this - please let me know if you're still seeing it.
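
An added illustration, not part of the original thread and not libgit2's code, of the kind of header/library mismatch the comments above suspect: a caller compiled against one options-struct layout handing it to a library built with another, so the library's read of `custom_headers->strings` lands on the wrong bytes. Every type, field and function name here is hypothetical, and the guard shown is one way a library can reject such a struct before touching its pointers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* All types and names below are hypothetical, not libgit2's definitions. */
typedef struct { char **strings; size_t count; } strarray;

typedef struct {              /* layout the caller was compiled against */
    unsigned int version;
    int prune;
    strarray custom_headers;
} opts_old;

typedef struct {              /* layout the loaded shared library expects */
    unsigned int version;
    int prune;
    int new_field;            /* constructed: field added by the newer version */
    strarray custom_headers;
} opts_new;

#define OPTS_OLD_VERSION 1u
#define OPTS_NEW_VERSION 2u

/* Constructed sample: a caller passing one custom header in the old layout. */
static char *sample_header = "X-Example: 1";
opts_old sample_caller(void) {
    opts_old o = { OPTS_OLD_VERSION, 0, { &sample_header, 1 } };
    return o;
}

/* Value the library would use as custom_headers.strings if it read the
 * caller's bytes with its own layout. Computed only, never dereferenced:
 * here it is the caller's count (1), which would fault as a pointer. */
uintptr_t misread_strings_ptr(const opts_old *caller) {
    unsigned char buf[sizeof(opts_new)] = {0};
    char **p;
    memcpy(buf, caller, sizeof *caller);
    memcpy(&p, buf + offsetof(opts_new, custom_headers), sizeof p);
    return (uintptr_t)p;
}

/* Library-side guard: check the version field before trusting any pointer.
 * Returns the header count, or -1 for a struct built for another layout. */
int lib_count_headers(const void *opts) {
    unsigned int version;
    memcpy(&version, opts, sizeof version);
    if (version != OPTS_NEW_VERSION)
        return -1;
    return (int)((const opts_new *)opts)->custom_headers.count;
}
```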
