Fix an invalid memory access when dropping an item in MergedTransaction class

Resolves: RHEL-33541
2024-06-11 15:25:32 +02:00 · 2024-06-11 15:25:32 +02:00 · b8336f167d
commit b8336f167d
parent dfba66e0b4
2 changed files with 94 additions and 0 deletions
--- a/0003-MergedTransaction-Fix-invalid-memory-access-when-dro.patch
+++ b/0003-MergedTransaction-Fix-invalid-memory-access-when-dro.patch
@ -0,0 +1,91 @@
+From 90d2ffad964a91a7a798b81e15c16eb1e840f257 Mon Sep 17 00:00:00 2001
+From: Jan Kolarik <jkolarik@redhat.com>
+Date: Tue, 23 Apr 2024 14:11:19 +0000
+Subject: [PATCH] MergedTransaction: Fix invalid memory access when dropping
+ items
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When an item is dropped from the merged transaction, the `ItemPair` reference becomes invalid and should no longer be used.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ libdnf/transaction/MergedTransaction.cpp | 18 +++++++++++-------
+ libdnf/transaction/MergedTransaction.hpp |  2 +-
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/libdnf/transaction/MergedTransaction.cpp b/libdnf/transaction/MergedTransaction.cpp
+index 8f26882f..75d2c1e7 100644
+--- a/libdnf/transaction/MergedTransaction.cpp
+++ b/libdnf/transaction/MergedTransaction.cpp
+@@ -264,14 +264,15 @@ getItemIdentifier(ItemPtr item)
+ 
+ /**
+  * Resolve the difference between RPMs in the first and second transaction item
+- *  and create a ItemPair of Upgrade, Downgrade or drop the item from the merged
+- *  transaction set in case of both packages are of the same version.
+- * Method is called when original package is being removed and than installed again.
+ *  and create a ItemPair of Upgrade, Downgrade or remove the item from the merged
+ *  transaction set in case of both packages are the same.
+ * Method is called when original package is being removed and then installed again.
+  * \param itemPairMap merged transaction set
+  * \param previousItemPair original item pair
+  * \param mTransItem new transaction item
+ * \return true if the original and new transaction item differ
+  */
+-void
+bool
+ MergedTransaction::resolveRPMDifference(ItemPairMap &itemPairMap,
+                                         ItemPair &previousItemPair,
+                                         TransactionItemBasePtr mTransItem)
+@@ -287,7 +288,7 @@ MergedTransaction::resolveRPMDifference(ItemPairMap &itemPairMap,
+         firstRPM->getRelease() == secondRPM->getRelease()) {
+         // Drop the item from merged transaction
+         itemPairMap.erase(getItemIdentifier(firstItem));
+-        return;
+        return false;
+     } else if ((*firstRPM) < (*secondRPM)) {
+         // Upgrade to secondRPM
+         previousItemPair.first->setAction(TransactionItemAction::UPGRADED);
+@@ -298,6 +299,7 @@ MergedTransaction::resolveRPMDifference(ItemPairMap &itemPairMap,
+         mTransItem->setAction(TransactionItemAction::DOWNGRADE);
+     }
+     previousItemPair.second = mTransItem;
+    return true;
+ }
+ 
+ void
+@@ -308,12 +310,14 @@ MergedTransaction::resolveErase(ItemPairMap &itemPairMap,
+     /*
+      * The original item has been removed - it has to be installed now unless the rpmdb
+      *  has changed. Resolve the difference between packages and mark it as Upgrade,
+-     *  Reinstall or Downgrade
+     *  Downgrade or remove it from the transaction
+      */
+     if (mTransItem->getAction() == TransactionItemAction::INSTALL) {
+         if (mTransItem->getItem()->getItemType() == ItemType::RPM) {
+             // resolve the difference between RPM packages
+-            resolveRPMDifference(itemPairMap, previousItemPair, mTransItem);
+            if (!resolveRPMDifference(itemPairMap, previousItemPair, mTransItem)) {
+                return;
+            }
+         } else {
+             // difference between comps can't be resolved
+             mTransItem->setAction(TransactionItemAction::REINSTALL);
+diff --git a/libdnf/transaction/MergedTransaction.hpp b/libdnf/transaction/MergedTransaction.hpp
+index f85b133a..50212159 100644
+--- a/libdnf/transaction/MergedTransaction.hpp
+++ b/libdnf/transaction/MergedTransaction.hpp
+@@ -76,7 +76,7 @@ protected:
+     typedef std::map< std::string, ItemPair > ItemPairMap;
+ 
+     void mergeItem(ItemPairMap &itemPairMap, TransactionItemBasePtr transItem);
+-    void resolveRPMDifference(ItemPairMap &itemPairMap, ItemPair &previousItemPair, TransactionItemBasePtr mTransItem);
+    bool resolveRPMDifference(ItemPairMap &itemPairMap, ItemPair &previousItemPair, TransactionItemBasePtr mTransItem);
+     void resolveErase(ItemPairMap &itemPairMap, ItemPair &previousItemPair, TransactionItemBasePtr mTransItem);
+     void resolveAltered(ItemPairMap &itemPairMap, ItemPair &previousItemPair, TransactionItemBasePtr mTransItem);
+ };
+-- 
+2.45.2
+
--- a/libdnf.spec
+++ b/libdnf.spec
@ -63,6 +63,7 @@ URL:            https://github.com/rpm-software-management/libdnf
 Source0:        %{url}/archive/%{version}/%{name}-%{version}.tar.gz
 Patch1:         0001-context-use-rpmtsAddReinstallElement-when-doing-a-re.patch
 Patch2:         0002-Since-we-use-rpmtsAddReinstallElement-rpm-also-unins.patch
+Patch3:         0003-MergedTransaction-Fix-invalid-memory-access-when-dro.patch

 BuildRequires:  cmake
 BuildRequires:  gcc
@ -309,6 +310,8 @@ popd
 * Tue Jun 11 2024 Petr Pisar <ppisar@redhat.com> - 0.73.1-2
 - Fix reinstalling packages which conflicts with themselves in
  dnf_transaction_commit() (RHEL-32919)
+- Fix an invalid memory access when dropping an item in MergedTransaction
+  class (RHEL-33541)

 * Thu Mar 28 2024 Evan Goode <egoode@redhat.com> - 0.73.1-1
 - Update to 0.73.1 (RHEL-38831)