• Bug#1108192: dpkg: segfault in dpkg-trigger

    From Noah Meyerhans@1:229/2 to All on Sun Jun 22 20:50:01 2025
    XPost: linux.debian.bugs.dist
    From: noahm@debian.org

    Package: dpkg
    Version: 1.22.20
    Severity: normal

    This may be a usage error on my part, but it should probably not be
    segfaulting either way. While investigating a possible solution to
    #1108166, I encountered the following segfault in dpkg-trigger:

    root@satest-trixie:~# dpkg-trigger --by-package=sa-compile --no-await --no-act sa-compile-upgrade
    [ 721.686463] dpkg-trigger[5137]: segfault at c0 ip 00007f8b7d127d8a sp 00007fffe1a0dc90 error 4 in libc.so.6[64d8a,7f8b7d0eb000+165000] likely on CPU 0 (core 0, socket 0)
    [ 721.688762] Code: 00 e8 ea 3d 02 00 48 89 f9 e9 a5 fa ff ff 66 90 41 57 41 56 41 55 41 54 49 89 d4 55 48 89 f5 53 48 89 fb 48 81 ec f8 00 00 00 <8b> 87 c0 00 00 00 64 4c 8b 2c 25 28 00 00 00 4c 89 ac 24 e8 00 00
    Segmentation fault

    -- System Information:
    Debian Release: 13.0
    APT prefers testing-security
    APT policy: (500, 'testing-security'), (500, 'testing')
    Architecture: amd64 (x86_64)

    Kernel: Linux 6.12.32-amd64 (SMP w/4 CPU threads; PREEMPT)
    Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages dpkg depends on:
    ii libbz2-1.0 1.0.8-6
    ii libc6 2.41-8
    ii liblzma5 5.8.1-1
    ii libmd0 1.1.0-2+b1
    ii libselinux1 3.8.1-1
    ii libzstd1 1.5.7+dfsg-1
    ii tar 1.35+dfsg-3.1
    ii zlib1g 1:1.3.dfsg+really1.3.1-1+b1

    dpkg recommends no packages.

    Versions of packages dpkg suggests:
    ii apt 3.0.2
    pn debsig-verify <none>

    -- no debconf information

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
  • From Guillem Jover@1:229/2 to Noah Meyerhans on Sun Jun 22 23:50:01 2025
    XPost: linux.debian.bugs.dist
    From: guillem@debian.org

    Control: tag -1 unreproducible moreinfo

    Hi!

    On Sun, 2025-06-22 at 14:38:40 -0400, Noah Meyerhans wrote:
    > Package: dpkg
    > Version: 1.22.20
    > Severity: normal
    >
    > This may be a usage error on my part, but it should probably not be
    > segfaulting either way. While investigating a possible solution to
    > #1108166, I encountered the following segfault in dpkg-trigger:
    >
    > root@satest-trixie:~# dpkg-trigger --by-package=sa-compile --no-await --no-act sa-compile-upgrade
    > [ 721.686463] dpkg-trigger[5137]: segfault at c0 ip 00007f8b7d127d8a sp 00007fffe1a0dc90 error 4 in libc.so.6[64d8a,7f8b7d0eb000+165000] likely on CPU 0 (core 0, socket 0)
    > [ 721.688762] Code: 00 e8 ea 3d 02 00 48 89 f9 e9 a5 fa ff ff 66 90 41 57 41 56 41 55 41 54 49 89 d4 55 48 89 f5 53 48 89 fb 48 81 ec f8 00 00 00 <8b> 87 c0 00 00 00 64 4c 8b 2c 25 28 00 00 00 4c 89 ac 24 e8 00 00
    > Segmentation fault

    I tried that invocation on a minimal sid chroot, with the sa-compile
    package installed, and I could not reproduce the segfault. If you can
    still reproduce that, could you send at least the dpkg status file and
    the /var/lib/dpkg/triggers/ directory? If that contains sensitive data,
    feel free to send it privately to me.

    Also if you could also send a backtrace that would be great.

    Thanks,
    Guillem

  • From Noah Meyerhans@1:229/2 to Guillem Jover on Mon Jun 23 16:40:01 2025
    XPost: linux.debian.bugs.dist
    From: noahm@debian.org

    On Sun, Jun 22, 2025 at 11:39:41PM +0200, Guillem Jover wrote:
    > > This may be a usage error on my part, but it should probably not be
    > > segfaulting either way. While investigating a possible solution to
    > > #1108166, I encountered the following segfault in dpkg-trigger:
    > >
    > > root@satest-trixie:~# dpkg-trigger --by-package=sa-compile --no-await --no-act sa-compile-upgrade
    > > [ 721.686463] dpkg-trigger[5137]: segfault at c0 ip 00007f8b7d127d8a sp 00007fffe1a0dc90 error 4 in libc.so.6[64d8a,7f8b7d0eb000+165000] likely on CPU 0 (core 0, socket 0)
    > > [ 721.688762] Code: 00 e8 ea 3d 02 00 48 89 f9 e9 a5 fa ff ff 66 90 41 57 41 56 41 55 41 54 49 89 d4 55 48 89 f5 53 48 89 fb 48 81 ec f8 00 00 00 <8b> 87 c0 00 00 00 64 4c 8b 2c 25 28 00 00 00 4c 89 ac 24 e8 00 00
    > > Segmentation fault
    >
    > I tried that invocation on a minimal sid chroot, with the sa-compile
    > package installed, and I could not reproduce the segfault. If you can
    > still reproduce that, could you send at least the dpkg status file and
    > the /var/lib/dpkg/triggers/ directory? If that contains sensitive data,
    > feel free to send it privately to me.
    >
    > Also if you could also send a backtrace that would be great.

    It seems that the problem is only triggered if dpkg-trigger is run
    *without* --no-act first. Then a subsequent invocation *with* --no-act
    triggers the segfault.

    It does not seem specific to any of the packages or triggers that I was
    working on, and can be reproduced with an arbitrary trigger.

    See the attached script for a simple repro using docker containers. Let
    me know if you still have trouble reproducing it and I can get you a
    core file.

    Stack trace looks like:
    (gdb) bt
    #0 0x00007fbca6df0d8a in __vfprintf_internal (s=0x0, format=format@entry=0x55d0872763ac "%s", ap=ap@entry=0x7fff25f83660, mode_flags=mode_flags@entry=2) at ./stdio-common/vfprintf-internal.c:1525
    #1 0x00007fbca6ea8fb6 in ___vfprintf_chk (fp=<optimized out>, flag=flag@entry=1, format=format@entry=0x55d0872763ac "%s", ap=ap@entry=0x7fff25f83660) at ./debug/vfprintf_chk.c:29
    #2 0x000055d087270abc in vfprintf (__stream=<optimized out>, __fmt=<optimized out>, __ap=0x7fff25f83660) at /usr/include/x86_64-linux-gnu/bits/stdio2.h:166
    #3 trigdef_update_printf (format=format@entry=0x55d0872763ac "%s") at ../../../lib/dpkg/trigdeferred.c:157
    #4 0x000055d08726acfe in tdm_add_trig_begin (trig=0x7fff25f83750 "sa-compile-upgrade") at ../../src/trigger/main.c:146
    #5 0x000055d087270bb5 in trigdef_parse () at ../../../lib/dpkg/trigdeferred.c:211
    #6 0x000055d08726a995 in do_trigger (argv=<optimized out>) at ../../src/trigger/main.c:201
    #7 0x000055d08726a6c8 in main (argc=<optimized out>, argv=<optimized out>) at ../../src/trigger/main.c:265

    #!/usr/bin/bash

    image=debian:trixie

    # The trigger name does not matter; it can be a real trigger that
    # exists, e.g. perl-major-upgrade, or an arbitrarily made up name
    trigger_name=foo

    # This does not trigger a crash. Note that there's only a single
    # invocation of dpkg-trigger
    # docker run -it "$image" bash -c "apt-get update && \
    #     dpkg-trigger --by-package=sa-compile --no-await --no-act $trigger_name ; \
    #     echo trigger exited status \$?"

    docker run -it "$image" bash -c "apt-get update && \
        dpkg-trigger --by-package=sa-compile --no-await $trigger_name ; \
        echo trigger exited status \$? ; \
        dpkg-trigger --by-package=sa-compile --no-await --no-act $trigger_name ; \
        echo trigger exited status \$?"

  • From Guillem Jover@1:229/2 to Noah Meyerhans on Mon Jun 23 18:00:01 2025
    XPost: linux.debian.bugs.dist
    From: guillem@debian.org

    Control: tags -1 - unreproducible moreinfo + confirmed

    Hi!

    On Mon, 2025-06-23 at 10:35:46 -0400, Noah Meyerhans wrote:
    > It seems that the problem is only triggered if dpkg-trigger is run
    > *without* --no-act first. Then a subsequent invocation *with* --no-act
    > triggers the segfault.
    >
    > It does not seem specific to any of the packages or triggers that I was
    > working on, and can be reproduced with an arbitrary trigger.
    >
    > See the attached script for a simple repro using docker containers. Let
    > me know if you still have trouble reproducing it and I can get you a
    > core file.
    >
    > Stack trace looks like:
    > (gdb) bt
    > #0 0x00007fbca6df0d8a in __vfprintf_internal (s=0x0, format=format@entry=0x55d0872763ac "%s", ap=ap@entry=0x7fff25f83660, mode_flags=mode_flags@entry=2) at ./stdio-common/vfprintf-internal.c:1525
    > #1 0x00007fbca6ea8fb6 in ___vfprintf_chk (fp=<optimized out>, flag=flag@entry=1, format=format@entry=0x55d0872763ac "%s", ap=ap@entry=0x7fff25f83660) at ./debug/vfprintf_chk.c:29
    > #2 0x000055d087270abc in vfprintf (__stream=<optimized out>, __fmt=<optimized out>, __ap=0x7fff25f83660) at /usr/include/x86_64-linux-gnu/bits/stdio2.h:166
    > #3 trigdef_update_printf (format=format@entry=0x55d0872763ac "%s") at ../../../lib/dpkg/trigdeferred.c:157
    > #4 0x000055d08726acfe in tdm_add_trig_begin (trig=0x7fff25f83750 "sa-compile-upgrade") at ../../src/trigger/main.c:146
    > #5 0x000055d087270bb5 in trigdef_parse () at ../../../lib/dpkg/trigdeferred.c:211
    > #6 0x000055d08726a995 in do_trigger (argv=<optimized out>) at ../../src/trigger/main.c:201
    > #7 0x000055d08726a6c8 in main (argc=<optimized out>, argv=<optimized out>) at ../../src/trigger/main.c:265

    Thanks! This was very helpful. I've been able to reproduce this now,
    and I've very quickly prepared a tentative patch, which I've not yet
    tested, and not analyzed whether there might be a better fix or some
    other lingering issues (will do that later today).

    The problem is that when we are passing --no-act then the file
    descriptor for the triggers file is NULL, so the print segfaults,
    which we should not even be attempting to do in the first place.

    Thanks,
    Guillem

    diff --git i/lib/dpkg/trigdeferred.c w/lib/dpkg/trigdeferred.c
    index ae31d6285..e04c673d4 100644
    --- i/lib/dpkg/trigdeferred.c
    +++ w/lib/dpkg/trigdeferred.c
    @@ -153,6 +153,9 @@ trigdef_update_printf(const char *format, ...)
    {
    va_list ap;

    + if (trig_new_deferred == NULL)
    + return;
    +
    va_start(ap, format);
    vfprintf(trig_new_deferred, format, ap);
    va_end(ap);
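    Review bot: the early return added at the top of trigdef_update_printf stops the crash but silently drops the write, so a NULL trig_new_deferred reached outside of a --no-act run would go unnoticed; since the message itself says the print should not be attempted in the first place under --no-act, consider also skipping the call at the call site (tdm_add_trig_begin in src/trigger/main.c:146 per the backtrace) or asserting the no-act state there. A short comment above the check saying that NULL means the deferred file was never opened because of --no-act would make the intent clear, and any other function in trigdeferred.c that writes to trig_new_deferred would need the same guard. The message notes the patch is untested; the attached docker script gives a direct regression check.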

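    Guillem's diagnosis (a NULL stream under --no-act reaching vfprintf) as an added example that is not part of this bug thread or of dpkg's code: the unguarded writer beside the guarded one in the shape of the patch, driven by a small simulation. The global trig_new_deferred, simulate_run and the "<trigger> <by-package>" record are assumptions of the example, not dpkg's real file format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for dpkg's trig_new_deferred: the stream for the new
 * deferred-triggers file, or NULL when --no-act meant no file was opened.
 * Constructed example, not dpkg's code. */
static FILE *trig_new_deferred = NULL;

/* Writer as before the patch: a NULL stream goes straight into vfprintf,
 * which dereferences it (the s=0x0 frame #0 in the backtrace). */
void update_printf_unguarded(const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vfprintf(trig_new_deferred, format, ap);
    va_end(ap);
}

/* Writer with the shape of the tentative patch: a dry run owns no stream,
 * so there is nothing to write and the call returns early. */
void update_printf_guarded(const char *format, ...)
{
    va_list ap;
    if (trig_new_deferred == NULL)
        return;
    va_start(ap, format);
    vfprintf(trig_new_deferred, format, ap);
    va_end(ap);
}

/* Simulate one dpkg-trigger run: under no_act the stream stays NULL, as it
 * does with --no-act; otherwise a tmpfile() stands in for the deferred file.
 * Returns the bytes written (0 for a dry run) and copies the line to out. */
int simulate_run(int no_act, const char *trig, const char *by, char *out, size_t outlen)
{
    long len = 0;
    trig_new_deferred = no_act ? NULL : tmpfile();
    update_printf_guarded("%s", trig);
    update_printf_guarded(" %s\n", by);
    out[0] = '\0';
    if (trig_new_deferred != NULL) {
        len = ftell(trig_new_deferred);
        rewind(trig_new_deferred);
        if (fgets(out, (int)outlen, trig_new_deferred) == NULL) out[0] = '\0';
        fclose(trig_new_deferred);
        trig_new_deferred = NULL;
    }
    return (int)len;
}
```

Calling update_printf_unguarded with the stream still NULL reproduces the crash path from the backtrace; simulate_run only ever uses the guarded writer.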