Hello,
dovecot-lda crashes with a segfault, if I run it as a user who has no mailbox, and no permission to create one.
stat("/var/mail/mailboxes/users", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
getuid() = 21189
geteuid() = 21189
access("/var/mail/mailboxes/users", X_OK) = 0
getuid() = 21189
geteuid() = 21189
access("/var/mail/mailboxes/users", W_OK) = -1 EACCES (Permission denied)
geteuid() = 21189
getegid() = 21189
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

dovecot --version
2.0.8 (f9d34d929c3f)
Micha Krause
On Tue, 2010-12-07 at 12:36 +0100, Micha Krause wrote:
> dovecot-lda crashes with a segfault, if I run it as a user who has no mailbox, and no permission to create one.
Could you get gdb backtrace? Something like:
gdb --args dovecot-lda <parameters>
run
bt full
If that doesn't work, send your doveconf -n output and the command line you used for dovecot-lda. (I couldn't reproduce this with a quick test, so the crash could be pretty much anywhere.)
Hi,
On Tue, Dec 07, 2010 at 11:32:20PM +0000, Timo Sirainen wrote:
> Could you get gdb backtrace? Something like:
I'm a colleague of Michael's and helped him debug this issue.
The interesting part of the backtrace is the following:
-- 8< --
#0  acl_object_deinit (_aclobj=0x30) at acl-api.c:23
        aclobj = <value optimized out>
#1  0x00007f4673f35e84 in acl_backend_deinit (_backend=<value optimized out>) at acl-backend.c:95
        backend = (struct acl_backend *) 0x0
-- >8 --
For a reason I haven't investigated yet, "backend" is NULL in "acl_backend_deinit". This leads to a NULL-pointer dereference in "acl_object_deinit".
The attached patch protects from this dereference but I have this distinct feeling that I'm treating a symptom here.
Best regards, —octo
On 8.12.2010, at 11.23, Florian Forster wrote:
> The interesting part of the backtrace is the following:
>
> -- 8< --
> #0  acl_object_deinit (_aclobj=0x30) at acl-api.c:23
>         aclobj = <value optimized out>
> #1  0x00007f4673f35e84 in acl_backend_deinit (_backend=<value optimized out>) at acl-backend.c:95
>         backend = (struct acl_backend *) 0x0
> -- >8 --
>
> For a reason I haven't investigated yet, "backend" is NULL in "acl_backend_deinit". This leads to a NULL-pointer dereference in "acl_object_deinit".
Thanks.
> The attached patch protects from this dereference but I have this distinct feeling that I'm treating a symptom here.
Yes, the check should be a bit earlier: http://hg.dovecot.org/dovecot-2.0/rev/7353e3253840
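
Added example (not part of the thread, and not Dovecot's code or either patch): why frame #0 in the backtrace shows _aclobj=0x30 rather than 0 when "backend" is NULL, and why the guard has to test the parent pointer before any member address is taken. The struct layout and all demo_* names are hypothetical; the 0x30 offset is constructed to match the backtrace.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins; NOT Dovecot's real struct definitions. */
struct demo_object { int refcount; };
struct demo_backend {
	char other_fields[0x30];         /* constructed: puts the member at 0x30 */
	struct demo_object *default_obj;
};

/* Value a callee receives for &backend->default_obj. Computed with
 * offsetof so the demo never forms a member address from NULL itself. */
static uintptr_t member_arg_address(const struct demo_backend *backend)
{
	return (uintptr_t)backend + offsetof(struct demo_backend, default_obj);
}

/* Pointer-to-pointer deinit: reads *_obj, so _obj == 0x30 would fault here. */
static void demo_object_deinit(struct demo_object **_obj)
{
	struct demo_object *obj = *_obj;
	*_obj = NULL;
	free(obj);
}

/* Guarded deinit: tests the parent before touching any member.
 * Returns 1 if a backend was released, 0 if there was none. */
static int demo_backend_deinit(struct demo_backend **_backend)
{
	struct demo_backend *backend = *_backend;
	if (backend == NULL)
		return 0;
	*_backend = NULL;
	if (backend->default_obj != NULL)
		demo_object_deinit(&backend->default_obj);
	free(backend);
	return 1;
}

int main(void)
{
	struct demo_backend *none = NULL;
	printf("argument with NULL parent: %#lx\n", (unsigned long)member_arg_address(NULL));
	printf("guarded deinit, NULL parent: %d\n", demo_backend_deinit(&none));
	return 0;
}
```

A NULL test on the argument inside the callee would not catch this case, because the callee sees the non-NULL value 0x30.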