[Dovecot] dovecot-lda (2.1.12) segfaults

13 Dec 2012


      We uograded our dovecot from version 2.1.10 -> 2.10.12, but within
the first hour of use, dovecot-lda would segfault during delivery.
This left a lock file lying around causing the user's mail readers to
hang; much hilarity ensues.  All further deliveries to the same user
will result in a crash.
The only thing that fixes this condition is to blow away the user's
INBOX cache index.  Reindexing with "doveadm index" does not fix
anything.
I've installed a test version with one user's problematic INBOX
cache indices and ran
gdb dovecot-lda
(gdb) run -t testuser </dev/null
and it crashes with the following backtrace
Program received signal SIGSEGV, Segmentation fault.
0xff2a0440 in mail_cache_header_fields_read (cache=0x5c120) at mail-cache-fields.c:323
323             if (field_hdr->size < sizeof(*field_hdr) +

(gdb) bt
#0  0xff2a0440 in mail_cache_header_fields_read (cache=0x5c120) at mail-cache-fields.c:323
#1  0xff29e8bc in mail_cache_compress_locked (cache=0x5c120, trans=0x63ce8, unlock=0xffbfeeef)
    at mail-cache-compress.c:361
#2  0xff29efd0 in mail_cache_compress (cache=0x5c120, trans=0x63ce8) at mail-cache-compress.c:489
#3  0xff2a3df4 in mail_cache_transaction_compress (ctx=0x5dac0) at mail-cache-transaction.c:180
#4  0xff2a4084 in mail_cache_transaction_open_if_needed (ctx=0x5dac0)
    at mail-cache-transaction.c:241
#5  0xff2a6e60 in mail_cache_field_want_add (ctx=0x5dac0, seq=1, field_idx=12)
    at mail-cache-transaction.c:1048
#6  0xff27e8e8 in index_mail_parse_header_register_all_wanted (mail=0x5e6b0)
    at index-mail-headers.c:175
#7  0xff27ec90 in index_mail_parse_header_init (mail=0x5e6b0, headers=0x0)
    at index-mail-headers.c:230
#8  0xff27f5c8 in index_mail_cache_parse_init (_mail=0x5e6b0, input=0x63760)
    at index-mail-headers.c:376
#9  0xff2299cc in mbox_save_get_input_stream (ctx=0x5dde8, input=0x62ed0) at mbox-save.c:411
#10 0xff22a084 in mbox_save_begin (_ctx=0x5dde8, input=0x62ed0) at mbox-save.c:520
#11 0xff24e9c0 in mailbox_save_begin (ctx=0xffbff514, input=0x62ed0) at mail-storage.c:1652
#12 0xff23f138 in mail_storage_try_copy (_ctx=0xffbff514, mail=0x54cd8) at mail-copy.c:68
#13 0xff23f23c in mail_storage_copy (ctx=0x5dde8, mail=0x54cd8) at mail-copy.c:93
#14 0xff24ec28 in mailbox_copy (_ctx=0xffbff670, mail=0x54cd8) at mail-storage.c:1721
#15 0xff24ec98 in mailbox_save_using_mail (ctx=0xffbff670, mail=0x54cd8) at mail-storage.c:1730
#16 0xff388070 in mail_deliver_save (ctx=0xffbff8a8, mailbox=0x13fe8 "INBOX", flags=0,
    keywords=0x0, storage_r=0xffbff83c) at mail-deliver.c:317
#17 0xff38869c in mail_deliver (ctx=0xffbff8a8, storage_r=0xffbff83c) at mail-deliver.c:403
#18 0x00012d08 in main (argc=3, argv=0xffbff964) at main.c:434
I dumped the value of field_hdr, and it has some bogus value
(gdb) p field_hdr
$1 = (const struct mail_cache_header_fields *) 0x20
Other observations
- blowing away the indices does not fix it permanantly.  The
the LDA will eventually start crashing again.

- the problematic indices do not cause problems with 2.1.10.
Reverting to 2.1.10 restores proper mail delivery.
Is this enough debug info to work your magic, Timo?  I can supply the cache data
if you neded it.  It's compiled on a Solaris10.
Joseph Tam jtam.home@gmail.com

Joseph Tam

Timo Sirainen

tags

participants (2)