[Dovecot] dovecot-lda (2.1.12) segfaults
Joseph Tam
jtam.home at gmail.com
Wed Dec 19 12:47:09 EET 2012
Timo Sirainen writes:
> Can you still reproduce this in any way?
Yes, I have 6 sets of user INBOX index caches that will crash dovecot-lda.
The actual content of the INBOX is irrelevant (crash probably happens
before INBOX is opened).
> I found two bugs, would be nice to know if they solve it:
>
> http://hg.dovecot.org/dovecot-2.1/rev/2f848393f78e
> http://hg.dovecot.org/dovecot-2.1/rev/bded819417d9
No, these patches don't help. It still crashes in the same place with the
same value of field_hdr (0x20 in frame #0 below). Here's the full backtrace:
#0 0xff2a0474 in mail_cache_header_fields_read (cache=0x5c250) at mail-cache-fields.c:325
field_hdr = (const struct mail_cache_header_fields *) 0x20
field = {name = 0x402 <Address 0x402 out of bounds>, idx = 4282351288,
type = MAIL_CACHE_FIELD_VARIABLE_SIZE, field_size = 4282335628,
decision = MAIL_CACHE_DECISION_TEMP, last_used = -14558816}
last_used = (const uint32_t *) 0x64584
sizes = (const uint32_t *) 0xc
types = (const uint8_t *) 0x64888 ""
decisions = (const uint8_t *) 0x64900 ""
p = 0x24a38 "ÿ\035\212@ÿ¿úÐ"
names = 0x0
end = 0x64a50 ""
orig_key = (void *) 0xffbfee38
orig_value = (void *) 0x64550
fidx = 411784
new_fields_count = 4280126016
dec = MAIL_CACHE_DECISION_NO
max_drop_time = 376804
offset = 32
i = 4282348464
#1 0xff29e8cc in mail_cache_compress_locked (cache=0x5c250, trans=0x645e0, unlock=0xffbfeeef)
at mail-cache-compress.c:361
dotlock = (struct dotlock *) 0x2ea00
st = {st_dev = 235718347, st_pad1 = {874, 0, 0}, st_ino = 0, st_mode = 0, st_nlink = 0,
st_uid = 0, st_gid = 0, st_rdev = 3720, st_pad2 = {0, 0}, st_size = 3720, st_atim = {
tv_sec = 410816, tv_nsec = -12631336}, st_mtim = {tv_sec = 514, tv_nsec = -12631336},
st_ctim = {tv_sec = 65536, tv_nsec = 0}, st_blksize = 0, st_blocks = 1621028016851520,
st_fstype = "\000\000\000\004\000\000\000\003\212\000\000\000\000\005ÂP", st_pad4 = {-4198784,
-14028952, 39394339, 377424, 0, 16777216, 3, 4}}
old_mask = 4282348464
file_seq = 4
old_offset = 4290768372
ext_offsets = {arr = {buffer = 0xffbfee10, element_size = 4280930288}, v = 0xffbfee10,
v_modifiable = 0xffbfee10}
offsets = (const uint32_t *) 0x0
data = (const void *) 0xff3f4380
i = 0
count = 1
fd = 0
ret = 377424
#2 0xff29efe0 in mail_cache_compress (cache=0x5c250, trans=0x645e0) at mail-cache-compress.c:489
unlock = false
ret = 411764
__FUNCTION__ = "mail_cache_compress"
#3 0xff2a3e28 in mail_cache_transaction_compress (ctx=0x5e3b8) at mail-cache-transaction.c:180
cache = (struct mail_cache *) 0x5c250
view = (struct mail_index_view *) 0x644c0
trans = (struct mail_index_transaction *) 0x645e0
ret = 2424
#4 0xff2a40b8 in mail_cache_transaction_open_if_needed (ctx=0x5e3b8)
at mail-cache-transaction.c:241
cache = (struct mail_cache *) 0x5c250
ext = (const struct mail_index_ext *) 0x1e
idx = 154968
i = 1
__FUNCTION__ = "mail_cache_transaction_open_if_needed"
#5 0xff2a6e94 in mail_cache_field_want_add (ctx=0x5e3b8, seq=1, field_idx=12)
at mail-cache-transaction.c:1048
decision = 153968
#6 0xff27e8e8 in index_mail_parse_header_register_all_wanted (mail=0x5efa8)
at index-mail-headers.c:175
_mail = (struct mail *) 0x5efa8
all_cache_fields = (const struct mail_cache_field *) 0x25970
i = 12
count = 26
#7 0xff27ec90 in index_mail_parse_header_init (mail=0x5efa8, headers=0x0)
at index-mail-headers.c:230
_data_stack_cur_id = 2
data = (struct index_mail_data *) 0x5f058
match = (const uint8_t *) 0x641a0 ""
i = 0
field_idx = 4290769328
match_count = 2155905152
__FUNCTION__ = "index_mail_parse_header_init"
#8 0xff27f5c8 in index_mail_cache_parse_init (_mail=0x5efa8, input=0x64058)
at index-mail-headers.c:376
mail = (struct index_mail *) 0x5efa8
input2 = (struct istream *) 0x641a0
__FUNCTION__ = "index_mail_cache_parse_init"
#9 0xff2299cc in mbox_save_get_input_stream (ctx=0x5e6e0, input=0x637c8) at mbox-save.c:411
filter = (struct istream *) 0x0
ret = (struct istream *) 0x5edd0
cache_input = (struct istream *) 0x25990
streams = {0x20202020, 0x2e938, 0xa202020}
#10 0xff22a084 in mbox_save_begin (_ctx=0x5e6e0, input=0x637c8) at mbox-save.c:520
ctx = (struct mbox_save_context *) 0x5e6e0
t = (struct mbox_transaction_context *) 0x5de88
save_flags = MAIL_RECENT
offset = 0
__FUNCTION__ = "mbox_save_begin"
#11 0xff24e9c0 in mailbox_save_begin (ctx=0xffbff514, input=0x637c8) at mail-storage.c:1652
box = (struct mailbox *) 0x594e8
ret = 0
#12 0xff23f138 in mail_storage_try_copy (_ctx=0xffbff514, mail=0x54cd8) at mail-copy.c:68
ctx = (struct mail_save_context *) 0x5e6e0
pmail = (struct mail_private *) 0x54cd8
input = (struct istream *) 0x637c8
from_envelope = 0x13d90 "MAILER-DAEMON"
guid = 0xff2f0ec0 ""
received_date = -1
#13 0xff23f23c in mail_storage_copy (ctx=0x5e6e0, mail=0x54cd8) at mail-copy.c:93
No locals.
#14 0xff24ec28 in mailbox_copy (_ctx=0xffbff670, mail=0x54cd8) at mail-storage.c:1721
ctx = (struct mail_save_context *) 0x5e6e0
box = (struct mailbox *) 0x594e8
keywords = (struct mail_keywords *) 0x0
ret = 389032
#15 0xff24ec98 in mailbox_save_using_mail (ctx=0xffbff670, mail=0x54cd8) at mail-storage.c:1730
No locals.
#16 0xff388070 in mail_deliver_save (ctx=0xffbff8a8, mailbox=0x13fe8 "INBOX", flags=0,
keywords=0x0, storage_r=0xffbff83c) at mail-deliver.c:317
open_ctx = {user = 0x3d3a8, lda_mailbox_autocreate = true,
lda_mailbox_autosubscribe = false}
box = (struct mailbox *) 0x594e8
trans_flags = MAILBOX_TRANSACTION_FLAG_EXTERNAL
t = (struct mailbox_transaction_context *) 0x5de88
save_ctx = (struct mail_save_context *) 0x0
headers_ctx = (struct mailbox_header_lookup_ctx *) 0x0
kw = (struct mail_keywords *) 0x0
error = MAIL_ERROR_NONE
mailbox_name = 0x13fe8 "INBOX"
errstr = 0x0
guid = 0xff3f73b0 ""
changes = {pool = 0x13e38, uid_validity = 0, saved_uids = {arr = {buffer = 0x13e28,
element_size = 1}, v = 0x13e28, v_modifiable = 0x13e28},
ignored_modseq_changes = 4282350008, changed = false}
range = (const struct seq_range *) 0xff1d3580
default_save = true
ret = 0
__FUNCTION__ = "mail_deliver_save"
#17 0xff38869c in mail_deliver (ctx=0xffbff8a8, storage_r=0xffbff83c) at mail-deliver.c:403
ret = -1
#18 0x00012d08 in main (argc=3, argv=0xffbff964) at main.c:434
set_roots = {0x24b48, 0x0}
ctx = {pool = 0x2eaf0, set = 0x30440, session = 0x2eb00, dup_ctx = 0x0, session_id = 0x0,
src_mail = 0x54cd8, src_envelope_sender = 0x0, dest_user = 0x3d3a8,
dest_addr = 0x25828 "testuser at domain", final_dest_addr = 0x25828 "testuser at domain",
dest_mailbox_name = 0x13fe8 "INBOX", dest_mail = 0x5efa8, var_expand_table = 0x0,
tried_default_save = true, saved_mail = false, save_dest_mail = false, mailbox_full = false,
dsn = false}
service_flags = 1027
user = 0xffbffad0 "testuser"
errstr = 0xff3f48e8 ""
path = 0x0
storage_service = (struct mail_storage_service_ctx *) 0x2f650
service_user = (struct mail_storage_service_user *) 0x2fe88
service_input = {module = 0x13fd0 "lda", service = 0x13fd0 "lda",
username = 0xffbffad0 "testuser", session_id = 0x0, local_ip = {family = 0, u = {ip6 = {
_S6_un = {_S6_u8 = '\0' <repeats 15 times>, _S6_u32 = {0, 0, 0, 0}, __S6_align = 0}},
ip4 = {S_un = {S_un_b = {s_b1 = 0 '\0', s_b2 = 0 '\0', s_b3 = 0 '\0', s_b4 = 0 '\0'},
S_un_w = {s_w1 = 0, s_w2 = 0}, S_addr = 0}}}}, remote_ip = {family = 0, u = {ip6 = {
_S6_un = {_S6_u8 = '\0' <repeats 15 times>, _S6_u32 = {0, 0, 0, 0}, __S6_align = 0}},
ip4 = {S_un = {S_un_b = {s_b1 = 0 '\0', s_b2 = 0 '\0', s_b3 = 0 '\0', s_b4 = 0 '\0'},
S_un_w = {s_w1 = 0, s_w2 = 0}, S_addr = 0}}}}, local_port = 0, remote_port = 0,
userdb_fields = 0x0, flags_override_add = 0, flags_override_remove = 0, no_userdb_lookup = 0}
storage = (struct mail_storage *) 0x39330
user_source = 0x13f30 ""
destaddr_source = 0x13f30 ""
process_euid = 0
stderr_rejection = false
ret = 1
c = -1
error = MAIL_ERROR_NONE
Joseph Tam <tam at math.ubc.ca>