[Dovecot] dovecot-lda (2.1.12) segfaults

Joseph Tam jtam.home at gmail.com
Thu Dec 13 13:56:52 EET 2012 

We uograded our dovecot from version 2.1.10 -> 2.10.12, but within
the first hour of use, dovecot-lda would segfault during delivery.
This left a lock file lying around causing the user's mail readers to
hang; much hilarity ensues.  All further deliveries to the same user
will result in a crash.

The only thing that fixes this condition is to blow away the user's
INBOX cache index.  Reindexing with "doveadm index" does not fix
anything.

I've installed a test version with one user's problematic INBOX
cache indices and ran

 	gdb dovecot-lda
 	(gdb) run -t testuser </dev/null

and it crashes with the following backtrace

 	Program received signal SIGSEGV, Segmentation fault.
 	0xff2a0440 in mail_cache_header_fields_read (cache=0x5c120) at mail-cache-fields.c:323
 	323             if (field_hdr->size < sizeof(*field_hdr) +

 	(gdb) bt
 	#0  0xff2a0440 in mail_cache_header_fields_read (cache=0x5c120) at mail-cache-fields.c:323
 	#1  0xff29e8bc in mail_cache_compress_locked (cache=0x5c120, trans=0x63ce8, unlock=0xffbfeeef)
 	    at mail-cache-compress.c:361
 	#2  0xff29efd0 in mail_cache_compress (cache=0x5c120, trans=0x63ce8) at mail-cache-compress.c:489
 	#3  0xff2a3df4 in mail_cache_transaction_compress (ctx=0x5dac0) at mail-cache-transaction.c:180
 	#4  0xff2a4084 in mail_cache_transaction_open_if_needed (ctx=0x5dac0)
 	    at mail-cache-transaction.c:241
 	#5  0xff2a6e60 in mail_cache_field_want_add (ctx=0x5dac0, seq=1, field_idx=12)
 	    at mail-cache-transaction.c:1048
 	#6  0xff27e8e8 in index_mail_parse_header_register_all_wanted (mail=0x5e6b0)
 	    at index-mail-headers.c:175
 	#7  0xff27ec90 in index_mail_parse_header_init (mail=0x5e6b0, headers=0x0)
 	    at index-mail-headers.c:230
 	#8  0xff27f5c8 in index_mail_cache_parse_init (_mail=0x5e6b0, input=0x63760)
 	    at index-mail-headers.c:376
 	#9  0xff2299cc in mbox_save_get_input_stream (ctx=0x5dde8, input=0x62ed0) at mbox-save.c:411
 	#10 0xff22a084 in mbox_save_begin (_ctx=0x5dde8, input=0x62ed0) at mbox-save.c:520
 	#11 0xff24e9c0 in mailbox_save_begin (ctx=0xffbff514, input=0x62ed0) at mail-storage.c:1652
 	#12 0xff23f138 in mail_storage_try_copy (_ctx=0xffbff514, mail=0x54cd8) at mail-copy.c:68
 	#13 0xff23f23c in mail_storage_copy (ctx=0x5dde8, mail=0x54cd8) at mail-copy.c:93
 	#14 0xff24ec28 in mailbox_copy (_ctx=0xffbff670, mail=0x54cd8) at mail-storage.c:1721
 	#15 0xff24ec98 in mailbox_save_using_mail (ctx=0xffbff670, mail=0x54cd8) at mail-storage.c:1730
 	#16 0xff388070 in mail_deliver_save (ctx=0xffbff8a8, mailbox=0x13fe8 "INBOX", flags=0,
 	    keywords=0x0, storage_r=0xffbff83c) at mail-deliver.c:317
 	#17 0xff38869c in mail_deliver (ctx=0xffbff8a8, storage_r=0xffbff83c) at mail-deliver.c:403
 	#18 0x00012d08 in main (argc=3, argv=0xffbff964) at main.c:434

I dumped the value of field_hdr, and it has some bogus value

 	(gdb) p field_hdr
 	$1 = (const struct mail_cache_header_fields *) 0x20

Other observations

 	- blowing away the indices does not fix it permanantly.  The
 	the LDA will eventually start crashing again.

 	- the problematic indices do not cause problems with 2.1.10.
 	Reverting to 2.1.10 restores proper mail delivery.

Is this enough debug info to work your magic, Timo?  I can supply the cache data
if you neded it.  It's compiled on a Solaris10.

Joseph Tam <jtam.home at gmail.com>

More information about the dovecot mailing list