core-dump in imap (Dovecot 2.2.19)

Peter Eriksson peter at ifm.liu.se
Wed Dec 9 08:55:00 UTC 2015


Just found a coredump from the imap process for one of our users on 
dovecot 2.2.19 on a Solaris 10/x86 system:

> Dec  8 14:33:17 mail dovecot: [ID 583609 mail.crit] imap(leijo): Fatal: 
master: service(imap): child 14465 killed with signal 11 (core dumped)

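Please find attached dovecot -n output and some gdb backtrace. It seems 
that cmd->client was NULL when dereferencing it at line 178 in 
imap-commands.c (in the function command_exec). In the attached dump the 
other pointer fields of *cmd are nil as well, and running_usecs (updated 
at lines 176-177, just before the fault) is the only non-zero counter, so 
the whole struct looks as if it had been cleared or freed while the 
command was still executing, rather than only the client pointer being 
unset: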

> 178           cmd->bytes_in += i_stream_get_absolute_offset(cmd->client->input) -
> 179                   cmd_start_bytes_in;

Please let me know if you need more information. I don't know what the 
user was doing at that specific time.

---
[Ll.U] Peter Eriksson KITVS-IFM & ITI-NET IT.LiU.SE +46-70 518 2786
-------------- next part --------------
# 2.2.19: /ifm/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.9 (357ac0a0e68b+)
# OS: SunOS 5.10 i86pc  
# Settings reported by `dovecot -n` for the server on which the imap process crashed.
# auth_debug/auth_verbose turn on detailed authentication logging; the resulting
# logs carry account names and login details, so keep log access restricted.
auth_debug = yes
auth_gssapi_hostname = mail.ifm.liu.se
auth_krb5_keytab = /ifm/etc/dovecot/krb5.keytab
# PLAIN and LOGIN transmit the password itself, so they depend on TLS for
# confidentiality; the GSSAPI mechanisms use the Kerberos keytab above.
auth_mechanisms = plain login gssapi gss-spnego
auth_verbose = yes
auth_worker_max_count = 100
base_dir = /var/run/dovecot/
default_process_limit = 2048
default_vsz_limit = 1 G
# Accounts with a UID below this value are refused.
first_valid_uid = 100
login_greeting = Welcome to the IFM Dovecot Mail Server.
# NOTE(review): the name suggests plaintext logins are accepted from this
# network without TLS - confirm what this setting does in this build and that
# the range covers trusted hosts only.
login_plaintext_networks = 130.236.160.0/20
mail_location = maildir:Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate
# Primary private namespace: holds INBOX, no prefix.
namespace {
  inbox = yes
  location = 
  prefix = 
  separator = /
  type = private
}
# The remaining namespaces are hidden and unlisted (hidden = yes, list = no);
# each one only adds an alternative prefix with an empty location.
namespace {
  hidden = yes
  list = no
  location = 
  prefix = mail/
  separator = /
  type = private
}
namespace {
  hidden = yes
  list = no
  location = 
  prefix = Mail/
  separator = /
  type = private
}
namespace {
  hidden = yes
  list = no
  location = 
  prefix = ~/mail/
  separator = /
  type = private
}
namespace {
  hidden = yes
  list = no
  location = 
  prefix = ~/Mail/
  separator = /
  type = private
}
namespace {
  hidden = yes
  list = no
  location = 
  prefix = ~%u/mail/
  separator = /
  type = private
}
namespace {
  hidden = yes
  list = no
  location = 
  prefix = ~%u/Mail/
  separator = /
  type = private
}
# Passwords are verified through PAM; user records come from the system
# passwd database (see userdb below).
passdb {
  driver = pam
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = imap lmtp
service anvil {
  client_limit = 8192
}
service auth {
  client_limit = 10240
}
service imap {
  process_limit = 2048
}
# The leading "<" makes Dovecot read the value from the named file; the key
# file should be readable by root only.
ssl_cert = </ifm/etc/certs/dovecot.cert.pem
ssl_key = </ifm/etc/certs/dovecot.key.pem
# Only SSLv2 and SSLv3 are excluded; every TLS version the linked SSL library
# offers, including TLS 1.0, stays enabled.
ssl_protocols = !SSLv2 !SSLv3
userdb {
  driver = passwd
}
protocol imap {
  # Per-user, per-source-IP limit on simultaneous IMAP connections.
  mail_max_userip_connections = 64
}
-------------- next part --------------
program terminated by signal SEGV (no mapping at the fault address)
Current function is command_exec
  179                   cmd_start_bytes_in;
(dbx) where                                                                  
=>[1] command_exec(cmd = 0x4d1760), line 179 in "imap-commands.c"
  [2] client_output_cmd(cmd = 0x4d1760), line 1048 in "imap-client.c"
  [3] client_output_commands(client = 0x4d0f50), line 1079 in "imap-client.c"
  [4] client_output(client = 0x4d0f50), line 1107 in "imap-client.c"
  [5] stream_send_io(fstream = 0x4c8d60), line 482 in "ostream-file.c"
  [6] io_loop_call_io(io = 0x509790), line 559 in "ioloop.c"
  [7] io_loop_handler_run_internal(ioloop = 0x4b1e10), line 211 in "ioloop-poll.c"
  [8] io_loop_handler_run(ioloop = 0x4b1e10), line 607 in "ioloop.c"
  [9] io_loop_run(ioloop = 0x4b1e10), line 583 in "ioloop.c"
  [10] master_service_run(service = 0x4b1ce0, callback = 0x482040 = &`imap`main.c`client_connected(struct master_service_connection *conn)), line 640 in "master-service.c"
  [11] main(argc = 1, argv = 0xfffffd7fffdffcb8), line 442 in "main.c"


(dbx) list    
  171                   hook->post(cmd);
  172           if (cmd->state == CLIENT_COMMAND_STATE_DONE)
  173                   finished = TRUE;
  174   
  175           io_loop_time_refresh();
  176           cmd->running_usecs +=
  177                   timeval_diff_usecs(&ioloop_timeval, &cmd_start_timeval);
  178           cmd->bytes_in += i_stream_get_absolute_offset(cmd->client->input) -
  179                   cmd_start_bytes_in;

(dbx) print cmd
cmd = 0x4d1760
(dbx) print *cmd
*cmd = {
    prev                    = (nil)
    next                    = (nil)
    client                  = (nil)
    pool                    = (nil)
    tag                     = (nil)
    name                    = (nil)
    args                    = (nil)
    cmd_flags               = <unknown enum member 0>
    func                    = (nil)
    context                 = (nil)
    module_contexts         = {
        arr          = {
            buffer       = (nil)
            element_size = 0
        }
        v            = (nil)
        v_modifiable = (nil)
    }
    parser                  = (nil)
    state                   = CLIENT_COMMAND_STATE_WAIT_INPUT
    start_time              = {
        tv_sec  = 0
        tv_usec = 0
    }
    start_ioloop_wait_usecs = 0
    running_usecs           = 2823U
    bytes_in                = 0
    bytes_out               = 0
    sync                    = (nil)
    uid                     = 0
    cancel                  = 0
    param_error             = 0
    search_save_result      = 0
    search_save_result_used = 0
    temp_executed           = 0
    tagline_sent            = 0
}

