Re: [exim-dev] [Bug 927] segfault around group_list

Author: Florian Weimer
Date:  
To: 927
CC: exim-dev
Old-Topics: [exim-dev] [Bug 927] segfault around group_list
Subject: Re: [exim-dev] [Bug 927] segfault around group_list
* Phil Pennock:

> It really is dead on the first line of main(), since the
> initialisations of the function automatic-scope variables in main()
> don't happen and they're random garbage. (Unless there's a reason
> for arg_smtp_receive_timeout to be set to 4812437 via the -os option
> to Exim).
>
> So the segfault is happening during library loading.
We've got plenty of such core files, too. This seems to be a kernel
bug. Apparently, address space randomization sometimes puts the stack
right into the middle of a DSO mapping (or vice versa).

"info target" over an example I just picked gives me (among other
things):

0x00007fff80a66970 - 0x00007fff80a70a6c is .eh_frame in /usr/lib/libgnutls.so.26
0x00007fff80c71000 - 0x00007fff80c71010 is .ctors in /usr/lib/libgnutls.so.26
0x00007fff80c71010 - 0x00007fff80c71020 is .dtors in /usr/lib/libgnutls.so.26
0x00007fff80c71020 - 0x00007fff80c71028 is .jcr in /usr/lib/libgnutls.so.26
0x00007fff80c71040 - 0x00007fff80c79da8 is .data.rel.ro in /usr/lib/libgnutls.so.26
0x00007fff80c79da8 - 0x00007fff80c79fa8 is .dynamic in /usr/lib/libgnutls.so.26
0x00007fff80c79fa8 - 0x00007fff80c7a0b8 is .got in /usr/lib/libgnutls.so.26
0x00007fff80c7a0b8 - 0x00007fff80c7b6a8 is .got.plt in /usr/lib/libgnutls.so.26
0x00007fff80c7b6c0 - 0x00007fff80c7ba90 is .data in /usr/lib/libgnutls.so.26
0x00007fff80c7baa0 - 0x00007fff80c7bb60 is .bss in /usr/lib/libgnutls.so.26

"print $rsp" tells me that the crash happens when %rsp has the value
0x00007fff80c4f640. That's outside that range, but then 0x40408 has
already been subtracted. This means that %rsp was initially around
0x00007fff80c8fa48. If you pipe this message through sort, you'll
see that %rsp has travelled from above the libgnutls.so.26 mappings
to an (unused) space in the middle of it. This is clearly broken.

(I looked at a second example in our zoo, and it looks pretty
similar.)

After a bit more looking around, I think this is very likely Debian
bug #559035. On the system I'm looking at, the crashes have ceased
after booting 2.6.26-22lenny1.

-- 
Florian Weimer                <fweimer@???>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
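The check Florian performs by hand (adding the 0x40408 of already-allocated frame back onto the crashing %rsp and comparing against the sorted section mappings) written out as a small Python diagnostic. This is an added example, not code from the message or from Exim; the gdb output it parses is a constructed sample built from the addresses quoted above, and the parser assumes the "info target" line format shown there.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the gdb "info target" lines quoted in the
# message; the addresses are the ones given there, cut down to four sections.
INFO_TARGET = """\
0x00007fff80a66970 - 0x00007fff80a70a6c is .eh_frame in /usr/lib/libgnutls.so.26
0x00007fff80c71000 - 0x00007fff80c71010 is .ctors in /usr/lib/libgnutls.so.26
0x00007fff80c7b6c0 - 0x00007fff80c7ba90 is .data in /usr/lib/libgnutls.so.26
0x00007fff80c7baa0 - 0x00007fff80c7bb60 is .bss in /usr/lib/libgnutls.so.26
"""

SECTION_RE = re.compile(r"^(0x[0-9a-fA-F]+) - (0x[0-9a-fA-F]+) is (\S+) in (\S+)$")


def parse_info_target(text):
    """Group gdb 'info target' section lines by the object they belong to."""
    objects = defaultdict(list)
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            start, end = int(m.group(1), 16), int(m.group(2), 16)
            objects[m.group(4)].append((start, end, m.group(3)))
    return objects


def diagnose_stack_collision(text, rsp_at_crash, frame_bytes):
    """Reconstruct the entry %rsp (the stack grows down, so add the frame size
    back) and report every object whose address extent the crashing %rsp fell
    into.  Returns (rsp_entry, findings)."""
    rsp_entry = rsp_at_crash + frame_bytes
    findings = []
    for path, sections in parse_info_target(text).items():
        lo = min(s for s, _, _ in sections)
        hi = max(e for _, e, _ in sections)
        if not (lo <= rsp_at_crash < hi):
            continue  # the stack pointer never entered this object's extent
        hit = [name for s, e, name in sections if s <= rsp_at_crash < e]
        findings.append({
            "object": path,
            "section": hit[0] if hit else None,  # None: a gap between sections
            "stack_started_above_object": rsp_entry >= hi,
        })
    return rsp_entry, findings


if __name__ == "__main__":
    entry, hits = diagnose_stack_collision(INFO_TARGET, 0x00007FFF80C4F640, 0x40408)
    print(hex(entry), hits)  # entry is 0x7fff80c8fa48, as estimated in the message
```

A finding with `"section": None` and `"stack_started_above_object": True` is exactly the situation described: the stack was placed above the library and grew down into the unused space between its mapped segments.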