Bug#917319: libdovecot: Segfault -- service(dict) killed with signal 11
Control: tags -1 + upstream fixed-upstream

Hi!

On 03:40 Fri 04 Jan , Christian Schrötter wrote:
> > Not tested yet, but it looks like the right commit...
>
> Tested and confirmed, it's the right bugfix! :-)
>
> @Maintainer: I think this will be included in Dovecot v2.3.5. I don't
> know when the next release will be available, so maybe it's a good idea
> to include the patch [1] in the next package update as temporary
> solution for all affected users?
>
> Patched sources are available at [2]. Test build for amd64 is available
> at [3]. This is only a small personal repository for private stuff.

Thanks to both of you for the report and the triaging. If upstream does not release v2.3.5 soon, I'll go ahead and upload a patched 2.3.4.

Regards,
Apollon
Bug#917319: libdovecot: Segfault -- service(dict) killed with signal 11
> Not tested yet, but it looks like the right commit...

Tested and confirmed, it's the right bugfix! :-)

@Maintainer: I think this will be included in Dovecot v2.3.5. I don't know when the next release will be available, so maybe it's a good idea to include the patch [1] in the next package update as temporary solution for all affected users?

Patched sources are available at [2]. Test build for amd64 is available at [3]. This is only a small personal repository for private stuff.

--
With kind regards,
Christian Schrötter

[1]: https://github.com/dovecot/core/commit/aa5c05ebd5e2a2474514020d2114602bcb2f1157.patch
[2]: https://debrep.froonix.org/debian/dists/buster/main/source/mail/
[3]: https://debrep.froonix.org/debian/dists/buster/main/binary-amd64/mail/
Bug#917319: libdovecot: Segfault -- service(dict) killed with signal 11
Patch possibly already available:
https://github.com/dovecot/core/commit/aa5c05ebd5e2a2474514020d2114602bcb2f1157.patch

Not tested yet, but it looks like the right commit...
Bug#917319: libdovecot: Segfault -- service(dict) killed with signal 11
Hello Christian Schrötter,

not being involved in dovecot packaging I looked at this crash.

That address in event_unref seems to point here:

(gdb) disassemble /m event_unref,event_unref+370
Dump of assembler code from 0x77f33d70 to 0x77f33ee2:
...
210
211     void event_unref(struct event **_event)
212     {
213             struct event *event = *_event;
   0x77f33d70 : push   %rbp
   0x77f33d71 : push   %rbx
   0x77f33d72 : sub    $0x8,%rsp
   0x77f33d76 : mov    (%rdi),%rbx      <<< $rbx loaded with what $rdi (_event?) points to.

214
215             if (event == NULL)
   0x77f33d79 : test   %rbx,%rbx
   0x77f33d7c : je     0x77f33e60

216                     return;
217             *_event = NULL;
   0x77f33d82 : mov    0x78(%rbx),%eax  <<< this instruction seems to crash
   0x77f33d85 : movq   $0x0,(%rdi)

218
219             i_assert(event->refcount > 0);
   0x77f33d8c : test   %eax,%eax
   0x77f33d8e : jle    0x77e8c8ca

220             if (--event->refcount > 0)
   0x77f33d94 : sub    $0x1,%eax
...

So we might assume $rbx contains here an invalid pointer. Some lines before, $rbx seems to be loaded with what _event points to.

Unfortunately you removed all other frames from the backtrace, therefore it would need a maintainer to be able to reproduce the fault, to know from where event_unref got called.

But I think it would be easier for them if you could provide all frames of the backtrace.

Even better would be if dovecot-core-dbgsym from the debug symbol repository could be installed like described in [1], before analyzing the core file.

Kind regards,
Bernhard

[1] https://wiki.debian.org/HowToGetABacktrace
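Added example, not part of the original message and not Dovecot or Debian code: one way to match the frame #0 address from the reported core dump against a disassembly taken in a different gdb session, by comparing page offsets. It assumes both sessions use the same libdovecot build and that ASLR moves the mapping by whole 4 KiB pages; the listing is re-typed from the message above, and `parse_listing` and `locate` are hypothetical helper names.

```python
import re

# Constructed input: part of the "disassemble /m" listing quoted above,
# with the whitespace between mnemonic and operands restored.
LISTING = """\
213 struct event *event = *_event;
0x77f33d70 : push %rbp
0x77f33d71 : push %rbx
0x77f33d72 : sub $0x8,%rsp
0x77f33d76 : mov (%rdi),%rbx
215 if (event == NULL)
0x77f33d79 : test %rbx,%rbx
0x77f33d7c : je 0x77f33e60
217 *_event = NULL;
0x77f33d82 : mov 0x78(%rbx),%eax
0x77f33d85 : movq $0x0,(%rdi)
219 i_assert(event->refcount > 0);
0x77f33d8c : test %eax,%eax
0x77f33d8e : jle 0x77e8c8ca
"""

PAGE_MASK = 0xFFF  # assumption: 4 KiB pages, so ASLR keeps the low 12 bits

def parse_listing(text):
    """Return [(address, instruction, source_line_no, source_text), ...]."""
    rows, src = [], (None, "")
    for line in text.splitlines():
        m = re.match(r"(0x[0-9a-f]+)\s*:\s*(.+)", line)
        if m:  # instruction line: attach the most recent source line
            rows.append((int(m.group(1), 16), m.group(2).strip(), *src))
            continue
        m = re.match(r"(\d+)\s+(.*)", line)
        if m:  # source line emitted by the /m modifier
            src = (int(m.group(1)), m.group(2))
    return rows

def locate(crash_pc, rows):
    """Find the listed instruction that shares the crash PC's page offset."""
    hits = [r for r in rows if (r[0] ^ crash_pc) & PAGE_MASK == 0]
    if len(hits) != 1:
        raise LookupError("no unique match: builds differ or listing spans pages")
    addr, insn, line_no, src = hits[0]
    # rows[0] is the function entry in this listing, so this is event_unref+N
    return {"offset": addr - rows[0][0], "insn": insn, "line": line_no, "source": src}

if __name__ == "__main__":
    # Frame #0 address taken from the core dump in the original report.
    print(locate(0x7f8d5b5efd82, parse_listing(LISTING)))
```
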
Bug#917319: libdovecot: Segfault -- service(dict) killed with signal 11
Package: dovecot
Version: 1:2.3.4-2
Severity: important

Dear Maintainer,

the latest updates of Dovecot or some shared libraries at my Debian Stretch system introduced a small bug. It's a nice new segfault... ;-)

> dovecot: dict: Fatal: master: service(dict):
> child 13578 killed with signal 11 (core dumped)
>
> dovecot: lda: Error: dict quota: Quota update failed:
> write(/var/run/dovecot/dict) failed: Broken pipe
> […] - Quota is now desynced

Core dump:

> Core was generated by `dovecot/dict'.
> Program terminated with signal SIGSEGV, Segmentation fault.
>
> #0 0x7f8d5b5efd82 in event_unref ()
> from /usr/lib/dovecot/libdovecot.so.0

Do you need more details about my (Postfixadmin with Sqlite3) setup or is that enough information (for upstream) to fix this crash?

# doveconf -n service/dict
> service dict {
>   unix_listener dict {
>     group = vmailuser
>     mode = 0600
>     user = vmailuser
>   }
> }

# doveconf -n dict
> dict {
>   quota = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
> }

# cat /etc/dovecot/dovecot-dict-sql.conf.ext
> connect = /path/to/sqlite3.db
>
> map {
>   pattern = priv/quota/storage
>   table = quota2
>   username_field = username
>   value_field = bytes
> }
>
> map {
>   pattern = priv/quota/messages
>   table = quota2
>   username_field = username
>   value_field = messages
> }

--
With kind regards,
Christian Schrötter