tldr: two of us can reproduce a segfault using 9.7.3.dfsg-1~squeeze3.

nenadjebivi from #debian (CC'd) and I can both reproduce the segfault
described here, using dnsutils 9.7.3.dfsg-1~squeeze3.  We are on i686
(per `uname -m`).  For me specifically, I'm running stable, up to date
except for gnome/kde libraries, and `dpkg-architecture -qDEB_HOST_ARCH`
is 'i386'.  daemonkeeper on #debian cannot reproduce the segfault
on sid/AMD64.

dbg packages:
I have only libc6-dbg (2.11.2-10).
nenadjebivi has libkrb5-dbg libc6-dbg libssl0.9.8-dbg zlib1g-dbg libxml2-dbg.

This is the symptom:
[[[
% /usr/bin/dig  +nssearch openoffice.org. @148.87.1.23 || dmesg | tail -1
zsh: segmentation fault  /usr/bin/dig +nssearch openoffice.org. @148.87.1.23
[2550475.577180] dig[6499]: segfault at 17 ip b7708cf3 sp b6ede2d0 error 6 in 
dig[b76f9000+1d000]
...
% dig +nssearch @8.8.8.8 ch.
zsh: segmentation fault  dig +nssearch @8.8.8.8 ch.
% dmesg | tail -1
[2552421.152782] dig[28333]: segfault at 17 ip b7836cf3 sp b700c2d0 error 6 in 
dig[b7827000+1d000]
% dig +nssearch @8.8.8.8 ch; echo $?
0
]]]

The last command fails under GDB, while issuing a PIE/PIC warning.


Working with daemonkeeper on #debian IRC, we rebuilt the package from source,
with the following changes:
* disabled hardening (commenting out line 5 of debian/rules)
* enabled PIC (adding --with-pic to the configure invocation) for GDB-ability
* exported DEB_BUILD_OPTIONS='nostrip noopt debug'

With the rebuilt package, the segfault still reproduces:
[[[
% /tmp/bind9-9.7.3.dfsg/./debian//dnsutils/usr/bin/dig  +nssearch 
openoffice.org. @148.87.1.23
zsh: segmentation fault  /tmp/bind9-9.7.3.dfsg/./debian//dnsutils/usr/bin/dig 
+nssearch openoffice.org
% dmesg | tail -1
[2550376.401443] dig[6477]: segfault at 17 ip 08055cb5 sp b707b2d0 error 6 in 
dig[8048000+1b000]
]]]

I'm attaching a backtrace generated by nenadjebivi (which I can
reproduce) and a backtrace generated by me.


HTH.  Let us know if we can provide any more information.


Thanks,

Daniel
by nenadjebivi
before he installed libkrb5-dbg and zlib1g-dbg.

#  gdb --args dig +nssearch openoffice.org. @ns13.oracle.com.
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/dig...done.
(gdb) run
Starting program: /usr/bin/dig +nssearch openoffice.org. @ns13.oracle.com.
[Thread debugging using libthread_db enabled]
[New Thread 0xb77b7b70 (LWP 8996)]
[New Thread 0xb6fb6b70 (LWP 8997)]
[New Thread 0xb67b5b70 (LWP 8998)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb77b7b70 (LWP 8996)]
0x0805786a in send_done (_task=0xb77bb078, event=0xb77cc3c8) at dighost.c:2311
2311                    ISC_LIST_DEQUEUE(sevent->bufferlist, b, link);
(gdb) backtrace
#0  0x0805786a in send_done (_task=0xb77bb078, event=0xb77cc3c8) at 
dighost.c:2311
#1  0xb7c375c1 in dispatch (manager=0xb77bd008) at task.c:1013
#2  0xb7c37853 in run (uap=0xb77bd008) at task.c:1158
#3  0xb7bec955 in start_thread (arg=0xb77b7b70) at pthread_create.c:300
#4  0xb7a42e7e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
(gdb) print b
$1 = (isc_buffer_t *) 0xb77c8310
(gdb) print link
$2 = {<text variable, no debug info>} 0xb7a35350 <link>
(gdb) print sevent
$3 = (isc_socketevent_t *) 0xb77cc3c8
(gdb) dereference sevent->bufferlist
Undefined command: "dereference".  Try "help".
(gdb) p *sevent->bufferlist
Structure has no component named operator*.
(gdb) print servent->bufferlist
No symbol "servent" in current context.
(gdb) print sevent->bufferlist
$4 = {head = 0xb77c8310, tail = 0xb77c8310}
% valgrind ./debian//dnsutils/usr/bin/dig +nssearch openoffice.org. @148.87.1.23
==27927== Memcheck, a memory error detector
==27927== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==27927== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for 
copyright info
==27927== Command: ./debian//dnsutils/usr/bin/dig +nssearch openoffice.org. 
@148.87.1.23
==27927== 
==27927== Thread 2:
==27927== Invalid write of size 4
==27927==    at 0x8055CB5: send_done (dighost.c:2311)
==27927==    by 0x43B0EBA: ??? (in /usr/lib/libisc.so.62.1.1)
==27927==    by 0x43DE954: start_thread (pthread_create.c:300)
==27927==    by 0x45E7E7D: clone (clone.S:130)
==27927==  Address 0x17 is not stack'd, malloc'd or (recently) free'd
==27927== 
==27927== 
==27927== Process terminating with default action of signal 11 (SIGSEGV)
==27927==  Access not within mapped region at address 0x17
==27927==    at 0x8055CB5: send_done (dighost.c:2311)
==27927==    by 0x43B0EBA: ??? (in /usr/lib/libisc.so.62.1.1)
==27927==    by 0x43DE954: start_thread (pthread_create.c:300)
==27927==    by 0x45E7E7D: clone (clone.S:130)
==27927==  If you believe this happened as a result of a stack
==27927==  overflow in your program's main thread (unlikely but
==27927==  possible), you can try to increase the size of the
==27927==  main thread stack using the --main-stacksize= flag.
==27927==  The main thread stack size used in this run was 8388608.
==27927== 
==27927== HEAP SUMMARY:
==27927==     in use at exit: 678,001 bytes in 75 blocks
==27927==   total heap usage: 642 allocs, 567 frees, 706,617 bytes allocated
==27927== 
==27927== LEAK SUMMARY:
==27927==    definitely lost: 0 bytes in 0 blocks
==27927==    indirectly lost: 0 bytes in 0 blocks
==27927==      possibly lost: 21,901 bytes in 49 blocks
==27927==    still reachable: 656,100 bytes in 26 blocks
==27927==         suppressed: 0 bytes in 0 blocks
==27927== Rerun with --leak-check=full to see details of leaked memory
==27927== 
==27927== For counts of detected and suppressed errors, rerun with: -v
==27927== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 74 from 11)
zsh: killed     valgrind ./debian//dnsutils/usr/bin/dig +nssearch 
openoffice.org. @148.87.1.2
by nenadjebivi
after he installed libkrb5-dbg and zlib1g-dbg.

# gdb --args dig +nssearch openoffice.org. @ns13.oracle.com.
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/dig...done.
(gdb) run
Starting program: /usr/bin/dig +nssearch openoffice.org. @ns13.oracle.com.
[Thread debugging using libthread_db enabled]
[New Thread 0xb77b7b70 (LWP 10430)]
[New Thread 0xb6fb6b70 (LWP 10431)]
[New Thread 0xb67b5b70 (LWP 10432)]
SOA ns13.oracle.com. hostmaster.oracle.com. 2011080801 3600 3600 604800 900 
from server ns13.oracle.com in 202 ms.
SOA ns13.oracle.com. hostmaster.oracle.com. 2011080801 3600 3600 604800 900 
from server ns14.oracle.com in 177 ms.

Program received signal SIGTERM, Terminated.
0xb7fe2424 in __kernel_vsyscall ()
(gdb) backtrace
#0  0xb7fe2424 in __kernel_vsyscall ()
#1  0xb79a1b5e in do_sigsuspend (set=0xbffff35c) at 
../sysdeps/unix/sysv/linux/sigsuspend.c:63
#2  *__GI___sigsuspend (set=0xbffff35c) at 
../sysdeps/unix/sysv/linux/sigsuspend.c:78
#3  0xb7c3b30f in isc__app_ctxrun (ctx0=0xb7c5bdc0) at app.c:680
#4  0xb7c3b38a in isc__app_run () at app.c:707
#5  0x08051bfc in main (argc=4, argv=0xbffff504) at dig.c:1802
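
The crash site in both traces is the list unlink in send_done (dighost.c:2311), and the gdb session shows sevent->bufferlist with head == tail == b, so b's own link fields decide where the dequeue stores. Valgrind reports that store as an invalid 4-byte write to 0x17, and the kernel's "error 6" is a user-mode write to an unmapped page, which is consistent with a store through a link pointer that no longer points at a live element. The following is an added example, not code from this report or from BIND: a constructed intrusive doubly linked list in the shape of ISC_LIST, an unchecked dequeue with the same store pattern, a helper that computes (without dereferencing) where the store through a stale prev pointer would land, and a checked dequeue that refuses to unlink an element that is not reachable from the list head. All type and function names, and the 0x13 garbage pointer, are constructed for the example.

```c
/* Added example (not code from the bug report or from BIND): a minimal
 * intrusive doubly linked list in the shape of ISC_LIST/isc_buffer_t,
 * showing what a DEQUEUE stores through and how a stale link field turns
 * into a write fault at a small unmapped address. Names are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct buf buf_t;
typedef struct { buf_t *prev; buf_t *next; } buflink_t;
struct buf {
    unsigned used;    /* stand-in for the buffer's payload fields */
    buflink_t link;   /* the link lives inside the element, as in ISC_LIST */
};
typedef struct { buf_t *head; buf_t *tail; } buflist_t;

static void list_init(buflist_t *l) { l->head = l->tail = NULL; }

static void list_append(buflist_t *l, buf_t *b) {
    b->link.next = NULL;
    b->link.prev = l->tail;
    if (l->tail != NULL) l->tail->link.next = b; else l->head = b;
    l->tail = b;
}

/* Unchecked unlink with the same store pattern as an ISC-style DEQUEUE:
 * it trusts b->link.prev/next completely. If b was freed, never enqueued,
 * or dequeued twice, the store through prev lands wherever prev points. */
static void list_dequeue(buflist_t *l, buf_t *b) {
    if (b->link.next != NULL) b->link.next->link.prev = b->link.prev;
    else l->tail = b->link.prev;
    if (b->link.prev != NULL) b->link.prev->link.next = b->link.next; /* store through prev */
    else l->head = b->link.next;
    b->link.prev = b->link.next = (buf_t *)(-1);                      /* poison the links */
}

/* Address the unchecked dequeue's store through prev would hit, computed
 * arithmetically so a garbage pointer is never dereferenced. */
static uintptr_t dequeue_prev_store_addr(const buf_t *b) {
    return (uintptr_t)b->link.prev + offsetof(buf_t, link) + offsetof(buflink_t, next);
}

/* Checked variant: unlink b only if it is reachable from the list head and
 * its own link fields agree with its neighbours. Walks from head, so no
 * pointer taken from an untrusted element is followed. Returns 0 or -1. */
static int list_dequeue_checked(buflist_t *l, buf_t *b) {
    const buf_t *prev = NULL;
    for (const buf_t *cur = l->head; cur != NULL; prev = cur, cur = cur->link.next) {
        if (cur != b) continue;
        if (b->link.prev != prev) return -1;             /* link fields disagree with list */
        if (b->link.next != NULL && b->link.next->link.prev != b) return -1;
        list_dequeue(l, b);
        return 0;
    }
    return -1;                                           /* not a member: refuse to store */
}

static size_t list_length(const buflist_t *l) {
    size_t n = 0;
    for (const buf_t *cur = l->head; cur != NULL; cur = cur->link.next) n++;
    return n;
}

int main(void) {
    buflist_t list; buf_t a = {0}, b = {0}, c = {0};
    list_init(&list);
    list_append(&list, &a); list_append(&list, &b); list_append(&list, &c);
    printf("checked dequeue of member: %d, length now %zu\n",
           list_dequeue_checked(&list, &b), list_length(&list));

    /* A stale element: never on this list, prev holds a constructed garbage value. */
    buf_t stale = {0};
    stale.link.prev = (buf_t *)(uintptr_t)0x13;
    printf("unchecked dequeue would store to %#lx\n",
           (unsigned long)dequeue_prev_store_addr(&stale));
    printf("checked dequeue of stale element: %d, length still %zu\n",
           list_dequeue_checked(&list, &stale), list_length(&list));
    return 0;
}
```

The checked variant costs a walk of the list per dequeue, which is acceptable for a per-query buffer list but not a general replacement for the O(1) macro; its value here is diagnostic, since turning the wild store into a -1 return (or an assertion) makes a double dequeue or a dequeue of a freed element fail at the call site instead of at an address like 0x17 with no record of which element was stale.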
