On 2014-01-28 15:31, Patrick Laimbock wrote:
> On 28-01-14 13:40, Stevan Bajić wrote:
>> On 2014-01-28 12:41, Patrick Laimbock wrote:
>>> On 28-01-14 12:23, Stevan Bajić wrote:
>>>> Hello Patrick,
>>>> 
>>>> okay. So it segfaults right after it closes the log:
>>>> 
>>>> 6403  gettimeofday({1390857119, 469600}, NULL) = 0
>>>> 6403  socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 25
>>>> 6403  connect(25, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0
>>>> 6403  sendto(25, "<20>Jan 27 22:11:59 dspam[6372]:"..., 119,
>>>> MSG_NOSIGNAL, NULL, 0) = 119
>>>> 6403  close(25)                         = 0
>>>> 6403  --- SIGSEGV (Segmentation fault) @ 0 (0) ---
>>>> 6372  +++ killed by SIGSEGV +++
>>>> 
>>>> 
>>>> What actions have you done to trigger that segfault?
>>> 
>>> Just send an email which is received by postfix which sends it to
>>> DSPAM.
>>> 
>> Daemon mode or did you call the dspam binary directly?
> 
> Daemon mode.
> 
>>>> Could you compile DSPAM with debug symbols and try the action again and
>>>> post the backtrace here?
>>> 
>>> The info above was from DSPAM built with -g and with the DSPAM-debug
>>> package installed.
>>> 
>> This is not enough. You should at least enable the following switches as
>> well:
>> --enable-debug
>> --enable-verbose-debug
> 
> Sorry if that wasn't clear. Those switches were enabled during the
> build. And the strace info above was taken with DSPAM configured with
> those switches enabled.
> 
>> If you like then you can add --enable-bnr-debug as well but I think for
>> your problem it is not needed.
> 
> This switch was not enabled.
> 
>>> In the Zimbra build scripts for DSPAM I noticed that it specifically
>>> uses CFLAGS="-g -O2" so I rebuilt the RPM with those flags instead of
>>> the RPM optflags macro [0] and with debug enabled. This has been running
>>> fine for a few hours now. No segfaults. Maybe those optflags are
>>> wreaking havoc.
>>> 
>> My current flags on the filter system are:
>> nyx ~ # dspam --version
>> 
>> DSPAM Anti-Spam Suite GIT (agent/library)
>> 
>> Copyright (C) 2002-2012 DSPAM Project
>> http://dspam.sourceforge.net.
>> 
>> DSPAM may be copied only under the terms of the GNU Affero General
>> Public
>> License, a copy of which can be found with the DSPAM distribution kit.
>> 
>> Configuration parameters:  '--prefix=/usr' '--build=i686-pc-linux-gnu'
>> '--host=i686-pc-linux-gnu' '--mandir=/usr/share/man'
>> '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc'
>> '--localstatedir=/var/lib' '--with-storage-driver=hash_drv,mysql_drv'
>> '--with-dspam-home=/var/spool/dspam' '--sysconfdir=/etc/mail/dspam'
>> '--enable-daemon' '--disable-external-lookup' '--enable-clamav'
>> '--enable-large-scale' '--disable-domain-scale' '--enable-syslog'
>> '--disable-debug' '--disable-bnr-debug' '--disable-verbose-debug'
>> '--enable-split-configuration' '--enable-long-usernames'
>> '--with-dspam-group=dspam' '--with-dspam-home-group=dspam'
>> '--with-dspam-mode=2511' '--with-logdir=/var/log/dspam'
>> '--with-mysql-includes=/usr/include/mysql'
>> '--with-mysql-libraries=/usr/lib/mysql' '--enable-virtual-users'
>> '--enable-preferences-extension' '--disable-homedir'
>> 'build_alias=i686-pc-linux-gnu' 'host_alias=i686-pc-linux-gnu'
>> 'CC=i686-pc-linux-gnu-gcc' 'CFLAGS=-march=native -O2 -pipe -fweb
>> -frename-registers -ftree-loop-optimize -ftree-vectorize
>> -ftree-vectorizer-verbose=1 -floop-interchange -floop-strip-mine
>> -floop-block -freorder-blocks-and-partition -fgcse-sm -fgcse-las
>> -maccumulate-outgoing-args -funswitch-loops -ftracer
>> -fprefetch-loop-arrays -fno-ident -fno-strict-overflow -mfpmath=sse
>> -mmmx -msse -msse2' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed -Wl,-O1
>> -Wl,--add-needed -Wl,--as-needed -Wl,--hash-style=both
>> -Wl,--sort-common'
> 
> Those are certainly quite different from the ones I used (optflags and
> just -g -O2).
> 
>>> [0] optflags: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
>>> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
> 
>> Hmm.... I am not the super duper GCC specialist but fexceptions are not
>> really needed in the case of DSPAM since it is mostly written in C and
>> not in C++ ->
>> http://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html#index-fexceptions-2562
> 
> Neither am I. Those flags are what Red Hat/CentOS use by default to
> build packages. With their brainpower I would guess that they gave them
> some thought and figured out those flags were the right ones to use :)
> 
>> If memory serves me right then fstack-protector, ssp-buffer-size and
>> -D_FORTIFY_SOURCE are GCC hardened options. Right? If you need them then
>> try using -D_FORTIFY_SOURCE with 1 instead of 2.
>> 
>> What GCC version are you using?
> 
> gcc version 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
> It's the one that ships with CentOS 6.5.
> 
> FWIW DSPAM has not crashed and is still humming along fine processing a
> few hundred emails since I used the -g -O2 flags.
> 
So you basically removed:
-pipe
-Wall
-Wp,-D_FORTIFY_SOURCE=2
-fexceptions
-fstack-protector
--param=ssp-buffer-size=4
-m64
-mtune=generic


I think you can easily add those switches back since they are rather 
safe to use:
-pipe
-Wall
-mtune=generic


I don't know why you would need to add -m64? Usually you add that if 
you have a 32bit system and you want to produce 64bit code. The other 
switches are for hardened GCC and I don't see you using it.



> Regards,
> Patrick
> 
> _______________________________________________
> Dspam-user mailing list
> Dspam-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/dspam-user

-- 
Kind Regards from Switzerland,

Stevan Bajić
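
The thread suggests trying -D_FORTIFY_SOURCE=1 instead of 2; the two levels differ in which buffer bound glibc's checked strcpy() uses. The C model below is an added example, not DSPAM code and not part of the original messages: `struct rec`, `fortify_bound` and `model_strcpy_chk` are hypothetical names, the inputs are constructed, and it illustrates the two levels only, without claiming this is the cause of the crash discussed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed record: a short field followed by a second field. */
struct rec {
    char name[8];
    char note[8];
};

/* Bound the fortified strcpy() applies for a copy into rec.name:
 * level 1 -> bytes left in the enclosing object (__builtin_object_size type 0)
 * level 2 -> bytes in the name member only      (__builtin_object_size type 1) */
static size_t fortify_bound(int level)
{
    if (level >= 2)
        return sizeof(((struct rec *)0)->name);
    return sizeof(struct rec) - offsetof(struct rec, name);
}

/* Model of the check: returns 0 when the copy is allowed, -1 where
 * glibc would print "buffer overflow detected" and abort the process. */
static int model_strcpy_chk(struct rec *r, const char *src, int level)
{
    size_t need = strlen(src) + 1;            /* include the NUL */
    if (need > fortify_bound(level))
        return -1;
    /* Byte copy relative to the struct start keeps the model itself defined. */
    memcpy((char *)r + offsetof(struct rec, name), src, need);
    return 0;
}

int main(void)
{
    const char *inputs[] = { "short", "twelve_chars", "much_too_long_for_record" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        struct rec a = {{0}, {0}}, b = {{0}, {0}};
        printf("%-26s level1=%s level2=%s\n", inputs[i],
               model_strcpy_chk(&a, inputs[i], 1) ? "abort" : "ok",
               model_strcpy_chk(&b, inputs[i], 2) ? "abort" : "ok");
    }
    return 0;
}
```

The middle input is the interesting case: level 1 lets it spill from name into note without complaint, while level 2 stops the process at the same call.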
