Bug#722484: Info received (libdspam7-drv-hash segfaults since 3.10.2+dfsg-10)
Control: reopen 722484 m...@blackshift.org Le lundi 7 octobre 2013 23:01:47, vous avez écrit : Hello I've deleted /var/spool/dspam/data and let dspam deliver a mail, that produces this backtrace: #0 0xb6f118ec in raise () from /lib/arm-linux-gnueabi/libpthread.so.0 No symbol table info available. #1 0xb6a5acf4 in __aeabi_ldiv0 () from /usr/lib/arm-linux-gnueabi/dspam/libhash_drv.so No symbol table info available. #2 0xb6a59b9c in _hash_drv_seek (map=map@entry=0xb57073d8, offset=offset@entry=16147856, hashcode=optimized out, flags=flags@entry=1) at hash_drv.c:1194 header = optimized out rec = optimized out fpos = optimized out iterations = 0 Ok, this bug was very likely introduced with the patch I made to handle corrupted css file. Unfortunetely I don't have the time to fix the patch now. I'm very busy for a few weeks but I'll try to take a look at it as soon as possible. Best regards. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#722484: Info received (libdspam7-drv-hash segfaults since 3.10.2+dfsg-10)
On 10/09/2013 02:45 PM, Thomas Preud'homme wrote: I've deleted /var/spool/dspam/data and let dspam deliver a mail, that produces this backtrace: #0 0xb6f118ec in raise () from /lib/arm-linux-gnueabi/libpthread.so.0 No symbol table info available. #1 0xb6a5acf4 in __aeabi_ldiv0 () from /usr/lib/arm-linux-gnueabi/dspam/libhash_drv.so No symbol table info available. #2 0xb6a59b9c in _hash_drv_seek (map=map@entry=0xb57073d8, offset=offset@entry=16147856, hashcode=optimized out, flags=flags@entry=1) at hash_drv.c:1194 header = optimized out rec = optimized out fpos = optimized out iterations = 0 Ok, this bug was very likely introduced with the patch I made to handle corrupted css file. Unfortunetely I don't have the time to fix the patch now. Yes the bug was introduced between 3.10.2+dfsg-9 and 3.10.2+dfsg-10. As I'm running -9 without problems. Although the incremental diff from -9 to -10 doesn't look suspicious at the first glance: diff --git a/src/hash_drv.c b/src/hash_drv.c index 349b491..daae2e7 100644 --- a/src/hash_drv.c +++ b/src/hash_drv.c @@ -1187,32 +1187,36 @@ unsigned long _hash_drv_seek( unsigned long fpos; unsigned long iterations = 0; if (offset = map-file_len) return 0; fpos = sizeof(struct _hash_drv_header) + ((hashcode % header-hash_rec_max) * sizeof(struct _hash_drv_spam_record)); According to the backtrace's line number the diff-by-zero should happen here. But the modulo, which is IIRC implemented on ARM as divide/multiply/difference, was here all the time. Was there a compiler change? Maybe some new optimisations brakes the code. rec = (void *)((unsigned long) map-addr + offset + fpos); - while(rec-hashcode != hashcode /* Match token */ -rec-hashcode != 0/* Insert on empty */ -iterations map-max_seek) /* Max Iterations */ + while(rec + sizeof(*rec) = map-file_len /* not end of file */ +rec-hashcode != hashcode /* Match token */ +rec-hashcode != 0/* Insert on empty */ +iterations map-max_seek) /* Max Iterations */ { iterations++; fpos += sizeof(struct _hash_drv_spam_record); if (fpos = (header-hash_rec_max * sizeof(struct _hash_drv_spam_record))) fpos = sizeof(struct _hash_drv_header); rec = (void *)((unsigned long) map-addr + offset + fpos); } + if (rec + sizeof(*rec) map-file_len) +return 0; + if (rec-hashcode == hashcode) return fpos; if (rec-hashcode == 0 (flags HSEEK_INSERT)) return fpos; return 0; } I'm very busy for a few weeks but I'll try to take a look at it as soon as possible. Thanks, Marc signature.asc Description: OpenPGP digital signature
Bug#722484: Info received (libdspam7-drv-hash segfaults since 3.10.2+dfsg-10)
Le mercredi 9 octobre 2013 14:56:23, vous avez écrit : Yes the bug was introduced between 3.10.2+dfsg-9 and 3.10.2+dfsg-10. As I'm running -9 without problems. Although the incremental diff from -9 to -10 doesn't look suspicious at the first glance: diff --git a/src/hash_drv.c b/src/hash_drv.c index 349b491..daae2e7 100644 --- a/src/hash_drv.c +++ b/src/hash_drv.c @@ -1187,32 +1187,36 @@ unsigned long _hash_drv_seek( unsigned long fpos; unsigned long iterations = 0; if (offset = map-file_len) return 0; fpos = sizeof(struct _hash_drv_header) + ((hashcode % header-hash_rec_max) * sizeof(struct _hash_drv_spam_record)); According to the backtrace's line number the diff-by-zero should happen here. But the modulo, which is IIRC implemented on ARM as divide/multiply/difference, was here all the time. Was there a compiler change? Maybe some new optimisations brakes the code. Without having looked at the code, I suspect that hash_rec_max is updated from _hash_drv_seek's return value. Since I added a check to detect when the end of file is going to be reached, the function returns 0 in case where it was not the case before. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#722484: Info received (libdspam7-drv-hash segfaults since 3.10.2+dfsg-10)
Hello I've deleted /var/spool/dspam/data and let dspam deliver a mail, that produces this backtrace: #0 0xb6f118ec in raise () from /lib/arm-linux-gnueabi/libpthread.so.0 No symbol table info available. #1 0xb6a5acf4 in __aeabi_ldiv0 () from /usr/lib/arm-linux-gnueabi/dspam/libhash_drv.so No symbol table info available. #2 0xb6a59b9c in _hash_drv_seek (map=map@entry=0xb57073d8, offset=offset@entry=16147856, hashcode=optimized out, flags=flags@entry=1) at hash_drv.c:1194 header = optimized out rec = optimized out fpos = optimized out iterations = 0 #3 0xb6a59cc8 in _hash_drv_set_spamrecord (map=0xb57073d8, wrec=wrec@entry=0xb60fa1a8, map_offset=0) at hash_drv.c:1239 rec = optimized out offset = 16147856 extents = optimized out last_extent_size = optimized out rec_offset = 0 #4 0xb6a59df4 in _ds_set_spamrecord (CTX=optimized out, token=optimized out, stat=0xb5733f08) at hash_drv.c:785 rec = {hashcode = 6670524186553311232, nonspam = 1, spam = 0} s = optimized out #5 0xb6f336cc in _ds_set_spamrecord (CTX=0xb57007a8, token=optimized out, stat=0xb5733f08) at storage_driver.c:133 ptr = optimized out #6 0xb6a59ea4 in _ds_setall_spamrecords (CTX=0xb57007a8, diction=0xb570d4d0) at hash_drv.c:736 ds_term = 0xb5733ef8 ds_c = 0xb573d9e8 ret = -2 #7 0xb6f3352c in _ds_setall_spamrecords (CTX=CTX@entry=0xb57007a8, diction=diction@entry=0xb570d4d0) at storage_driver.c:94 ptr = optimized out #8 0xb6f292c8 in _ds_operate (CTX=CTX@entry=0xb57007a8, headers=optimized out, body=optimized out) at libdspam.c:1099 errcode = 0 diction = 0xb570d4d0 ds_term = 0x0 ds_c = optimized out heap_sort = 0xefda004f whitelist_token = 11166914970 do_whitelist = optimized out heap_sort_items = 27 #9 0xb6f29b64 in dspam_process (CTX=CTX@entry=0xb57007a8, message=0xb5704b18 Received: from metis.ext.pengutronix.de (metis.ext.pengutronix.de [IPv6:2001:6f8:1178:4:290:27ff:fe1d:cc33])\n\t(using TLSv1 with ci pher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby...) at libdspam.c:573 tp1 = {tv_sec = 1381179424, tv_usec = 996780} tp2 = {tv_sec = 160472, tv_usec = -1250944800} tzp = {tz_minuteswest = -120, tz_dsttime = 0} header = 0xb570ce68 body = 0xb5708400 spam_result = 0 is_toe = optimized out is_undertrain = 0 retcode = 0 #10 0x00012510 in process_message (ATX=ATX@entry=0xb57009f0, message=message@entry=0xb5700688, username=username@entry=0xb57018c0 m...@kleine-budde.de, result_string=0x0, result_string@entry=0xb60fd3f4) at dspam.c:541 CTX = 0xb57007a8 components = optimized out copyback = optimized out have_signature = optimized out result = optimized out i = optimized out internally_canned = 0 original_username = 0x0 #11 0x00013268 in process_users (ATX=ATX@entry=0xb57009f0, message=0x0, message@entry=0xb5701960) at dspam.c:1895 result_string = 0x0 result = optimized out s = {st_dev = 0, __pad1 = 0, st_ino = 0, st_mode = 0, st_nlink = 0, st_uid = 0, st_gid = 0, st_rdev = 0, __pad2 = 0, st_size = 0, st_blksize = 0, st_blocks = 0, st_atim = {tv_sec = 0, tv_nsec = 0}, st_mtim = {tv_sec = 0, tv_nsec = 0}, st_ctim = {tv_sec = 0, tv_nsec = 0}, __unused4 = 0, __unused5 = 0} username = 0xb57018c0 m...@kleine-budde.de recipient = m...@kleine-budde.de, '\000' repeats 235 times filename = /var/spool/dspam/opt-out/kleine-budde.de/marc.nodspam, '\000' repeats 2211 times... optin = 0 optout = optimized out i = optimized out have_rcpts = optimized out return_code = -1250949480 retcode = optimized out node_nt = 0xb57018e0 node_rcpt = 0x0 c_nt = {iter_index = 0xb57018e0} c_rcpt = {iter_index = 0x0} parse_message = 0xb5700688 presult = 0x0 plus = optimized out atsign = optimized out mailbox = '\000' repeats 255 times fout = 0x #12 0x000164ac in process_connection (ptr=0x1b32e58) at daemon.c:738 processmode = '\000' repeats 255 times server_ident = optimized out TTX = 0x1b32e58 ATX = 0xb57009f0 input = optimized out cmdline = 0xb5701938 DATA\r\n token = optimized out ptrptr = optimized out message = 0xb5701960 parms = optimized out p = optimized out i = 8 locked = 8 invalid = optimized out server_mode = 1 argv = {0x1cb00 dspam, 0xb5701848 --deliver=innocent,spam, 0xb5701860 -d, 0xb5701863 %u, 0x0 repeats 60 times} buf = 250 OK\000AM LMTP 3.10.2 Ready, '\000' repeats 996 times tries = 0 argc = optimized out fd = 0x0 regards,