Bug#867303: Segmentation fault in `copy_record_version()`

Paul Menzel pm.debian at googlemail.com
Wed Jul 5 15:45:15 UTC 2017


Package: libgnutls30
Version: 3.5.13-2
Severity: normal

Dear Debian folks,


Evolution 3.22.6 crashed this morning, while communicating with an IMAP server.

Here is the trace.

```
kernel: pool[19218]: segfault at c ip a51f8bb9 sp 93afdaa0 error 4 in libgnutls.so.30.14.5[a51db000+1bd000]
```

Here is the trace.

```
Program terminated with signal SIGSEGV, Segmentation fault.
#0  copy_record_version (version=0xa4695d6c "", htype=4294967295, session=0xa4624c10) at record.c:370
370	record.c: Datei oder Verzeichnis nicht gefunden.
[Current thread is 1 (Thread 0x93afeb40 (LWP 19218))]
(gdb) bt
#0  0xa51f8bb9 in copy_record_version (version=0xa4695d6c "", htype=4294967295, session=0xa4624c10) at record.c:370
#1  0xa51f8bb9 in _gnutls_send_tlen_int (session=0xa4624c10, type=GNUTLS_APPLICATION_DATA, htype=4294967295, epoch_rel=70001, _data=0xa4620000, data_size=19, min_pad=0, mflags=1) at record.c:496
#2  0xa51faf38 in _gnutls_send_int (mflags=1, data_size=19, _data=0xa4620000, epoch_rel=70001, htype=4294967295, type=GNUTLS_APPLICATION_DATA, session=0xa4624c10) at record.h:43
#3  0xa51faf38 in gnutls_record_send (session=0xa4624c10, data=0xa4620000, data_size=19) at record.c:1628
#4  0xa48896c6 in g_tls_connection_gnutls_write (gnutls=0x87b9aad0 [GTlsClientConnectionGnutls], buffer=0xa4620000, count=19, blocking=1, cancellable=0x0, error=0x0) at gtlsconnection-gnutls.c:1599
#5  0xa488c03d in g_tls_output_stream_gnutls_write (stream=0x8769ca88 [GTlsOutputStreamGnutls], buffer=0xa4620000, count=19, cancellable=0x0, error=0x0) at gtlsoutputstream-gnutls.c:71
#6  0xb38ec425 in g_output_stream_write (stream=0x8769ca88 [GTlsOutputStreamGnutls], buffer=0xa4620000, count=19, cancellable=0x0, error=0x0) at ././gio/goutputstream.c:222
#7  0xb38ee9e3 in g_pollable_stream_write (stream=0x8769ca88 [GTlsOutputStreamGnutls], buffer=0xa4620000, count=19, blocking=1, cancellable=0x0, error=0x0) at ././gio/gpollableutils.c:250
#8  0xb38eea57 in g_pollable_stream_write_all (stream=0x8769ca88 [GTlsOutputStreamGnutls], buffer=0xa4620000, count=19, blocking=1, bytes_written=0x93afdca8, cancellable=0x0, error=0x0) at ././gio/gpollableutils.c:312
#9  0xb38b7f36 in flush_buffer (stream=stream at entry=0x87c52e50 [GConverterOutputStream], blocking=blocking at entry=1, cancellable=cancellable at entry=0x0, error=0x0) at ././gio/gconverteroutputstream.c:381
#10 0xb38b855b in g_converter_output_stream_flush (stream=0x87c52e50 [GConverterOutputStream], cancellable=0x0, error=0x0)
    at ././gio/gconverteroutputstream.c:562
#11 0xb38ea8b5 in g_output_stream_internal_close (stream=stream at entry=0x87c52e50 [GConverterOutputStream], cancellable=cancellable at entry=0x0, error=error at entry=0x0) at ././gio/goutputstream.c:642
#12 0xb38ecbfb in g_output_stream_close (stream=0x87c52e50 [GConverterOutputStream], cancellable=0x0, error=0x0)
    at ././gio/goutputstream.c:723
#13 0xb38ecc49 in g_output_stream_dispose (object=0x87c52e50 [GConverterOutputStream]) at ././gio/goutputstream.c:121
#14 0xb38d800e in g_filter_output_stream_dispose (object=0x87c52e50 [GConverterOutputStream]) at ././gio/gfilteroutputstream.c:175
#15 0xb383a539 in g_object_unref (_object=0x87c52e50) at ././gobject/gobject.c:3148
#16 0xa64c0289 in imapx_connect_to_server (is=is at entry=0x87d9ffb0 [CamelIMAPXServer], cancellable=cancellable at entry=0x876a44e0 [CamelOperation], error=error at entry=0x93afdf68) at camel-imapx-server.c:2918
#17 0xa64c540e in imapx_reconnect (error=0x93afdf68, cancellable=<optimized out>, is=0x87d9ffb0 [CamelIMAPXServer])
    at camel-imapx-server.c:3147
#18 0xa64c540e in camel_imapx_server_connect_sync (is=0x87d9ffb0 [CamelIMAPXServer], cancellable=0x876a44e0 [CamelOperation], error=0x93afdf68) at camel-imapx-server.c:3982
#19 0xa64aa79e in imapx_create_new_connection_unlocked (error=0x93afdf68, cancellable=0x876a44e0 [CamelOperation], mailbox=0x0, conn_man=0x8105f320 [CamelIMAPXConnManager]) at camel-imapx-conn-manager.c:773
#20 0xa64aa79e in camel_imapx_conn_manager_ref_connection (conn_man=conn_man at entry=0x8105f320 [CamelIMAPXConnManager], mailbox=mailbox at entry=0x0, out_is_new_connection=out_is_new_connection at entry=0x0, cancellable=0x876a44e0 [CamelOperation], error=0x93afe018)
    at camel-imapx-conn-manager.c:902
#21 0xa64aad20 in camel_imapx_conn_manager_connect_sync (conn_man=0x8105f320 [CamelIMAPXConnManager], cancellable=0x876a44e0 [CamelOperation], error=0x93afe018) at camel-imapx-conn-manager.c:1028
#22 0xa64cf8f0 in imapx_connect_sync (service=0x80d7b6e8 [CamelIMAPXStore], cancellable=0x876a44e0 [CamelOperation], error=0x93afe018)
    at camel-imapx-store.c:792
#23 0xb6f23d7e in service_shared_connect_thread (task=0xa6d8ddb0 [GTask], source_object=0x80d7b6e8, task_data=0x0, cancellable=0x876a44e0 [CamelOperation]) at camel-service.c:558
#24 0xb390986d in g_task_thread_pool_thread (thread_data=0xa6d8ddb0, pool_data=0x0) at ././gio/gtask.c:1328
#25 0xb376b338 in g_thread_pool_thread_proxy (data=0x80f34308) at ././glib/gthreadpool.c:307
#26 0xb376a8ca in g_thread_proxy (data=0x8877ee60) at ././glib/gthread.c:784
#27 0xb6e1427a in start_thread (arg=0x93afeb40) at pthread_create.c:333
#28 0xb362bad6 in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:110
```

Searching the Web brought up Debian bug report #844061 [1].
Unfortunately I am unable to reproduce my issue.

```
#0  0xa51f8bb9 in copy_record_version (version=0xa4695d6c "", htype=4294967295, session=0xa4624c10) at record.c:370
        bufel = 0xa4695d30
        cipher_size = 16719
        retval = <optimized out>
        ret = <optimized out>
        send_data_size = 19
        data = 0xa4620000 "A00001 CAPABILITY\r\n/TLS negotiation now.\r\nN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS LOGINDISABLED] Courier-IMAP ready. Copyright 1998-2011 Double Prec"...
        record_params = 0x944d4328
        record_state = <optimized out>
        __func__ = "_gnutls_send_tlen_int"
```

Looking at the code [2], it looks like `version[0] = lver->major;` is
the offending line. But trying to access it in GDB, the variable `lver`
is optimized out.

```
(gdb) p lver
$1 = <optimized out>
```

So I do not know how to further debug the issue.

Please tell me if you want me to report that issue upstream too.


Thanks,

Paul


[1] https://bugs.debian.org/844061

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 4.11.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages libgnutls30 depends on:
ii  libc6        2.24-12
ii  libgmp10     2:6.1.2+dfsg-1
ii  libhogweed4  3.3-1+b1
ii  libidn2-0    0.16-1
ii  libnettle6   3.3-1+b1
ii  libp11-kit0  0.23.3-5
ii  libtasn1-6   4.12-2
ii  zlib1g       1:1.2.8.dfsg-5

libgnutls30 recommends no packages.

Versions of packages libgnutls30 suggests:
ii  gnutls-bin  3.5.13-2

-- no debconf information
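The kernel message quoted at the top of the report carries enough information to locate the crash without a core file: the instruction pointer minus the library's load base is the offset inside libgnutls.so, and the fault address and error code say what kind of access failed. The following helper is an added example for triaging such a line; it is not part of the bug report, and the debug-symbol path in the usage comment is a placeholder. The sample line is a constructed copy of the reporter's message.

```shell
# Added triage helper (not from the bug report) for a kernel "segfault at" line.
# It turns the absolute instruction pointer into a library-relative offset,
# which is the value to pass to addr2line against the matching debug symbols.

# Constructed copy of the reporter's kernel message, used as sample input.
SAMPLE_LINE='kernel: pool[19218]: segfault at c ip a51f8bb9 sp 93afdaa0 error 4 in libgnutls.so.30.14.5[a51db000+1bd000]'

# Library-relative offset of the faulting instruction (hex, no 0x prefix):
# ip minus the load base given in "[base+size]".
segfault_offset() {
    line=$1
    ip=$(printf '%s\n' "$line" | sed -n 's/.* ip \([0-9a-f]*\) .*/\1/p')
    base=$(printf '%s\n' "$line" | sed -n 's/.*\[\([0-9a-f]*\)+[0-9a-f]*\]$/\1/p')
    printf '%x\n' $(( 0x$ip - 0x$base ))
}

# Faulting data address. A tiny value such as "c" almost always means a
# struct field at that offset was read through a NULL pointer.
segfault_addr() {
    printf '%s\n' "$1" | sed -n 's/.*segfault at \([0-9a-f]*\) .*/\1/p'
}

# Decode the x86 page-fault error code the kernel prints after "error":
# bit 0 = protection violation (else page not present), bit 1 = write
# (else read), bit 2 = user mode (else kernel mode).
segfault_error_kind() {
    err=$1
    if [ $((err & 1)) -eq 0 ]; then kind="not-present page"; else kind="protection violation"; fi
    if [ $((err & 2)) -ne 0 ]; then kind="write, $kind"; else kind="read, $kind"; fi
    if [ $((err & 4)) -ne 0 ]; then kind="user mode, $kind"; else kind="kernel mode, $kind"; fi
    printf '%s\n' "$kind"
}

# Usage: resolve the offset with the -dbgsym build that matches the installed
# libgnutls30 (3.5.13-2 in the report). The .debug path below is a placeholder.
#   addr2line -f -e /usr/lib/debug/.build-id/XX/YYYY.debug "0x$(segfault_offset "$SAMPLE_LINE")"
echo "offset in library: 0x$(segfault_offset "$SAMPLE_LINE")"
echo "fault address:     0x$(segfault_addr "$SAMPLE_LINE")"
echo "fault kind:        $(segfault_error_kind 4)"
```

For the reporter's line this yields offset 0x1dbb9 inside libgnutls.so.30.14.5, a read of address 0xc from user mode on a page that is not mapped, which matches a field read through a NULL struct pointer and is consistent with the `lver->major` line the report singles out. Resolving the offset against the exact debug-symbol build recovers the source line even when GDB reports the variable as optimized out.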