Bug#956119: asterisk: segfault in libspandsp.so.2.0.0 when using Set(FAXOPT(gateway)=yes, 30) between SIP and iax
Bernhard Übelacker
bernhardu at mailbox.org
Tue Apr 7 21:50:55 BST 2020
Dear Maintainer,
I tried to derive the source location of the crash from the
submitter's dmesg line.
I assume it happened here [1], with variable s containing an invalid
pointer: the faulting instruction `mov 0x2c8c(%rdi),%eax` is the load of
s->core.samples_to_timeout (offset 11352 + 52 = 0x2c8c, see the ptype
output below), so a fault at address 0x2c7b4 means s itself held a small,
unmapped value rather than a valid t38_gateway_state_t pointer:
0x00007ffff7f5bb90 in update_rx_timing at t38_gateway.c:2244
2242 static void update_rx_timing(t38_gateway_state_t *s, int len)
2243 {
2244 if (s->core.samples_to_timeout > 0)
2245 {
https://sources.debian.org/src/spandsp/0.0.6+dfsg-2/src/t38_gateway.c/#L2244
Maybe it is of some help.
But a proper backtrace, obtained as described in the following link, would
probably be much more useful: https://wiki.debian.org/HowToGetABacktrace
Kind regards,
Bernhard
From submitter:
[14509242.948899] asterisk[27070]: segfault at 2c7b4 ip 00007f9a52389b90 sp 00007f9a23d8a4f8 error 4 in libspandsp.so.2.0.0[7f9a5234d000+56000]
[14509242.948908] Code: 00 00 00 00 00 5b c3 0f 1f 00 e9 1b fd ff ff 0f 1f 00 e8 33 ef ff ff eb e2 90 e9 2b ef ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 <8b> 87 8c 2c 00 00 85 c0 7e 0c 29 f0 89 87 8c 2c 00 00 85 c0 7e 0a
# https://wiki.debian.org/InterpretingKernelOutputAtProcessCrash
"error 4" decodes bitwise as: bit 0 = 0: no page found, bit 1 = 0: read access, bit 2 = 1: user-mode access
########
# Buster/stable amd64 qemu VM 2020-04-07
apt update
apt dist-upgrade
apt install systemd-coredump gdb asterisk asterisk-dbgsym libspandsp2-dbgsym
echo -n "find /b ..., ..., 0x" && \
echo "00 00 00 00 00 5b c3 0f 1f 00 e9 1b fd ff ff 0f 1f 00 e8 33 ef ff ff eb e2 90 e9 2b ef ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 <8b> 87 8c 2c 00 00 85 c0 7e 0c 29 f0 89 87 8c 2c 00 00 85 c0 7e 0a" \
| sed 's/[<>]//g' | sed 's/ /, 0x/g'
gdb -q
set width 0
set pagination off
file /usr/sbin/asterisk
set environment LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libspandsp.so.2.0.0
b main
run
dele 1
info share
find /b 0x00007ffff7f20520, 0x00007ffff7f7473f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5b, 0xc3, 0x0f, 0x1f, 0x00, 0xe9, 0x1b, 0xfd, 0xff, 0xff, 0x0f, 0x1f, 0x00, 0xe8, 0x33, 0xef, 0xff, 0xff, 0xeb, 0xe2, 0x90, 0xe9, 0x2b, 0xef, 0xff, 0xff, 0x66, 0x66, 0x2e, 0x0f, 0x1f, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x87, 0x8c, 0x2c, 0x00, 0x00, 0x85, 0xc0, 0x7e, 0x0c, 0x29, 0xf0, 0x89, 0x87, 0x8c, 0x2c, 0x00, 0x00, 0x85, 0xc0, 0x7e, 0x0a
b * (0x7ffff7f5bb66 + 42)
info b
disassemble /r 0x7ffff7f5bb66, 0x7ffff7f5bb66 + 62
set max-value-size 100000
#########
benutzer at debian:~$ echo -n "find /b ..., ..., 0x" && \
> echo "00 00 00 00 00 5b c3 0f 1f 00 e9 1b fd ff ff 0f 1f 00 e8 33 ef ff ff eb e2 90 e9 2b ef ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 <8b> 87 8c 2c 00 00 85 c0 7e 0c 29 f0 89 87 8c 2c 00 00 85 c0 7e 0a" \
> | sed 's/[<>]//g' | sed 's/ /, 0x/g'
find /b ..., ..., 0x00, 0x00, 0x00, 0x00, 0x00, 0x5b, 0xc3, 0x0f, 0x1f, 0x00, 0xe9, 0x1b, 0xfd, 0xff, 0xff, 0x0f, 0x1f, 0x00, 0xe8, 0x33, 0xef, 0xff, 0xff, 0xeb, 0xe2, 0x90, 0xe9, 0x2b, 0xef, 0xff, 0xff, 0x66, 0x66, 0x2e, 0x0f, 0x1f, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x87, 0x8c, 0x2c, 0x00, 0x00, 0x85, 0xc0, 0x7e, 0x0c, 0x29, 0xf0, 0x89, 0x87, 0x8c, 0x2c, 0x00, 0x00, 0x85, 0xc0, 0x7e, 0x0a
benutzer at debian:~$ gdb -q
(gdb) set width 0
(gdb) set pagination off
(gdb) file /usr/sbin/asterisk
Reading symbols from /usr/sbin/asterisk...Reading symbols from /usr/lib/debug/.build-id/23/f49a19a60d0fecbf537ba0f24d2f05792ccf44.debug...done.
done.
(gdb) set environment LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libspandsp.so.2.0.0
(gdb) b main
Breakpoint 1 at 0x42e40: file asterisk.c, line 3488.
(gdb) run
Starting program: /usr/sbin/asterisk
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Breakpoint 1, main (argc=1, argv=0x7fffffffe5d8) at asterisk.c:3488
3488 asterisk.c: Datei oder Verzeichnis nicht gefunden.
(gdb) dele 1
(gdb) info share
From To Syms Read Shared Object Library
...
0x00007ffff7f20520 0x00007ffff7f7473f Yes /usr/lib/x86_64-linux-gnu/libspandsp.so.2.0.0
...
(*): Shared library is missing debugging information.
(gdb) find /b 0x00007ffff7f20520, 0x00007ffff7f7473f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5b, 0xc3, 0x0f, 0x1f, 0x00, 0xe9, 0x1b, 0xfd, 0xff, 0xff, 0x0f, 0x1f, 0x00, 0xe8, 0x33, 0xef, 0xff, 0xff, 0xeb, 0xe2, 0x90, 0xe9, 0x2b, 0xef, 0xff, 0xff, 0x66, 0x66, 0x2e, 0x0f, 0x1f, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x87, 0x8c, 0x2c, 0x00, 0x00, 0x85, 0xc0, 0x7e, 0x0c, 0x29, 0xf0, 0x89, 0x87, 0x8c, 0x2c, 0x00, 0x00, 0x85, 0xc0, 0x7e, 0x0a
0x7ffff7f5bb66 <non_ecm_remove_fill_and_put_bit+134>
1 pattern found.
(gdb) b * (0x7ffff7f5bb66 + 42)
Breakpoint 2 at 0x7ffff7f5bb90: file t38_gateway.c, line 2244.
(gdb) info b
Num Type Disp Enb Address What
2 breakpoint keep y 0x00007ffff7f5bb90 in update_rx_timing at t38_gateway.c:2244
(gdb) disassemble /r 0x7ffff7f5bb66, 0x7ffff7f5bb66 + 62
Dump of assembler code from 0x7ffff7f5bb66 to 0x7ffff7f5bba4:
0x00007ffff7f5bb66 <non_ecm_remove_fill_and_put_bit+134>: 00 00 add %al,(%rax)
0x00007ffff7f5bb68 <non_ecm_remove_fill_and_put_bit+136>: 00 00 add %al,(%rax)
0x00007ffff7f5bb6a <non_ecm_remove_fill_and_put_bit+138>: 00 5b c3 add %bl,-0x3d(%rbx)
0x00007ffff7f5bb6d <non_ecm_remove_fill_and_put_bit+141>: 0f 1f 00 nopl (%rax)
0x00007ffff7f5bb70 <non_ecm_remove_fill_and_put_bit+144>: e9 1b fd ff ff jmpq 0x7ffff7f5b890 <non_ecm_rx_status>
0x00007ffff7f5bb75 <non_ecm_remove_fill_and_put_bit+149>: 0f 1f 00 nopl (%rax)
0x00007ffff7f5bb78 <non_ecm_remove_fill_and_put_bit+152>: e8 33 ef ff ff callq 0x7ffff7f5aab0 <non_ecm_push>
0x00007ffff7f5bb7d <non_ecm_remove_fill_and_put_bit+157>: eb e2 jmp 0x7ffff7f5bb61 <non_ecm_remove_fill_and_put_bit+129>
0x00007ffff7f5bb7f <non_ecm_remove_fill_and_put_bit+159>: 90 nop
0x00007ffff7f5bb80 <non_ecm_remove_fill_and_put_bit+160>: e9 2b ef ff ff jmpq 0x7ffff7f5aab0 <non_ecm_push>
0x00007ffff7f5bb85: 66 66 2e 0f 1f 84 00 00 00 00 00 data16 nopw %cs:0x0(%rax,%rax,1)
>>>0x00007ffff7f5bb90 <update_rx_timing+0>: 8b 87 8c 2c 00 00 mov 0x2c8c(%rdi),%eax
0x00007ffff7f5bb96 <update_rx_timing+6>: 85 c0 test %eax,%eax
0x00007ffff7f5bb98 <update_rx_timing+8>: 7e 0c jle 0x7ffff7f5bba6 <update_rx_timing+22>
0x00007ffff7f5bb9a <update_rx_timing+10>: 29 f0 sub %esi,%eax
0x00007ffff7f5bb9c <update_rx_timing+12>: 89 87 8c 2c 00 00 mov %eax,0x2c8c(%rdi)
0x00007ffff7f5bba2 <update_rx_timing+18>: 85 c0 test %eax,%eax
End of assembler dump.
(gdb) set max-value-size 100000
(gdb) ptype /o t38_gateway_state_t
type = struct t38_gateway_state_s {
/* 0 | 232 */ t38_gateway_t38_state_t t38x;
/* 232 | 11120 */ t38_gateway_audio_state_t audio;
/* 11352 | 88256 */ t38_gateway_core_state_t core;
/* 99608 | 48 */ logging_state_t logging;
/* total size (bytes): 99656 */
}
(gdb) ptype /o t38_gateway_core_state_t
type = struct {
/* 0 | 4 */ int supported_modems;
/* 4 | 4 */ int ecm_allowed;
/* 8 | 4 */ int ms_per_tx_chunk;
/* 12 | 4 */ int short_train;
/* 16 | 4 */ int image_data_mode;
/* 20 | 4 */ int min_row_bits;
/* 24 | 4 */ int count_page_on_mcf;
/* 28 | 4 */ int pages_confirmed;
/* 32 | 4 */ int ecm_mode;
/* 36 | 4 */ int fast_bit_rate;
/* 40 | 4 */ int fast_rx_modem;
/* 44 | 4 */ int fast_rx_active;
/* 48 | 4 */ int timed_mode;
/* 52 | 4 */ int samples_to_timeout;
/* 56 | 2084 */ t38_gateway_to_t38_state_t to_t38;
/* 2140 | 69640 */ t38_gateway_hdlc_state_t hdlc_to_modem;
/* 71780 | 16456 */ t38_non_ecm_buffer_state_t non_ecm_to_modem;
/* XXX 4-byte hole */
/* 88240 | 8 */ t38_gateway_real_time_frame_handler_t *real_time_frame_handler;
/* 88248 | 8 */ void *real_time_frame_user_data;
/* total size (bytes): 88256 */
}
(gdb) print 11352 + 52
$1 = 11404
(gdb) print/x 11352 + 52
$2 = 0x2c8c
(gdb) print/x 0x2c7b4 - 11352 + 52
$3 = 0x29b90
https://sources.debian.org/src/spandsp/0.0.6+dfsg-2/src/t38_gateway.c/#L2244
2242 static void update_rx_timing(t38_gateway_state_t *s, int len)
2243 {
2244 if (s->core.samples_to_timeout > 0)
2245 {
https://wiki.debian.org/HowToGetABacktrace