Further information on this.

I built the lua50 Debian packages and imapfilter without dh_strip from
the apt-gotten source packages in Debian, and these are some findings.
On 05/09/05 18:12 +0530, Y Giridhar Appaji Nag - Debian said ...
> On 05/09/01 09:35 +0200, Ulf Rompe said ...
> >
> > imapfilter dies after setting up an imap connection:
>
> In my case, it dies much before that. Looks like just after initiating
> a CAPABILITY transaction.
>
> I will do some more tests, try and compile with debugging symbols and
> run this under gdb to provide more data.
S (6): * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE
THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL
ACL2=UNION] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc. See
COPYING for distribution information.
C (6): 1000 CAPABILITY
*** glibc detected *** corrupted double-linked list: 0x402de218 ***
Program received signal SIGABRT, Aborted.
0x401d29e7 in raise () from /lib/tls/libc.so.6
(gdb) bt
#0 0x401d29e7 in raise () from /lib/tls/libc.so.6
#1 0x401d431b in abort () from /lib/tls/libc.so.6
#2 0x40209365 in __fsetlocking () from /lib/tls/libc.so.6
#3 0x4020f50c in malloc_usable_size () from /lib/tls/libc.so.6
#4 0x402105ab in free () from /lib/tls/libc.so.6
#5 0x40211901 in calloc () from /lib/tls/libc.so.6
#6 0x40258679 in re_compile_pattern () from /lib/tls/libc.so.6
#7 0x4025bc96 in re_compile_pattern () from /lib/tls/libc.so.6
#8 0x4025ebeb in regexec () from /lib/tls/libc.so.6
#9 0x0804e62a in check_tag ()
#10 0x0804e812 in response_generic ()
#11 0x0804e8ea in response_capability ()
#12 0x0804dbf1 in request_login ()
#13 0x0804ada4 in ifcore_login ()
#14 0x40051d41 in luaD_precall (L=0x8083e50, func=0x8082d74) at ldo.c:260
#15 0x4006200a in luaV_execute (L=0x8083e50) at lvm.c:627
#16 0x400522ae in luaD_call (L=0x8083e50, func=0x8082d44, nResults=-1) at
ldo.c:313
#17 0x4004c8a6 in f_call (L=0x8083e50, ud=0x0) at lapi.c:672
#18 0x40051923 in luaD_rawrunprotected (L=0x8083e50, f=0x4004c880 <f_call>,
ud=0xbffffa74) at ldo.c:88
#19 0x4005290c in luaD_pcall (L=0x8083e50, func=0x4004c880 <f_call>,
u=0xbffffa74, old_top=0, ef=0) at ldo.c:416
#20 0x4004dce8 in lua_pcall (L=0x8083e50, nargs=0, nresults=0, errfunc=0) at
lapi.c:685
#21 0x0804cfb6 in start_lua ()
#22 0x0804c91c in main ()
(gdb)
I placed breakpoints at each of the above function calls and ran
commands to check for memory corruption at that point using mcheck:
[snip...]
(gdb) b luaD_precall
Function "luaD_precall" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 9 (luaD_precall) pending.
(gdb) b ifcore_login
Breakpoint 10 at 0x804acb8
(gdb) b request_login
Breakpoint 11 at 0x804dadb
(gdb) b response_capability
Breakpoint 12 at 0x804e8db
[snip...]
Followed by ...
[snip...]
(gdb) command 9
Type commands for when breakpoint 9 is hit, one per line.
End with a line saying just "end".
>call mcheck(0)
>continue
>end
(gdb) command 10
Type commands for when breakpoint 10 is hit, one per line.
End with a line saying just "end".
>call mcheck(0)
>continue
>end
(gdb) command 11
Type commands for when breakpoint 11 is hit, one per line.
End with a line saying just "end".
>call mcheck(0)
>continue
>end
(gdb) command 12
Type commands for when breakpoint 12 is hit, one per line.
End with a line saying just "end".
>call mcheck(0)
>continue
>end
[snip...]
And ran it again. This is what happens:
(gdb) r -v -c ~/.imapfilter/lists.lua
[snip...]
Breakpoint 24, luaD_precall (L=0x809a420, func=0x80992b0) at ldo.c:223
223 ptrdiff_t funcr = savestack(L, func);
$54 = 0
Breakpoint 24, luaD_precall (L=0x809a420, func=0x809928c) at ldo.c:223
223 ptrdiff_t funcr = savestack(L, func);
$55 = 0
Breakpoint 10, 0x0804acb8 in ifcore_login ()
$56 = 0
Breakpoint 11, 0x0804dadb in request_login ()
$57 = 0
block freed twice
Program received signal SIGABRT, Aborted.
0x401d29e7 in raise () from /lib/tls/libc.so.6
(gdb)
So looks like there is a double free in request_login.
(gdb) l request_login
No line number known for request_login.
(gdb) f 12
#12 0x0804db93 in request_login ()
(gdb) l
685 status = luaD_pcall(L, f_call, &c, savestack(L, c.func), func);
686 lua_unlock(L);
687 return status;
688 }
689
690
691 /*
692 ** Execute a protected C call.
693 */
694 struct CCallS { /* data to `f_Ccall' */
(gdb)
But that shows up the last call for which the source was available. I'll
try to figure out which package the request_login function is from and then
send in more updates.
Giridhar
--
Y Giridhar Appaji Nag | http://www.appaji.net/
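
Added example, not part of the original message and not imapfilter or glibc code: glibc reports heap damage where it notices it (in the backtrace above, inside calloc() under regexec()), which need not be where it was caused. The sketch below tracks blocks in a small table so that a repeated free is reported at the offending call; all chk_* names are hypothetical.

```c
/* Added example: track heap blocks so a double free is reported at the
 * offending call. All chk_* names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define CHK_MAX 128
enum chk_status { CHK_OK, CHK_DOUBLE_FREE, CHK_UNKNOWN };
struct chk_slot { uintptr_t addr; int live; };
static struct chk_slot chk_tab[CHK_MAX];
static size_t chk_used;

static struct chk_slot *chk_find(uintptr_t addr)
{
    for (size_t i = 0; i < chk_used; i++)
        if (chk_tab[i].addr == addr)
            return &chk_tab[i];
    return NULL;
}

/* Allocate and record a block. malloc() may return an address that was
 * freed earlier, so an existing slot is simply marked live again. */
void *chk_malloc(size_t n)
{
    void *p = malloc(n);
    if (p == NULL) return NULL;
    struct chk_slot *s = chk_find((uintptr_t)p);
    if (s == NULL && chk_used < CHK_MAX) {
        s = &chk_tab[chk_used++];
        s->addr = (uintptr_t)p;
    }
    if (s == NULL) { free(p); return NULL; } /* table full: fail closed */
    s->live = 1;
    return p;
}

/* Free a tracked block. A repeated free is reported and not passed on
 * to free(), so the allocator's free lists are never touched twice. */
enum chk_status chk_free(void *p)
{
    if (p == NULL) return CHK_OK; /* free(NULL) is a no-op */
    struct chk_slot *s = chk_find((uintptr_t)p);
    if (s == NULL) return CHK_UNKNOWN;
    if (!s->live) return CHK_DOUBLE_FREE;
    s->live = 0;
    free(p);
    return CHK_OK;
}
```

In a debugging build, a breakpoint on the CHK_DOUBLE_FREE return gives a backtrace at the second free itself.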