Bug 770132 - Zarafa is crashing due to wrong/broken file descriptors check in GLIBC
Summary: Zarafa is crashing due to wrong/broken file descriptors check in GLIBC
Keywords:
Status: CLOSED DUPLICATE of bug 760888
Alias: None
Product: Fedora
Classification: Fedora
Component: glibc
Version: 16
Hardware: All
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Jeff Law
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 760888
 
Reported: 2011-12-23 14:29 UTC by Robert Scheck
Modified: 2016-11-24 15:47 UTC (History)
CC: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-28 05:32:03 UTC
Type: ---
Embargoed:



Description Robert Scheck 2011-12-23 14:29:09 UTC
Description of problem:
Zarafa is crashing due to wrong/broken file descriptors check in GLIBC:

>   if (d >= FD_SETSIZE)
>     __chk_fail ();
> glibc/debug/fdelt_chk.c

This check is wrong according to the Zarafa developers.

See also bug #760888 for more technical details. If needed, there is also
a virtual machine with Fedora 16 and Zarafa including gdb and valgrind where
the issue can be reproduced on-the-fly. Just let me know if it's needed.

Version-Release number of selected component (if applicable):
glibc-2.14.90-21.x86_64
zarafa-7.0.3-2.x86_64

How reproducible:
Every time, see above and below.

Steps to Reproduce:
1. Fedora 16 minimal installation with all updates
2. yum install --enablerepo=fedora-updates-testing "zarafa*" mysql-server
3. Configure Zarafa
4. service mysqld start
5. service zarafa-server start
6. zarafa-admin -l
7. Find the crash in /var/log/zarafa/server.log
  
Actual results:
Zarafa is crashing due to wrong/broken file descriptors check in GLIBC.

Expected results:
Zarafa should not crash like in older Fedora or RHEL releases.

Additional info:
[root@localhost ~]# gdb zarafa-server
GNU gdb (GDB) Fedora (7.3.50.20110722-10.fc16)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/zarafa-server...Reading symbols from
/usr/lib/debug/usr/bin/zarafa-server.debug...done.
done.
(gdb) run -F
Starting program: /usr/bin/zarafa-server -F
warning: "/usr/lib/debug/usr/lib64/libicudata.so.46.0.debug": separate debug
info file has no debug info
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Detaching after fork from child process 2135.
[New Thread 0x7fffec5ea700 (LWP 2136)]
[Thread 0x7fffec5ea700 (LWP 2136) exited]
[New Thread 0x7fffec5ea700 (LWP 2138)]
[New Thread 0x7fffebde9700 (LWP 2140)]
[New Thread 0x7fffeb5e8700 (LWP 2141)]
[New Thread 0x7fffeade7700 (LWP 2142)]
[New Thread 0x7fffea5e6700 (LWP 2144)]
[New Thread 0x7fffe9de5700 (LWP 2146)]
[New Thread 0x7fffe95e4700 (LWP 2147)]
[New Thread 0x7fffe8de3700 (LWP 2148)]
[New Thread 0x7fffe3fff700 (LWP 2149)]
[New Thread 0x7fffe37fe700 (LWP 2150)]
[New Thread 0x7fffe2ffd700 (LWP 2151)]
[New Thread 0x7fffe27fc700 (LWP 2152)]
[New Thread 0x7fffe1ffb700 (LWP 2153)]
[New Thread 0x7fffe17fa700 (LWP 2154)]
[New Thread 0x7fffe0ff9700 (LWP 2155)]
*** buffer overflow detected ***: /usr/bin/zarafa-server terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7ffff3783f77]
/lib64/libc.so.6(+0x104ef0)[0x7ffff3781ef0]
/lib64/libc.so.6(+0x106f2e)[0x7ffff3783f2e]
/usr/bin/zarafa-server[0x5fa6a1]
/usr/bin/zarafa-server(soap_recv_raw+0xc8)[0x5fa9c8]
/usr/bin/zarafa-server(soap_getchar+0x4d)[0x5fb33d]
/usr/bin/zarafa-server(soap_begin_recv+0x1fa)[0x60d56a]
/usr/bin/zarafa-server(_ZN14ECWorkerThread4WorkEPv+0x95)[0x4c0245]
/lib64/libpthread.so.0(+0x7d90)[0x7ffff594cd90]
/lib64/libc.so.6(clone+0x6d)[0x7ffff376c3dd]
======= Memory map: ========
00400000-007ad000 r-xp 00000000 fd:01 18197 /usr/bin/zarafa-server
009ac000-009b7000 rw-p 003ac000 fd:01 18197 /usr/bin/zarafa-server
009b7000-00ab1000 rw-p 00000000 00:00 0                                  [heap]
7fffdc000000-7fffdc021000 rw-p 00000000 00:00 0 
7fffdc021000-7fffe0000000 ---p 00000000 00:00 0 
7fffe07f9000-7fffe07fa000 ---p 00000000 00:00 0 
7fffe07fa000-7fffe0ffa000 rw-p 00000000 00:00 0 
7fffe0ffa000-7fffe0ffb000 ---p 00000000 00:00 0 
7fffe0ffb000-7fffe17fb000 rw-p 00000000 00:00 0 
7fffe17fb000-7fffe17fc000 ---p 00000000 00:00 0 
7fffe17fc000-7fffe1ffc000 rw-p 00000000 00:00 0 
7fffe1ffc000-7fffe1ffd000 ---p 00000000 00:00 0 
7fffe1ffd000-7fffe27fd000 rw-p 00000000 00:00 0 
7fffe27fd000-7fffe27fe000 ---p 00000000 00:00 0 
7fffe27fe000-7fffe2ffe000 rw-p 00000000 00:00 0 
7fffe2ffe000-7fffe2fff000 ---p 00000000 00:00 0 
7fffe2fff000-7fffe37ff000 rw-p 00000000 00:00 0 
7fffe37ff000-7fffe3800000 ---p 00000000 00:00 0 
7fffe3800000-7fffe4000000 rw-p 00000000 00:00 0 
7fffe4000000-7fffe4021000 rw-p 00000000 00:00 0 
7fffe4021000-7fffe8000000 ---p 00000000 00:00 0 
7fffe85e3000-7fffe85e4000 ---p 00000000 00:00 0 
7fffe85e4000-7fffe8de4000 rw-p 00000000 00:00 0 
7fffe8de4000-7fffe8de5000 ---p 00000000 00:00 0 
7fffe8de5000-7fffe95e5000 rw-p 00000000 00:00 0 
7fffe95e5000-7fffe95e6000 ---p 00000000 00:00 0 
7fffe95e6000-7fffe9de6000 rw-p 00000000 00:00 0 
7fffe9de6000-7fffe9de7000 ---p 00000000 00:00 0 
7fffe9de7000-7fffea5e7000 rw-p 00000000 00:00 0 
7fffea5e7000-7fffea5e8000 ---p 00000000 00:00 0 
7fffea5e8000-7fffeade8000 rw-p 00000000 00:00 0 
7fffeade8000-7fffeade9000 ---p 00000000 00:00 0 
7fffeade9000-7fffeb5e9000 rw-p 00000000 00:00 0 
7fffeb5e9000-7fffeb5ea000 ---p 00000000 00:00 0 
7fffeb5ea000-7fffebdea000 rw-p 00000000 00:00 0 
7fffebdea000-7fffebdeb000 ---p 00000000 00:00 0 
7fffebdeb000-7fffec5eb000 rw-p 00000000 00:00 0 
7fffec5eb000-7fffec5f7000 r-xp 00000000 fd:01 3944 /lib64/libnss_files-2.14.90.so
7fffec5f7000-7fffec7f6000 ---p 0000c000 fd:01 3944 /lib64/libnss_files-2.14.90.so
7fffec7f6000-7fffec7f7000 r--p 0000b000 fd:01 3944 /lib64/libnss_files-2.14.90.so
7fffec7f7000-7fffec7f8000 rw-p 0000c000 fd:01 3944 /lib64/libnss_files-2.14.90.so
7fffec7f8000-7ffff2c1b000 r--p 00000000 fd:01 4243 /usr/lib/locale/locale-archive
7ffff2c1b000-7ffff2c38000 r-xp 00000000 fd:01 4359 /lib64/libselinux.so.1
7ffff2c38000-7ffff2e38000 ---p 0001d000 fd:01 4359 /lib64/libselinux.so.1
7ffff2e38000-7ffff2e39000 r--p 0001d000 fd:01 4359 /lib64/libselinux.so.1
7ffff2e39000-7ffff2e3a000 rw-p 0001e000 fd:01 4359 /lib64/libselinux.so.1
7ffff2e3a000-7ffff2e3b000 rw-p 00000000 00:00 0 
7ffff2e3b000-7ffff2e53000 r-xp 00000000 fd:01 3954 /lib64/libresolv-2.14.90.so
7ffff2e53000-7ffff3053000 ---p 00018000 fd:01 3954 /lib64/libresolv-2.14.90.so
7ffff3053000-7ffff3054000 r--p 00018000 fd:01 3954 /lib64/libresolv-2.14.90.so
7ffff3054000-7ffff3055000 rw-p 00019000 fd:01 3954 /lib64/libresolv-2.14.90.so
7ffff3055000-7ffff3057000 rw-p 00000000 00:00 0 
7ffff3057000-7ffff3059000 r-xp 00000000 fd:01 4986 /lib64/libkeyutils.so.1.4
7ffff3059000-7ffff3259000 ---p 00002000 fd:01 4986 /lib64/libkeyutils.so.1.4
7ffff3259000-7ffff325a000 rw-p 00002000 fd:01 4986 /lib64/libkeyutils.so.1.4
7ffff325a000-7ffff3264000 r-xp 00000000 fd:01 4998 /lib64/libkrb5support.so.0.1
7ffff3264000-7ffff3463000 ---p 0000a000 fd:01 4998 /lib64/libkrb5support.so.0.1
7ffff3463000-7ffff3464000 r--p 00009000 fd:01 4998 /lib64/libkrb5support.so.0.1
7ffff3464000-7ffff3465000 rw-p 0000a000 fd:01 4998 /lib64/libkrb5support.so.0.1
7ffff3465000-7ffff347c000 r-xp 00000000 fd:01 4424 /lib64/libaudit.so.1.0.0
7ffff347c000-7ffff367b000 ---p 00017000 fd:01 4424 /lib64/libaudit.so.1.0.0
7ffff367b000-7ffff367c000 r--p 00016000 fd:01 4424 /lib64/libaudit.so.1.0.0
7ffff367c000-7ffff367d000 rw-p 00017000 fd:01 4424 /lib64/libaudit.so.1.0.0
7ffff367d000-7ffff3828000 r-xp 00000000 fd:01 3926 /lib64/libc-2.14.90.so
7ffff3828000-7ffff3a28000 ---p 001ab000 fd:01 3926 /lib64/libc-2.14.90.so
7ffff3a28000-7ffff3a2c000 r--p 001ab000 fd:01 3926 /lib64/libc-2.14.90.so
7ffff3a2c000-7ffff3a2e000 rw-p 001af000 fd:01 3926 /lib64/libc-2.14.90.so
7ffff3a2e000-7ffff3a33000 rw-p 00000000 00:00 0 
7ffff3a33000-7ffff3a48000 r-xp 00000000 fd:01 308 /lib64/libgcc_s-4.6.2-20111027.so.1
7ffff3a48000-7ffff3c47000 ---p 00015000 fd:01 308 /lib64/libgcc_s-4.6.2-20111027.so.1
7ffff3c47000-7ffff3c48000 rw-p 00014000 fd:01 308 /lib64/libgcc_s-4.6.2-20111027.so.1
7ffff3c48000-7ffff3ccb000 r-xp 00000000 fd:01 3934 /lib64/libm-2.14.90.so
7ffff3ccb000-7ffff3eca000 ---p 00083000 fd:01 3934 /lib64/libm-2.14.90.so
7ffff3eca000-7ffff3ecb000 r--p 00082000 fd:01 3934 /lib64/libm-2.14.90.so
7ffff3ecb000-7ffff3ecc000 rw-p 00083000 fd:01 3934 /lib64/libm-2.14.90.so
7ffff3ecc000-7ffff3fb5000 r-xp 00000000 fd:01 4864 /usr/lib64/libstdc++.so.6.0.16
7ffff3fb5000-7ffff41b4000 ---p 000e9000 fd:01 4864 /usr/lib64/libstdc++.so.6.0.16
7ffff41b4000-7ffff41bc000 r--p 000e8000 fd:01 4864 /usr/lib64/libstdc++.so.6.0.16
7ffff41bc000-7ffff41be000 rw-p 000f0000 fd:01 4864 /usr/lib64/libstdc++.so.6.0.16
7ffff41be000-7ffff41d3000 rw-p 00000000 00:00 0 
Program received signal SIGABRT, Aborted.
[Switching to Thread 0x7fffe2ffd700 (LWP 2151)]
0x00007ffff36b3285 in __GI_raise (sig=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
64   return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt full
#0  0x00007ffff36b3285 in __GI_raise (sig=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
        resultvar = 0
        pid = <optimized out>
        selftid = 2151
#1  0x00007ffff36b4b9b in __GI_abort () at abort.c:91
        save_stage = 2
        act = {__sigaction_handler = {sa_handler = 0x4, sa_sigaction = 0x4},
sa_mask = {__val = {5, 140737354065072, 16, 140737278565759, 1,
140737277128913, 5, 140737278569985, 3, 140737001799422, 2, 140737278565706, 1, 
              140737278574539, 3, 140737001799396}}, sa_flags = 12, sa_restorer
= 0x7ffff37effcf}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007ffff36f2fae in __libc_message (do_abort=2, fmt=0x7ffff37f003b "***
%s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:198
        ap = {{gp_offset = 32, fp_offset = 48, overflow_arg_area =
0x7fffe2ffc7e0, reg_save_area = 0x7fffe2ffc6f0}}
        ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area =
0x7fffe2ffc7e0, reg_save_area = 0x7fffe2ffc6f0}}
        fd = 14
        on_2 = <optimized out>
        list = <optimized out>
        nlist = <optimized out>
        cp = <optimized out>
        written = <optimized out>
#3  0x00007ffff3783f77 in __GI___fortify_fail (msg=0x7ffff37effd2 "buffer
overflow detected") at fortify_fail.c:32
No locals.
#4  0x00007ffff3781ef0 in __GI___chk_fail () at chk_fail.c:29
No locals.
#5  0x00007ffff3783f2e in __fdelt_chk (d=<optimized out>) at fdelt_chk.c:26
No locals.
#6  0x00000000005fa6a1 in frecv (soap=0xa74f30, s=0xa7b060 "", n=65536) at
stdsoap2.cpp:887
        __d = <optimized out>
        timeout = {tv_sec = 60, tv_usec = 0}
        fd = {fds_bits = {0 <repeats 128 times>}}
        err = 0
        r = <optimized out>
#7  0x00000000005fa9c8 in soap_recv_raw (soap=0xa74f30) at stdsoap2.cpp:1167
        ret = <optimized out>
#8  0x00000000005fb33d in soap_getchar (soap=0xa74f30) at stdsoap2.cpp:1303
No locals.
#9  soap_getchar (soap=0xa74f30) at stdsoap2.cpp:1295
No locals.
#10 0x000000000060d56a in soap_begin_recv (soap=0xa74f30) at stdsoap2.cpp:12929
        c = <optimized out>
#11 0x00000000004c0245 in ECWorkerThread::Work (lpParam=0xa74670) at
ECThreadManager.cpp:189
        dblStart = 1324415053.9046531
        lpThis = 0xa74670
        lpWorkItem = 0xa90800
        err = 0
        er = <optimized out>
        fStop = false
#12 0x00007ffff594cd90 in start_thread (arg=0x7fffe2ffd700) at
pthread_create.c:309
        __res = <optimized out>
        pd = 0x7fffe2ffd700
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {1, 1677272379085254327,
140737313595424, 140737001806272, 0, 3, -1677278977823904073,
-1677250570931179849}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0,
0x0}, 
            data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = 0
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#13 0x00007ffff376c3dd in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:115
No locals.
(gdb)
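
The backtrace above ends in gSOAP's frecv() building an fd_set for select(), and glibc's __fdelt_chk aborting from inside FD_SET. The quoted check fires when a descriptor numbered FD_SETSIZE (1024 on glibc) or higher is passed to FD_SET; whatever one thinks of the fortify check itself, such a call sets a bit beyond the end of the fd_set bitmap, so a process that holds many descriptors will eventually hit it. The following is an added example, not code from Zarafa, gSOAP or glibc: a bounds-checked FD_SET wrapper that refuses out-of-range descriptors with EINVAL, and a poll()-based readiness wait that has no FD_SETSIZE ceiling at all. The function names and the pipe self-test are this example's own.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <unistd.h>

/* Bounds-checked FD_SET (hypothetical helper, not from gSOAP or glibc).
 * FD_SET on fd >= FD_SETSIZE writes outside the fd_set bitmap; with
 * _FORTIFY_SOURCE glibc's __fdelt_chk turns that into an abort, as in the
 * backtrace. Rejecting the descriptor here keeps the caller in control. */
int fd_set_checked(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* poll()-based alternative to select(): works for any descriptor number,
 * so a server holding more than FD_SETSIZE descriptors is unaffected.
 * Returns 1 if readable (or hung up / in error), 0 on timeout, -1 on error. */
int wait_readable(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
    int r;
    do {
        r = poll(&pfd, 1, timeout_ms);
    } while (r < 0 && errno == EINTR);   /* retry on signal interruption */
    if (r <= 0)
        return r;
    return (pfd.revents & (POLLIN | POLLHUP | POLLERR)) ? 1 : 0;
}

/* Self-check for the wrapper: an in-range fd is set, an out-of-range fd
 * (FD_SETSIZE itself) and a negative fd are refused. Returns 1 on success. */
int demo_fd_set_checks(void)
{
    fd_set set;
    FD_ZERO(&set);
    if (fd_set_checked(3, &set) != 0 || !FD_ISSET(3, &set))
        return 0;
    if (fd_set_checked(FD_SETSIZE, &set) != -1 || errno != EINVAL)
        return 0;
    if (fd_set_checked(-1, &set) != -1)
        return 0;
    return 1;
}

/* Self-check for wait_readable using a constructed pipe: empty pipe times
 * out immediately, pipe with one pending byte is readable. Returns 1 on
 * success, 0 otherwise. */
int demo_pipe_readiness(void)
{
    int p[2];
    int ok = 0;
    if (pipe(p) != 0)
        return 0;
    if (wait_readable(p[0], 0) == 0 &&          /* nothing pending: timeout */
        write(p[1], "x", 1) == 1 &&
        wait_readable(p[0], 1000) == 1)         /* one byte pending: ready */
        ok = 1;
    close(p[0]);
    close(p[1]);
    return ok;
}

int main(void)
{
    printf("FD_SETSIZE on this libc: %d\n", (int)FD_SETSIZE);
    printf("fd_set bounds checks: %s\n", demo_fd_set_checks() ? "ok" : "failed");
    printf("poll() readiness demo: %s\n", demo_pipe_readiness() ? "ok" : "failed");
    return 0;
}
```

Build with the distribution's hardening flags (on Fedora that means -O2 -D_FORTIFY_SOURCE=2) to keep the fortify check active; the wrapper never reaches FD_SET with an out-of-range value, so the check has nothing to report. For a daemon that legitimately exceeds 1024 open descriptors, switching the wait loop to poll() as in wait_readable() is the fix that removes the limit rather than the check.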

Comment 1 Jeff Law 2011-12-28 05:32:03 UTC

*** This bug has been marked as a duplicate of bug 76088 ***

Comment 2 Robert Scheck 2011-12-28 07:28:10 UTC
It's 760888, not 76088 ;-)

*** This bug has been marked as a duplicate of bug 760888 ***

