Bug#548894: Strange segfaults at exit, suspected: gcc optimisation.
Package: vtun
Version: 3.0.2-1.1
Severity: important
Hello,
Disclaimer 1: this bug appears both in 3.0.2-1.1 available in lenny and in
3.0.2-2 compiled on my own using the lenny toolchain/chroot. I only made one
change: I commented out dh_strip in debian/rules to be able to run
gdb.
Disclaimer 2: I am Cc-ing the gcc maintainers because I suspect this could be
the main reason for this bug. Please reassign the bug to the gcc package if
appropriate.
I noticed that vtund is segfaulting at exit on both client and server side.
Results of debugging the client side are strange.
First: tail of gdb output from original 3.0.2-1.1 package after using kill PID:
Program received signal SIGTERM, Terminated.
0xb7f07424 in __kernel_vsyscall ()
(gdb) c
Continuing.
vtund[21632]: Closing connection
Program received signal SIGSEGV, Segmentation fault.
0xb7c811bb in strlen () from /lib/i686/cmov/libc.so.6
(gdb) bt
#0 0xb7c811bb in strlen () from /lib/i686/cmov/libc.so.6
#1 0xb7c4d648 in vfprintf () from /lib/i686/cmov/libc.so.6
#2 0xb7c6bcdc in vsprintf () from /lib/i686/cmov/libc.so.6
#3 0x0804e714 in ?? ()
#4 0xbff23185 in ?? ()
#5 0x08055e07 in ?? ()
#6 0xbff23294 in ?? ()
#7 0x00000000 in ?? ()
Now: gdb output from 3.0.2-2 (with debug symbols):
Program received signal SIGTERM, Terminated.
0xb7f72424 in __kernel_vsyscall ()
(gdb) c
Continuing.
vtund[23222]: Closing connection
Program received signal SIGSEGV, Segmentation fault.
0xb7cec1bb in strlen () from /lib/i686/cmov/libc.so.6
(gdb) bt
#0 0xb7cec1bb in strlen () from /lib/i686/cmov/libc.so.6
#1 0xb7cb8648 in vfprintf () from /lib/i686/cmov/libc.so.6
#2 0xb7cd6cdc in vsprintf () from /lib/i686/cmov/libc.so.6
#3 0x0804e714 in set_title (fmt=0x8055e07 "%s running down commands")
at lib.c:102
#4 0x0804f62d in tunnel (host=0x9f85300) at tunnel.c:225
#5 0x0804df2a in client (host=0x9f853f8) at client.c:141
#6 0x0804a917 in main (argc=4, argv=0xbfd8e384, env=0xbfd8e398) at main.c:218
Look at the value of the host parameter in frames 4 and 5.
Let's look at line 223 of the tunnel.c file:
opt = linkfd(host);
Just before this line host has the value 0x9f853f8, which is correct.
Just after the return from the linkfd function it is 0x9f85300.
The segfault comes from the code on the next line:
set_title("%s running down commands", host->host);
host points to an invalid fragment of memory, so the reference to
host->host causes the segfault.
But there is more.
File linkfd.c, line 350. At the beginning of the linkfd function
host still has the value 0x9f853f8. The end of this function is:
setpriority(PRIO_PROCESS,0,old_prio);
return linker_term;
}
Between the setpriority and return lines host still has the value 0x9f853f8. And
suddenly, after returning to the tunnel function, host is 0x9f85300.
Why do I suspect it could be a gcc problem?
First I applied the following patch to the sources:
--- vtun-3.0.2.orig/linkfd.c
+++ vtun-3.0.2/linkfd.c
@@ -353,6 +353,7 @@
int old_prio;
lfd_host = host;
+ vtun_syslog(LOG_NOTICE,"linkfd begin - host=%p",host);
old_prio=getpriority(PRIO_PROCESS,0);
setpriority(PRIO_PROCESS,0,LINKFD_PRIO);
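Review bot: `lfd_host = host;` two lines above the new probe copies the pointer into a file-scope global, so the entry probe should log that global as well as the local (`"linkfd begin - host=%p lfd_host=%p"`); if the two ever disagree at exit, the corruption is in the global rather than in the caller's saved copy, which points at a different class of bug. Also, the header advertises 6 old context lines but only 4 are quoted, so this hunk will need to be regenerated with `diff -u` before it applies.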
@@ -419,5 +420,6 @@
setpriority(PRIO_PROCESS,0,old_prio);
+ vtun_syslog(LOG_NOTICE,"linkfd end - host=%p",host);
return linker_term;
}
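Review bot: an exit probe here can only confirm what the gdb session already established (linkfd's own `host` is intact right up to `return linker_term;`), so it cannot tell whether the caller's saved copy of `host` is being overwritten during the call. A hardware watchpoint on the address where `tunnel()` keeps `host` (gdb `watch` on that address, in the unpatched -O2 build) would identify the write that changes it, whereas adding a call here alters the stack and register layout that the bug depends on.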
--- vtun-3.0.2.orig/tunnel.c
+++ vtun-3.0.2/tunnel.c
@@ -220,7 +220,9 @@
break;
}
+ vtun_syslog(LOG_NOTICE,"tunnel.c pre - host=%p",host);
opt = linkfd(host);
+ vtun_syslog(LOG_NOTICE,"tunnel.c post - host=%p",host);
set_title("%s running down commands", host->host);
llist_trav(&host->down, run_cmd, &host->sopt);
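Review bot: the `post` probe prints `host` before `set_title` dereferences `host->host`, so it only moves the observation one line earlier; the crash itself is unchanged unless the pointer is valid again. Since the report states that the segfault disappears with these probes in place, the extra `vtun_syslog` calls are perturbing the -O2 frame layout rather than fixing anything, so this patch should be treated as a diagnostic that destroys the reproducer and must not be applied as a fix.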
---- here is the end of the patch ----
and everything went smoothly. After killing the client, it closed itself
without a segfault.
My next step was removing the mentioned patch and adding DEB_BUILD_OPTIONS=noopt.
vtun compiled with -O0 instead of -O2 works correctly and closes without a
segfault.
If you wish to compare the binaries I use, I put all of them here:
http://hell.pl/arturcz/vtun/
ac0 is the default 3.0.2-2 but without dh_strip
ac1 is like ac0 but with the additional syslog messages (the patch mentioned above)
ac2 is like ac0 but compiled with -O0 instead of -O2.
For compilation of all of the above I used a freshly updated pbuilder image
of lenny with the following gcc version:
root@szczaw:/# gcc --version
gcc (Debian 4.3.2-1.1) 4.3.2
Copyright (C) 2008 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Best regards
Artur
-- System Information:
Debian Release: 5.0.3
APT prefers proposed-updates
APT policy: (500, 'proposed-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages vtun depends on:
ii debconf [debconf-2.0] 1.5.24 Debian configuration management sy
ii libc6 2.9-6 GNU C Library: Shared libraries
ii liblzo2-2 2.03-1 data compression library
ii libssl0.9.8 0.9.8g-15+lenny5 SSL shared libraries
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
vtun recommends no packages.
vtun suggests no packages.
-- no debconf information
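An added helper, not part of the bug report or of vtun, that automates the check done by hand on frames 4 and 5 above: it parses a gdb backtrace and reports every point where the same pointer argument has a different value in the caller than in the callee. The sample input is the debug-symbol backtrace quoted in the report, embedded here as constructed test data.

```python
import re

# The backtrace from the 3.0.2-2 (debug symbols) gdb session in the report,
# embedded as constructed sample input.
BACKTRACE = """\
#0 0xb7cec1bb in strlen () from /lib/i686/cmov/libc.so.6
#1 0xb7cb8648 in vfprintf () from /lib/i686/cmov/libc.so.6
#2 0xb7cd6cdc in vsprintf () from /lib/i686/cmov/libc.so.6
#3 0x0804e714 in set_title (fmt=0x8055e07 "%s running down commands") at lib.c:102
#4 0x0804f62d in tunnel (host=0x9f85300) at tunnel.c:225
#5 0x0804df2a in client (host=0x9f853f8) at client.c:141
#6 0x0804a917 in main (argc=4, argv=0xbfd8e384, env=0xbfd8e398) at main.c:218
"""

# "#N 0xADDR in func (args)"; the argument list ends at the first ')'.
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)\s+\((.*?)\)")
# Only pointer-valued arguments (name=0x...) are compared.
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-f]+)")


def parse_frames(text):
    """Return [(frame_no, function, {arg_name: int_value})], innermost first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        args = {k: int(v, 16) for k, v in ARG_RE.findall(m.group(3))}
        frames.append((int(m.group(1)), m.group(2), args))
    return frames


def find_pointer_drift(text, arg="host"):
    """Walk callee -> caller and flag each boundary where `arg` changes value.

    Returns [(callee_fn, callee_val, caller_fn, caller_val, caller_val - callee_val)].
    A pointer that is passed down unchanged but differs between a callee and its
    caller suggests the caller's saved copy (stack slot or callee-saved register)
    was overwritten during the call, which is exactly the kind of fault that
    shows up only at one optimisation level.
    """
    drifts, prev = [], None
    for _, fn, args in parse_frames(text):
        if arg not in args:
            continue
        if prev is not None and prev[1] != args[arg]:
            drifts.append((prev[0], prev[1], fn, args[arg], args[arg] - prev[1]))
        prev = (fn, args[arg])
    return drifts
```

Run against the report's backtrace it names the tunnel/client boundary as the only place where `host` changes.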