Bug 38703 - libitalc is constantly crashing (segfault) in test environments if debuglevel was 2
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: iTALC
UCS@school 3.2 R2
Other Linux
Importance: P5 critical
Target Milestone: UCS@school 3.2 R2 Errata
Assigned To: Sönke Schwardt-Krummrich
QA Contact: Florian Best
Depends on: 38413
Blocks: 38415 40502
Reported: 2015-06-12 16:40 CEST by Sönke Schwardt-Krummrich
Modified: 2016-01-26 14:41 CET (History)

Description Sönke Schwardt-Krummrich univentionstaff 2015-06-12 16:40:27 CEST
This has to be backported to UCS 3.2 R2.

+++ This bug was initially created as a clone of Bug #38413 +++

In several UCS@school test environments numerous segfaults of the UCS@school computerroom module were noticed:

root@slave81:~# dmesg | grep segfault | tail -1
[125430.710625] univention-mana[24783]: segfault at 0 ip 00007f86125ef16b sp 00007f85ef8107d8 error 6 in libc-2.13.so[7f8612566000+182000]
root@slave81:~# dmesg | grep univention-mana | grep -c segfault
39
root@slave81:~#

When raising the debug level of the UMC modules to 4, the segfault vanished but reappeared when lowering the debug level back to 2.
After enabling core dumps in the UMC server and UMC modules, I was able to catch a core dump of the UCS@school computerroom module that gave interesting information:

See bug 37280 on how to enable core dumps for UMC components. I added 
"ulimit -c unlimited" to /etc/init.d/univention-management-console-server and checked the limits of the UMC module after restarting the UMC server and opening the first UMC module (limit should be "unlimited"):

root@slave81:~# pgrep -f univention-management-console-module
24205
root@slave81:~# cat /proc/24205/limits | grep core
Max core file size        unlimited            unlimited            bytes     
root@slave81:~# 

Next I tried to trigger the segfault. The core file of the module process could be found as "/core".

# ucr set repository/online/unmaintained=yes
# univention-install libc6-dbg italc-dbg gdb
# gdb /usr/bin/python2.7 core
[…]
(gdb) bt
#0  __memcpy_sse2 () at ../sysdeps/x86_64/multiarch/../memcpy.S:267
#1  0x00007f85f0a88fb5 in CopyRectangle (buffer=<optimized out>, x=<optimized out>, y=<optimized out>, w=800, h=1, client=<error reading variable: Unhandled dwarf expression opcode 0xfa>, 
    client=<error reading variable: Unhandled dwarf expression opcode 0xfa>, client=<error reading variable: Unhandled dwarf expression opcode 0xfa>)
    at /var/build/temp/tmp.WeqkYO8HNb/pbuilder/italc-2.0.22/ica/x11/libvncclient/rfbproto.c:172
#2  0x00007f85f0a5f1ee in DecompressJpegRect32 (client=client@entry=0x2ff5e00, x=x@entry=0, y=y@entry=0, w=w@entry=800, h=h@entry=81) at /var/build/temp/tmp.WeqkYO8HNb/pbuilder/italc-2.0.22/ica/x11/libvncclient/tight.c:580
#3  0x00007f85f0a5f3ca in HandleTight32 (client=client@entry=0x2ff5e00, rx=0, ry=0, rw=800, rh=81) at /var/build/temp/tmp.WeqkYO8HNb/pbuilder/italc-2.0.22/ica/x11/libvncclient/tight.c:146
#4  0x00007f85f0a90d65 in HandleRFBServerMessage (client=0x2ff5e00) at /var/build/temp/tmp.WeqkYO8HNb/pbuilder/italc-2.0.22/ica/x11/libvncclient/rfbproto.c:2101
#5  0x00007f85f0a647a2 in ItalcVncConnection::doConnection (this=this@entry=0x2ba5fa0) at /var/build/temp/tmp.WeqkYO8HNb/pbuilder/italc-2.0.22/lib/src/ItalcVncConnection.cpp:644
#6  0x00007f85f0a648c8 in ItalcVncConnection::run (this=0x2ba5fa0) at /var/build/temp/tmp.WeqkYO8HNb/pbuilder/italc-2.0.22/lib/src/ItalcVncConnection.cpp:524
#7  0x00007f861017cd0b in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#8  0x00007f8613199b50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#9  0x00007f861264270d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#10 0x0000000000000000 in ?? ()
(gdb) up
#1  0x00007f85f0a88fb5 in CopyRectangle (buffer=<optimized out>, x=<optimized out>, y=<optimized out>, w=800, h=1, client=<error reading variable: Unhandled dwarf expression opcode 0xfa>, 
    client=<error reading variable: Unhandled dwarf expression opcode 0xfa>, client=<error reading variable: Unhandled dwarf expression opcode 0xfa>)
    at /var/build/temp/tmp.WeqkYO8HNb/pbuilder/italc-2.0.22/ica/x11/libvncclient/rfbproto.c:172
172	  case 32: COPY_RECT(32); break;
(gdb) print client->frameBuffer
Unhandled dwarf expression opcode 0xfa
(gdb) up
#2  0x00007f85f0a5f1ee in DecompressJpegRect32 (client=client@entry=0x2ff5e00, x=x@entry=0, y=y@entry=0, w=w@entry=800, h=h@entry=81) at /var/build/temp/tmp.WeqkYO8HNb/pbuilder/italc-2.0.22/ica/x11/libvncclient/tight.c:580
580	    CopyRectangle(client, (uint8_t *)&client->buffer[RFB_BUFFER_SIZE / 2], x, y + dy, w, 1);
(gdb) print client->frameBuffer
$1 = (uint8_t *) 0x0
(gdb) 

It looks like it is not assured that the frameBuffer is already allocated when handling the first messages coming from the iTALC Windows client.
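The failure mode the backtrace shows (CopyRectangle() calling memcpy() while client->frameBuffer is still NULL, hence "segfault at 0 ... error 6") next to the kind of null-pointer guard Comment 1 describes as the fix, as an added example in C. This is not iTALC or libvncclient code: rfb_client_t, copy_rect_unguarded, copy_rect_guarded, simulate_early_update and reject_oversized_rect are hypothetical reductions of the real structures and functions, the row data is constructed, and the rectangle-bounds check in the guarded version goes beyond the null check this bug adds.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reduced model of the libvncclient state involved in the crash.
 * The real rfbClient struct has many more fields; only the ones the copy needs
 * are modelled here. frameBuffer stays NULL until the client allocates it. */
typedef struct {
    uint8_t *frameBuffer;
    int width;
    int height;
    int bytesPerPixel;
} rfb_client_t;

/* "Before": copies h rows of w pixels into the framebuffer without checking
 * that it exists. With frameBuffer == NULL this is the memcpy() to address 0
 * seen at the top of the backtrace. */
static void copy_rect_unguarded(rfb_client_t *c, const uint8_t *src,
                                int x, int y, int w, int h)
{
    size_t bpp = (size_t)c->bytesPerPixel;
    for (int row = 0; row < h; row++) {
        uint8_t *dst = c->frameBuffer + ((size_t)(y + row) * c->width + x) * bpp;
        memcpy(dst, src + (size_t)row * w * bpp, (size_t)w * bpp);
    }
}

/* "After": drop the update (return -1) instead of decoding into a missing
 * framebuffer. The rectangle-fits-inside-the-framebuffer check is an addition
 * beyond the null check the bug describes: a server-chosen x/y/w/h would
 * otherwise index past the allocation even when frameBuffer is valid. */
static int copy_rect_guarded(rfb_client_t *c, const uint8_t *src,
                             int x, int y, int w, int h)
{
    if (c == NULL || src == NULL || c->frameBuffer == NULL)
        return -1;
    if (x < 0 || y < 0 || w <= 0 || h <= 0)
        return -1;
    if (x > c->width - w || y > c->height - h)   /* cannot overflow: w, h > 0 */
        return -1;
    copy_rect_unguarded(c, src, x, y, w, h);     /* now safe to perform */
    return 0;
}

/* Replays the situation from the core dump: an 800-pixel-wide, 1-row update
 * (what DecompressJpegRect32 hands to CopyRectangle) arrives either before
 * (allocate = 0) or after (allocate = 1) the framebuffer is allocated.
 * Returns -1 if the update was dropped, 0 if it was applied correctly,
 * -2 if it was applied but the pixels landed in the wrong rows. */
static int simulate_early_update(int allocate)
{
    rfb_client_t c = { NULL, 800, 600, 4 };
    uint8_t row[800 * 4];                /* constructed sample row data */
    memset(row, 0xAB, sizeof row);

    if (allocate)
        c.frameBuffer = calloc((size_t)c.width * c.height, (size_t)c.bytesPerPixel);

    int rc = copy_rect_guarded(&c, row, 0, 5, 800, 1);
    if (rc == 0) {
        size_t stride = (size_t)c.width * c.bytesPerPixel;
        /* row 5 must now be 0xAB from first to last byte; rows 4 and 6 untouched */
        if (c.frameBuffer[5 * stride] != 0xAB || c.frameBuffer[6 * stride - 1] != 0xAB ||
            c.frameBuffer[4 * stride] != 0 || c.frameBuffer[6 * stride] != 0)
            rc = -2;
    }
    free(c.frameBuffer);
    return rc;
}

/* A rectangle wider than the framebuffer must be rejected even when the
 * framebuffer exists. Returns the guarded copy's result (-1 expected). */
static int reject_oversized_rect(void)
{
    uint8_t fb[4 * 4 * 4] = {0};        /* 4x4 pixels, 4 bytes each */
    uint8_t src[5 * 4];
    rfb_client_t c = { fb, 4, 4, 4 };
    memset(src, 0xCD, sizeof src);
    return copy_rect_guarded(&c, src, 0, 0, 5, 1);
}

int main(void)
{
    printf("update before allocation: %d (expect -1, dropped)\n", simulate_early_update(0));
    printf("update after allocation:  %d (expect 0, applied)\n", simulate_early_update(1));
    printf("oversized rectangle:      %d (expect -1, dropped)\n", reject_oversized_rect());
    return 0;
}
```

The guarded variant drops the rectangle rather than crashing; in a real client the caller would log the dropped update and, if the server keeps sending updates before a framebuffer exists, treat the connection as out of protocol and close it rather than silently discarding data.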
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2015-06-12 17:44:11 CEST
Patches have been merged from ucs-school-4.0r2 (the bug number in the commit messages was accidentally left unchanged):

italc (2:2.0.18-5):
r61225 | Bug #38413: print status messages when applying patches
r61224 | Bug #38413: added additional null pointer check
r61223 | Bug #38413: updated copyright
r61222 | Bug #38413: backported safety check to prevent a segfault in libvncclient

Package has been rebuilt and pushed to 3.2 test appcenter into repository "ucsschool_20150225b". In 4.0 a symlink has been created: 
"ucsschool_20150225b" ==> "ucsschool_20150225". The 

A changelog entry has been added to the README_* files.

A test with the new package is pending.
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2015-06-23 08:47:31 CEST
(In reply to Sönke Schwardt-Krummrich from comment #1)
> A test with the new package is pending.
No more problems observed on test machine after installing the patched version.

@QA: The app update has been prepared. Release notes will not be published; instead the README_* files of the app contain a corresponding changelog entry.
The appcenter.test repo has been prepared. Please test this, too.
Comment 3 Florian Best univentionstaff 2015-06-25 13:46:45 CEST
I could reproduce the segfault:
Jun 25 13:15:11 ucsmaster kernel: [ 5060.412772] univention-mana[14821]: segfault at 0 ip 00007fb6623bc1ab sp 00007fb642ab6738 error 6 in libc-2.11.3.so[7fb662339000+160000]

After patching italc and playing around, no segfault occurred anymore.

README_* is OK.
REOPEN: the printermoderation package is in the repository, too.
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2015-06-25 13:49:48 CEST
(In reply to Florian Best from comment #3)
> REOPEN: the printermoderation package is in the repository, too.

Fixed.
Comment 5 Florian Best univentionstaff 2015-06-25 14:01:51 CEST
(In reply to Sönke Schwardt-Krummrich from comment #4)
> (In reply to Florian Best from comment #3)
> > REOPEN: the printermoderation package is in the repository, too.
> 
> Fixed.
yep
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2015-06-26 12:37:45 CEST
UCS@school 3.2 R2 v4 has been released.
No separate release notes document.

If this error occurs again, please use "Clone This Bug".