elmo crashes on startup

Bug #3122 reported by Chris Moore
Affects: elmo (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: MOTU Reviewers Team

Bug Description

$ elmo
Segmentation fault

I traced the problem to this code in ask.c:

        result->cd = confhold_open (name);
        if (result->cd == -1){
                confhold_close (result->cd);

and this code in confhold.c:

  confhold_close (int cd)
  {
        /* no range check: cd is used as an index as-is, so cd == -1
           stores a 1 just before the start of conf_table */
        conf_table[cd].unused = 1;
  }

Notice that the 'cd' argument to confhold_close is -1. That's used as an array index, which overwrites the value of variable_table:

from confhold.c:

  static conf_t conf_table[CONF_SIZE];
  static htable_t *variable_table = NULL;

Removing the call to confhold_close fixes this bug:

--- Backup/ask.c.~1~ 2004-06-13 22:07:54.000000000 +0200
+++ ask.c 2005-10-14 03:43:24.000000000 +0200
@@ -143,7 +143,6 @@

         result->cd = confhold_open (name);
         if (result->cd == -1){
- confhold_close (result->cd);
                 xfree (result);
                 return NULL;
         }
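Review bot: dropping the confhold_close call is the right fix for this caller, since confhold_close writes conf_table[cd].unused without checking cd and so turns the -1 failure value from confhold_open into an out-of-bounds store; but the same hazard remains for any other caller that hands confhold_close a bad descriptor. Suggest hardening the callee as well with a range check at the top of confhold_close in confhold.c, e.g. `if (cd < 0 || cd >= CONF_SIZE) return;`, so invalid descriptors are refused there rather than every caller having to remember. The rest of the error path (xfree and return NULL) is unchanged by this hunk, which is what the -143,7 +143,6 header reflects.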

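The bug boils down to a callee that trusts its integer argument as an array index and a caller that passes it the -1 failure value. The following is an added example, not elmo's own code: a minimal model of the confhold descriptor table with a bounds-checked confhold_close() and a caller written the way the patched ask.c handles open failure. The names conf_table, variable_table, confhold_open, confhold_close and CONF_SIZE come from the report; the struct fields, return values, confhold_init(), the variable_table_target stand-in and the ask_open()/ask_close() caller are assumptions made for this illustration.

```c
/* Added example (not elmo's code): bounds-checked descriptor table.
 * Names from the bug report; fields, return values and the ask_* caller
 * are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CONF_SIZE 4

typedef struct {
    char name[32];
    int  unused;            /* 1 = slot free, 0 = slot in use */
} conf_t;

/* Same shape as the globals in the report: a static array with a static
 * pointer declared right after it.  In the unfixed code,
 * conf_table[-1].unused = 1 stored a 1 into whatever the linker placed
 * next to the array; the gdb session shows variable_table turning into
 * the pointer 0x1, which htable_insert then dereferenced. */
static conf_t conf_table[CONF_SIZE];
static int    variable_table_target;      /* stands in for the hash table (assumed) */
static int   *variable_table = NULL;

/* One unsigned compare rejects every negative cd (-1, -16, ...) as well as
 * cd >= CONF_SIZE, so there is no separate "cd < 0" test to forget. */
static int conf_index_ok(int cd)
{
    return (unsigned) cd < (unsigned) CONF_SIZE;
}

void confhold_init(void)
{
    for (int i = 0; i < CONF_SIZE; i++) {
        conf_table[i].unused = 1;
        conf_table[i].name[0] = '\0';
    }
    variable_table = &variable_table_target;
}

/* Returns a descriptor (an index into conf_table) or -1 when the table is full. */
int confhold_open(const char *name)
{
    for (int i = 0; i < CONF_SIZE; i++) {
        if (conf_table[i].unused) {
            conf_table[i].unused = 0;
            snprintf(conf_table[i].name, sizeof conf_table[i].name, "%s", name);
            return i;
        }
    }
    return -1;
}

/* Hardened close: an invalid descriptor is reported and ignored instead of
 * being used as an array index.  Returns 0 on success, -1 on a bad cd. */
int confhold_close(int cd)
{
    if (!conf_index_ok(cd)) {
        fprintf(stderr, "confhold_close: invalid descriptor %d\n", cd);
        return -1;
    }
    conf_table[cd].unused = 1;
    return 0;
}

/* 1 while variable_table still points where confhold_init() left it;
 * with the unchecked close from the report it would have become 0x1. */
int confhold_variable_table_intact(void)
{
    return variable_table == &variable_table_target;
}

int confhold_open_count(void)
{
    int n = 0;
    for (int i = 0; i < CONF_SIZE; i++)
        n += !conf_table[i].unused;
    return n;
}

typedef struct { int cd; } ask_t;

/* Caller written the way the fixed ask.c does it: on open failure, free the
 * result and return NULL without calling confhold_close on a -1 descriptor. */
ask_t *ask_open(const char *name)
{
    ask_t *result = malloc(sizeof *result);
    if (result == NULL)
        return NULL;
    result->cd = confhold_open(name);
    if (result->cd == -1) {
        free(result);
        return NULL;
    }
    return result;
}

void ask_close(ask_t *a)
{
    if (a == NULL)
        return;
    confhold_close(a->cd);
    free(a);
}

int main(void)
{
    confhold_init();
    ask_t *a = ask_open("win_echo");
    printf("open: cd=%d\n", a ? a->cd : -1);
    printf("close(-1) -> %d, pointer intact: %d\n",
           confhold_close(-1), confhold_variable_table_intact());
    ask_close(a);
    return 0;
}
```

The unsigned comparison in conf_index_ok is the habit worth taking away: a single `(unsigned) cd < CONF_SIZE` covers both ends of the range, so a descriptor of -1 (or the -16 seen under -O3 in the gdb session) is rejected before it can become an index.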
Revision history for this message
Sebastien Bacher (seb128) wrote :

Do you have a backtrace of the crash? A rebuild fixes the issue with the current package.

Changed in elmo:
assignee: nobody → motu
Revision history for this message
Chris Moore (dooglus) wrote :

The backtrace I get from the packaged binary is useless, and I've removed my source tree of it now after fixing the problem.

But the error is plain to see - look at the source fragments I pointed out. It's writing to element "minus one" of an array. That overwrites space it shouldn't.

I found that rebuilding without the -O3 flag made the bug go away - possibly due to the static memory being spaced out differently, I don't know.

Revision history for this message
Chris Moore (dooglus) wrote :

OK, refetched the source.

First I show a watchpoint on the corrupted variable - a pointer gets set to 1.

Then I show the crash. The pointer to address 1 gets dereferenced:

Script started on Fri 14 Oct 2005 14:50:08 CEST
chris@chrislap:~/src/elmo/elmo-1.3.0/src$ gdb ./elmo
GNU gdb 6.3-debian

(gdb) watch variable_table
Hardware watchpoint 1: variable_table
(gdb) run
Starting program: /home/chris/src/elmo/elmo-1.3.0/src/elmo
Hardware watchpoint 1: variable_table

Old value = (htable_t *) 0x0
New value = (htable_t *) 0x80b5ec0
confhold_init () at confhold.c:171
171 values_table = htable_create (6);
(gdb) c
Continuing.
Hardware watchpoint 1: variable_table

Old value = (htable_t *) 0x80b5ec0
New value = (htable_t *) 0x1
confhold_close (cd=-16) at confhold.c:273
273 }
(gdb) print variable_table
$1 = (htable_t *) 0x1
(gdb) where
#0 confhold_close (cd=-16) at confhold.c:273
#1 0x0807991c in ask_select_default (name=0x8085bd4 "win_echo") at ask.c:146
#2 0x0804e173 in interface_init () at cmd.inc:57
#3 0x0804e4ba in cmd_init () at cmd.c:457
#4 0x0804afc9 in main (argc=1, argv=0xbfc911a4) at elmo.c:276
(gdb) quit
The program is running. Exit anyway? (y or n) y
chris@chrislap:~/src/elmo/elmo-1.3.0/src$
Script done on Fri 14 Oct 2005 14:50:37 CEST

Script started on Fri 14 Oct 2005 14:52:12 CEST
chris@chrislap:~/src/elmo/elmo-1.3.0/src$ gdb ./elmo
GNU gdb 6.3-debian

(gdb) run
Starting program: /home/chris/src/elmo/elmo-1.3.0/src/elmo

Program received signal SIGSEGV, Segmentation fault.
0x080543e1 in htable_insert (table=0x1, key=0x808b40e "addressbook",
    content=0xbf92aa18) at hash.c:106
106 int shift = 8 * sizeof (unsigned) - exponent;
(gdb) where
#0 0x080543e1 in htable_insert (table=0x1, key=0x808b40e "addressbook",
    content=0xbf92aa18) at hash.c:106
#1 0x0807d91f in confhold_register (name=0x808b40e "addressbook",
    fieldcount=0) at confhold.c:231
#2 0x0804afe1 in main (argc=1, argv=0xbf92aae4) at elmo.c:199
(gdb)

Script done on Fri 14 Oct 2005 14:53:17 CEST

Revision history for this message
Kristian Vlaardingerbroek (kristianv) wrote :

A rebuild doesn't fix the issue on my side, updated breezy from 2005-10-18 18:10 GMT. I get a similar backtrace as the reporter. This looks like a bug in the software that should be reported upstream, although according to the project page this project is officially declared dead.

Revision history for this message
Yann Rouillard (yann-pleiades) wrote : debdiff to solve several segfaults, a vulnerability and an FTBFS

The patch from Chris Moore definitely solves the segfault problem. I made a debdiff from the previous Ubuntu package.

Meanwhile I ran into an FTBFS bug, already reported on Debian ( http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=321057 ), and noticed a security problem was reported ( http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=318291 ).

I applied both fixes given in the Debian bug pages.

Changed in elmo:
assignee: motu → motureviewers
status: Unconfirmed → Fix Committed
Revision history for this message
Reinhard Tartler (siretart) wrote :

The new package has built on all architectures:
http://people.ubuntu.com/~lamont/buildLogs/e/elmo/1.3.0-1ubuntu1/

Changed in elmo:
status: Fix Committed → Fix Released