[Rspamd-Users] Segfault with using lua mempool bucket

Steve Sturges (ststurge) ststurge at cisco.com
Fri Apr 30 19:40:48 UTC 2021


Hi—

I’ve run into an issue when trying to store the length of filenames attached to an email for later use by rules… Getting a segfault when storing those lengths in a lua table/mempool.  This was seen with rspamd 2.6, but the code in 2.7 is the same.

Below are the relevant parts of the stack trace and the change I made to address it in the attached patch.  In all of the other cases where I’ve seen combinations of lua_createtable, and then lua_pushnumber followed by lua_rawseti inside a loop, the index specified is -2 — both in rspamd and elsewhere, but this specific one used -1.

Cheers
-steve
----------------------

#0  0x00007ffff6b23ce7 in lua_rawseti () from /lib64/libluajit-5.1.so.2
#1  0x00007ffff7b909e5 in lua_mempool_get_variable (L=0x40000378) at /home/rspamdbuilder/rspamd-2.6/src/lua/lua_mempool.c:483
#2  0x00007ffff6ad6d5a in lj_BC_FUNCC () from /lib64/libluajit-5.1.so.2
#3  0x00007ffff6b25210 in lua_pcall () from /lib64/libluajit-5.1.so.2
#4  0x00007ffff7b81033 in lua_metric_symbol_callback (task=0x3cd7500, item=<optimized out>, ud=0x7fffeda978d8)
    at /home/rspamdbuilder/rspamd-2.6/src/lua/lua_config.c:1222
#5  0x00007ffff7b135c0 in rspamd_symcache_check_symbol (task=task@entry=0x3cd7500, cache=cache@entry=0x465030, item=item@entry=0x612ed8,
    checkpoint=checkpoint@entry=0x3e1f4b0) at /home/rspamdbuilder/rspamd-2.6/src/libserver/rspamd_symcache.c:1784
#6  0x00007ffff7b13e82 in rspamd_symcache_process_symbols (task=task@entry=0x3cd7500, cache=0x465030, stage=stage@entry=32)
    at /home/rspamdbuilder/rspamd-2.6/src/libserver/rspamd_symcache.c:2143
#7  0x00007ffff7b1ad5d in rspamd_task_process (task=0x3cd7500, stages=131071) at /home/rspamdbuilder/rspamd-2.6/src/libserver/task.c:732
#8  0x00007ffff7b1b0e2 in rspamd_task_process (task=0x3cd7500, stages=131071) at /home/rspamdbuilder/rspamd-2.6/src/libserver/task.c:868
#9  0x00007ffff7b1b0e2 in rspamd_task_process (task=0x3cd7500, stages=131071) at /home/rspamdbuilder/rspamd-2.6/src/libserver/task.c:868
#10 0x00007ffff7b1b0e2 in rspamd_task_process (task=0x3cd7500, stages=131071) at /home/rspamdbuilder/rspamd-2.6/src/libserver/task.c:868
#11 0x00007ffff7b1b0e2 in rspamd_task_process (task=0x3cd7500, stages=131071) at /home/rspamdbuilder/rspamd-2.6/src/libserver/task.c:868
#12 0x00007ffff7b1b0e2 in rspamd_task_process (task=0x3cd7500, stages=131071) at /home/rspamdbuilder/rspamd-2.6/src/libserver/task.c:868
#13 0x00007ffff7b1b0e2 in rspamd_task_process (task=task@entry=0x3cd7500, stages=stages@entry=131071)
    at /home/rspamdbuilder/rspamd-2.6/src/libserver/task.c:868
#14 0x000000000040d175 in rspamd_controller_handle_scan (conn_ent=conn_ent@entry=0x3c6e9e0, msg=msg@entry=0x3d10420)
    at /home/rspamdbuilder/rspamd-2.6/src/controller.c:2116
#15 0x00007ffff7b32acb in rspamd_http_router_finish_handler (conn=<optimized out>, msg=0x3d10420)
    at /home/rspamdbuilder/rspamd-2.6/src/libserver/http/http_router.c:334
#16 0x00007ffff7b30876 in rspamd_http_on_message_complete (parser=<optimized out>)
    at /home/rspamdbuilder/rspamd-2.6/src/libserver/http/http_connection.c:697
……
[additional 12 stack frames omitted — not immediately relevant]


-------------- next part --------------
A non-text attachment was scrubbed...
Name: rspamdpatch_lua_mempool.c.diff
Type: application/octet-stream
Size: 369 bytes
Desc: rspamdpatch_lua_mempool.c.diff
URL: <https://lists.rspamd.com/pipermail/users/attachments/20210430/40764f26/attachment.obj>
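
An added illustration, not part of the original post or of rspamd's code: a constructed C model of a Lua-style value stack, showing why the table sits at index -2 once a number has been pushed on top of it, while -1 is the number itself. All names here (fill_table, rawseti_checked, the struct types) and the sample lengths are hypothetical, and the real Lua C API is not called.

```c
#include <stddef.h>

/* Constructed model of a Lua-style value stack; NOT the real Lua C API. */
enum slot_type { T_NUMBER, T_TABLE };
struct table { double arr[8]; int n; };
struct slot { enum slot_type type; double num; struct table *tbl; };
struct stack { struct slot s[16]; int top; };

/* Resolve a top-relative index: -1 is the top slot, -2 the one below it. */
static struct slot *at(struct stack *st, int idx) {
    int pos = st->top + idx;
    return (idx < 0 && pos >= 0) ? &st->s[pos] : NULL;
}

static void push_table(struct stack *st, struct table *t) {
    t->n = 0;
    st->s[st->top++] = (struct slot){ T_TABLE, 0, t };
}

static void push_number(struct stack *st, double v) {
    st->s[st->top++] = (struct slot){ T_NUMBER, v, NULL };
}

/* Model of a raw integer-keyed store: t[i] = top value, then pop the value.
   Unlike the crash in the post's trace, the model returns -1 on a non-table. */
static int rawseti_checked(struct stack *st, int idx, int i) {
    struct slot *t = at(st, idx);
    if (t == NULL || t->type != T_TABLE || i < 1 || i > 8) return -1;
    t->tbl->arr[i - 1] = st->s[st->top - 1].num;
    if (i > t->tbl->n) t->tbl->n = i;
    st->top--;
    return 0;
}

/* Create a table, then push/store each value; returns the count of failed stores. */
int fill_table(struct table *out, const double *vals, int n, int table_idx) {
    struct stack st = { .top = 0 };
    int failures = 0;
    push_table(&st, out);
    for (int i = 0; i < n; i++) {
        push_number(&st, vals[i]);
        if (rawseti_checked(&st, table_idx, i + 1) != 0) {
            failures++;
            st.top--; /* drop the unstored value to keep the stack balanced */
        }
    }
    return failures;
}

int main(void) { struct table t; double v[] = {12, 7, 31}; /* constructed */ return fill_table(&t, v, 3, -2); }
```

With table_idx set to -2 every store lands in the table; with -1 every store is rejected because the slot addressed is the number that was just pushed.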

