[SEGFAULT] Segfault on confirm server key change (silc client 1.1.4)

Skywing Skywing at valhallalegends.com
Wed Mar 26 22:09:43 CET 2008 

Hi,

When using the 1.1.4 silc client compiled as an irssi plugin, I observed the following segfault when denying a server key change at the confirmation prompt.  At the time irssi had an active irc connection, as well as the silc connection which was waiting at the prompt.

Program terminated with signal 11, Segmentation fault.
#0  silc_schedule_task_del_by_all (schedule=0x736e6f697463656e, fd=0, callback=0x2b5828059d50 <silc_fsm_run>, context=0x6900c8) at silcschedule.c:892
892       SILC_SCHEDULE_LOCK(schedule);
(gdb) bt
#0  silc_schedule_task_del_by_all (schedule=0x736e6f697463656e, fd=0, callback=0x2b5828059d50 <silc_fsm_run>, context=0x6900c8) at silcschedule.c:892
#1  0x00002b58280599b0 in silc_fsm_continue (fsm=<value optimized out>) at silcfsm.c:288
#2  0x00002b58280ca1d7 in silc_client_ke_verify_key_cb (success=<value optimized out>, context=0x66f0c0) at client_connect.c:103
#3  0x00002b5828037521 in verify_public_key_completion (line=<value optimized out>, context=<value optimized out>) at client_ops.c:2384
#4  0x0000000000416b22 in key_send_line () at gui-readline.c:118
#5  0x0000000000486223 in signal_emit_real (rec=0x62b190, params=<value optimized out>, va=<value optimized out>, first_hook=<value optimized out>)
    at signals.c:242
#6  0x00000000004868bc in signal_emit (signal=<value optimized out>, params=3) at signals.c:286
#7  0x00000000004481b9 in sig_multi (data=<value optimized out>, gui_data=0x0) at keyboard.c:637
#8  0x0000000000486223 in signal_emit_real (rec=0x5faef0, params=<value optimized out>, va=<value optimized out>, first_hook=<value optimized out>)
    at signals.c:242
#9  0x00000000004868bc in signal_emit (signal=<value optimized out>, params=3) at signals.c:286
#10 0x00000000004480ca in key_pressed (keyboard=0x6252c0, key=<value optimized out>) at keyboard.c:536
#11 0x00000000004187f4 in sig_gui_key_pressed (keyp=0xa) at gui-readline.c:515
#12 0x0000000000486223 in signal_emit_real (rec=0x633210, params=<value optimized out>, va=<value optimized out>, first_hook=<value optimized out>)
    at signals.c:242
#13 0x00000000004868bc in signal_emit (signal=<value optimized out>, params=1) at signals.c:286
#14 0x0000000000417ecc in sig_input () at gui-readline.c:746
#15 0x0000000000479a41 in irssi_io_invoke (source=0xffffffff, condition=<value optimized out>, data=<value optimized out>) at misc.c:56
#16 0x00002b582739f913 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#17 0x00002b58273a275d in g_main_context_check () from /usr/lib/libglib-2.0.so.0
#18 0x00002b58273a2c7e in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#19 0x0000000000426ddd in main (argc=<value optimized out>, argv=0x0) at irssi.c:397
(gdb)

(gdb) inf reg
rax            0xe0     224
rbx            0x6900c8 6881480
rcx            0x6900c8 6881480
rdx            0x2b5828059d50   47657628573008
rsi            0x0      0
rdi            0x736e6f697463656e       8317708060514805102
rbp            0x736e6f697463656e       0x736e6f697463656e
rsp            0x7fff83a54160   0x7fff83a54160
r8             0xffffffff       4294967295
r9             0x1      1
r10            0x0      0
r11            0x2b58276d1c90   47657618578576
r12            0x6540d0 6635728
r13            0x6579c0 6650304
r14            0x5fefb0 6287280
r15            0x2b5828059d50   47657628573008
rip            0x2b58280581eb   0x2b58280581eb <silc_schedule_task_del_by_all+107>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb)
gdb) x/1i $pc
0x2b58280581eb <silc_schedule_task_del_by_all+107>:     mov    0x88(%rdi),%rdi
(gdb)

It should be noted that a couple of registers had been overwritten by ascii text (bad...):

0:001> .formats 0x736e6f697463656e
Evaluate expression:
  Hex:     736e6f69`7463656e
  Decimal: 8317708060514805102
  Octal:   0715563366456430662556
  Binary:  01110011 01101110 01101111 01101001 01110100 01100011 01100101 01101110
  Chars:   snoitcen
  Time:    Wed Oct  8 18:07:31.480 27958 (GMT-4)
  Float:   low 7.20647e+031 high 1.88908e+031
  Double:  1.064e+248

(rdi, rbp, rdi was dereferenced in this case.)

Let me know if there's any other information that might help.  That was the only thread showing in `inf thread' in gdb.  Definite badness with the apparent overwriting of pointers that are being dereferenced as text (somewhere) though...

- S

More information about the silc-devel mailing list