Bug #6321

Crash on Fedora 39

Added by Chuck Bonesteel about 1 year ago. Updated about 1 year ago.

Status: Invalid
Priority: Normal
Assignee: -
Category: Crashes
Target version: -
Start date: 2024-01-10
Due date:
% Done: 0%
Estimated time:
Found in version: 4.3^20230408gitf32c7c5-3.fc39
Affected Versions:

Description

Crash log attached.

Fedora 39 home PVR server. Freshly built today.

Last line of the attached log:

Jan 10 20:40:21 server.host abrt-notification[12400]: Process 2951 (tvheadend) crashed in pvr_generate_filename()

Files

crash.txt (68.6 KB) Chuck Bonesteel, 2024-01-10 10:47

History

#1

Updated by Chuck Bonesteel about 1 year ago

For repro - nothing specific. Tvheadend was running for 7.5 hours and then crashed.

#2

Updated by Chuck Bonesteel about 1 year ago

(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1  0x00007f77d7eae8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00007f77d7e5c8ee in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007f77d7e4498f in __GI_abort () at abort.c:100
#4  0x00007f77d7e457d0 in __libc_message (fmt=fmt@entry=0x7f77d7fc2309 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:150
#5  0x00007f77d7f41d19 in __GI___fortify_fail (msg=msg@entry=0x7f77d7fc22f0 "buffer overflow detected") at fortify_fail.c:24
#6  0x00007f77d7f416d4 in __GI___chk_fail () at chk_fail.c:28
#7  0x00007f77d7f42eb5 in ___snprintf_chk (s=s@entry=0x7f77baa5fbb4 "", maxlen=maxlen@entry=4093, flag=flag@entry=2, slen=slen@entry=4061, format=format@entry=0x55c5504315e4 "/%s") at snprintf_chk.c:29
#8  0x000055c5502a1c6a in snprintf (__fmt=0x55c5504315e4 "/%s", __n=<optimized out>, __s=<optimized out>) at /usr/include/bits/stdio2.h:54
#9  pvr_generate_filename (de=de@entry=0x55c5519ac200, ss=ss@entry=0x55c55229cc00) at src/dvr/dvr_rec.c:1091
#10 0x000055c5502a4e2c in dvr_rec_start (ss=0x55c55229cc00, de=<optimized out>) at src/dvr/dvr_rec.c:1314
#11 dvr_thread_rec_start (_de=_de@entry=0x7f77baa60e00, ss=ss@entry=0x55c55229cc00, run=run@entry=0x7f77baa60df8, started=started@entry=0x7f77baa60dfc, dts_offset=dts_offset@entry=0x7f77baa60e08, postproc=postproc@entry=0x0) at src/dvr/dvr_rec.c:1566
#12 0x000055c5502a5dd8 in dvr_thread (aux=<optimized out>) at src/dvr/dvr_rec.c:1808
#13 0x000055c5502069f8 in thread_wrapper (p=0x55c552296c80) at src/tvh_thread.c:91
#14 0x00007f77d7eac897 in start_thread (arg=<optimized out>) at pthread_create.c:444
#15 0x00007f77d7f336fc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
(gdb)

#3

Updated by Chuck Bonesteel about 1 year ago

(gdb) f 9
#9  pvr_generate_filename (de=de@entry=0x55c5519ac200, ss=ss@entry=0x55c55229cc00) at src/dvr/dvr_rec.c:1091
1091        snprintf(path + l + j, sizeof(path) - l + j, "/%s", filename);
(gdb) p de->de_config
$1 = (dvr_config_t *) 0x55c5517a73d0
(gdb) p de->de_config->dvr_storage
$2 = 0x55c55178d1a0 "/mnt/stor/tvheadend" 
(gdb) p path
$3 = "/mnt/stor/tvheadend/Australian Story\000n.$x", '\000' <repeats 4055 times>
(gdb) p l
$4 = 20
(gdb) p j
$5 = <optimized out>
(gdb) p filename
$6 = "Australian Story$n.$x", '\000' <repeats 4074 times>
(gdb)

#4

Updated by saen acro about 1 year ago

Is this mounted storage, and how is it mounted?

#5

Updated by Chuck Bonesteel about 1 year ago

(sorry for spam - I'm new to this)

(gdb) bt full
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
        tid = <optimized out>
        ret = 0
        pd = <optimized out>
        old_mask = {__val = {0}}
        ret = <optimized out>
#1  0x00007f77d7eae8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
No locals.
#2  0x00007f77d7e5c8ee in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
        ret = <optimized out>
#3  0x00007f77d7e4498f in __GI_abort () at abort.c:100
        act = {__sigaction_handler = {sa_handler = 0x0, sa_sigaction = 0x0}, sa_mask = {__val = {18446744073709551615, 0 <repeats 15 times>}}, sa_flags = 0, sa_restorer = 0x0}
#4  0x00007f77d7e457d0 in __libc_message (fmt=fmt@entry=0x7f77d7fc2309 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:150
        ap = {{gp_offset = 16, fp_offset = 32631, overflow_arg_area = 0x7f77baa5c940, reg_save_area = 0x7f77baa5c8d0}}
        fd = 2
        list = <optimized out>
        nlist = <optimized out>
        cp = <optimized out>
#5  0x00007f77d7f41d19 in __GI___fortify_fail (msg=msg@entry=0x7f77d7fc22f0 "buffer overflow detected") at fortify_fail.c:24
No locals.
#6  0x00007f77d7f416d4 in __GI___chk_fail () at chk_fail.c:28
No locals.
#7  0x00007f77d7f42eb5 in ___snprintf_chk (s=s@entry=0x7f77baa5fbb4 "", maxlen=maxlen@entry=4093, flag=flag@entry=2, slen=slen@entry=4061, format=format@entry=0x55c5504315e4 "/%s") at snprintf_chk.c:29
        mode = <optimized out>
        ap = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7f77baa5ca40, reg_save_area = 0x7f77baa5c980}}
        ret = <optimized out>
#8  0x000055c5502a1c6a in snprintf (__fmt=0x55c5504315e4 "/%s", __n=<optimized out>, __s=<optimized out>) at /usr/include/bits/stdio2.h:54
No locals.
#9  pvr_generate_filename (de=de@entry=0x55c5519ac200, ss=ss@entry=0x55c55229cc00) at src/dvr/dvr_rec.c:1091
        filename = "Australian Story$n.$x", '\000' <repeats 4074 times>
        path = "/mnt/stor/tvheadend/Australian Story\000n.$x", '\000' <repeats 4055 times>
        ptmp = "Australian Story", '\000' <repeats 4079 times>
        number = '\000' <repeats 15 times>
        tmp = "Australian Story", '\000' <repeats 4079 times>
        lastpath = 0x0
        tally = 0
        st = {st_dev = 0, st_ino = 0, st_nlink = 0, st_mode = 0, st_uid = 0, st_gid = 0, __pad0 = 0, st_rdev = 0, st_size = 0, st_blksize = 0, st_blocks = 0, st_atim = {tv_sec = 0, tv_nsec = 0}, st_mtim = {tv_sec = 0, tv_nsec = 0}, st_ctim = {tv_sec = 0, tv_nsec = 0}, __glibc_reserved = {0, 0, 0}}
        s = <optimized out>
        x = <optimized out>
        fmtstr = <optimized out>
        dirsep = <optimized out>
        tm = {tm_sec = 0, tm_min = 30, tm_hour = 20, tm_mday = 10, tm_mon = 0, tm_year = 124, tm_wday = 3, tm_yday = 9, tm_isdst = 1, tm_gmtoff = 39600, tm_zone = 0x55c5516e95f0 "AEDT"}
        cfg = 0x55c5517a73d0
        m = <optimized out>
        l = 20
        j = <optimized out>
        k = <optimized out>
        max = <optimized out>
        dir_dosubs = 0
        __PRETTY_FUNCTION__ = "pvr_generate_filename" 
#10 0x000055c5502a4e2c in dvr_rec_start (ss=0x55c55229cc00, de=<optimized out>) at src/dvr/dvr_rec.c:1314
        e = <optimized out>
        muxer = <optimized out>
        i = <optimized out>
        asp = "\232Q\305U\000\0000\r\246\272w\177\000" 
        ch = "\177\000\000F\251)P" 
        f = <optimized out>
        st = {st_dev = 2431, st_ino = 95158273, st_nlink = 21, st_mode = 16877, st_uid = 985, st_gid = 39, __pad0 = 0, st_rdev = 0, st_size = 28672, st_blksize = 4096, st_blocks = 64, st_atim = {tv_sec = 1704852464, tv_nsec = 929534359}, st_mtim = {tv_sec = 1704550207, tv_nsec = 647315986}, st_ctim = {
            tv_sec = 1704852447, tv_nsec = 946314019}, __glibc_reserved = {0, 0, 0}}
        si = 0x55c55229cc08
        ssc = <optimized out>
        info = <optimized out>
        ss_copy = <optimized out>
        res = "\305U\000\00068543196", <incomplete sequence \302>
        sr = "\0000\r\246\272w" 
        cfg = 0x55c5517a73d0
        prch = 0x55c5517a2c40
        si = <optimized out>
        ss_copy = <optimized out>
        ssc = <optimized out>
        res = <optimized out>
        asp = <optimized out>
        sr = <optimized out>
        ch = <optimized out>
        cfg = <optimized out>
        prch = <optimized out>
        info = <optimized out>
        e = <optimized out>
        f = <optimized out>
        muxer = <optimized out>
        st = <optimized out>
        i = <optimized out>
        _err = <optimized out>
#11 dvr_thread_rec_start (_de=_de@entry=0x7f77baa60e00, ss=ss@entry=0x55c55229cc00, run=run@entry=0x7f77baa60df8, started=started@entry=0x7f77baa60dfc, dts_offset=dts_offset@entry=0x7f77baa60e08, postproc=postproc@entry=0x0) at src/dvr/dvr_rec.c:1566
        code = <optimized out>
        de = <optimized out>
        prch = <optimized out>
        ret = 0
#12 0x000055c5502a5dd8 in dvr_thread (aux=<optimized out>) at src/dvr/dvr_rec.c:1808
        de = 0x55c5519ac200
        prch = <optimized out>
        sq = <optimized out>
        backlog = {tqh_first = 0x0, tqh_last = 0x7f77baa60e10}
        sm = <optimized out>
        sm2 = <optimized out>
        pkt = <optimized out>
        pkt2 = <optimized out>
        pkt3 = <optimized out>
        ss = <optimized out>
        run = 1
        started = 0
        muxing = <optimized out>
        comm_skip = <optimized out>
        rs = 5
        epg_running = <optimized out>
        old_epg_running = <optimized out>
        epg_pause = <optimized out>
        commercial = <optimized out>
        running_disabled = <optimized out>
        packets = <optimized out>
        dts_offset = -9223372036854775808
        now = <optimized out>
        real_start = <optimized out>
        start_time = <optimized out>
        running_start = <optimized out>
        running_stop = <optimized out>
        postproc = <optimized out>
        ubuf = '\377' <repeats 33 times>
#13 0x000055c5502069f8 in thread_wrapper (p=0x55c552296c80) at src/tvh_thread.c:91
        ts = <optimized out>
        set = {__val = {16388, 0, 0, 0, 0, 18446744073709550232, 0, 140152433411184, 140152209280784, 140152700392414, 0, 140152433411200, 140152209286848, 140152433411200, 140152433411840, 140152433411840}}
        r = <optimized out>
#14 0x00007f77d7eac897 in start_thread (arg=<optimized out>) at pthread_create.c:444
        ret = <optimized out>
        pd = <optimized out>
        out = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140152700323232, -2340501643117535906, 140152209286848, -1384, 2, 140722946798512, -2340501643138507426, -2340740690510815906}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
#15 0x00007f77d7f336fc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
No locals.
(gdb)

#6

Updated by saen acro about 1 year ago

Who built that package? It's modified somehow.

#7

Updated by Chuck Bonesteel about 1 year ago

saen acro wrote:

Is this mounted storage, and how is it mounted?

Yes:

/dev/md127 on /mnt/stor type ext4 (rw,relatime,seclabel)

#8

Updated by Chuck Bonesteel about 1 year ago

saen acro wrote:

Who built that package? It's modified somehow.

This is my command:

gdb /usr/bin/tvheadend ~/coredump
[user@server tvheadend]$ rpm --verify tvheadend-4.3^20230408gitf32c7c5-3.fc39.x86_64
[user@server tvheadend]$ echo $?
0
[user@server tvheadend]$ rpm -qf /usr/bin/tvheadend
tvheadend-4.3^20230408gitf32c7c5-3.fc39.x86_64
[user@server tvheadend]$

Maybe I messed something up. I am jumping around a bit to understand the stack trace... :(

#9

Updated by saen acro about 1 year ago

add some extra

-o noacl

or in fstab
/dev/md127    /mnt/stor    ext4    rw,user,exec,umask=000 0 0

#10

Updated by Chuck Bonesteel about 1 year ago

saen acro wrote:

add some extra

[...]
or in fstab
[...]

ACLs are the root cause? I used the same mounted storage for ~2 years with tvheadend + Fedora 37 with zero issues. No problem for me to change mount flags, I'd just like to understand the reasoning.

#11

Updated by Flole Systems about 1 year ago

ACLs as a source of a buffer overflow in some string function? Seriously? Sometimes it's better to leave a question/bug report unanswered instead of causing confusion....

#12

Updated by Chuck Bonesteel about 1 year ago

Looks like this is already fixed/known:

https://tvheadend.org/issues/6272
https://github.com/tvheadend/tvheadend/commit/003fd92707531bdf7ad1753ab028db8748ac5ab8

Fedora 39 build is based on f32c7c59a, which doesn't contain the fix?

snprintf(path + l + j, sizeof(path) - l + j, "/%s", filename);
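
Added example, not part of the thread or of tvheadend's code: the size argument on the crashing line, `sizeof(path) - l + j`, grows with `j` instead of shrinking, which is why frame #7 shows `maxlen=4093` larger than `slen=4061` and `__chk_fail` fires. The helper names and the sample values in `main` are assumptions made for illustration; `append_component` is one way to bound such a write, not the change made in the linked commit.

```c
#include <stdio.h>
#include <string.h>

/* Size argument as written on the crashing line: sizeof(path) - l + j.
 * This parses as (size - l) + j, so j is added instead of subtracted. */
static size_t claimed_size_as_written(size_t size, size_t l, size_t j)
{
    return size - l + j;
}

/* Bytes really left in the buffer when writing at path + l + j. */
static size_t remaining_size(size_t size, size_t l, size_t j)
{
    return (l + j < size) ? size - (l + j) : 0;
}

/* The comparison behind frame #7: __snprintf_chk aborts when the claimed
 * length (maxlen) is larger than the destination object (slen). */
static int fortify_would_abort(size_t maxlen, size_t slen)
{
    return slen < maxlen;
}

/* Append "/<name>" at offset off. Returns 0 on success, -1 when the offset
 * is out of range or the component does not fit (no silent truncation). */
static int append_component(char *buf, size_t size, size_t off, const char *name)
{
    size_t room = remaining_size(size, off, 0);

    if (room == 0)
        return -1;
    int n = snprintf(buf + off, room, "/%s", name);
    if (n < 0 || (size_t)n >= room) {
        buf[off] = '\0';            /* undo the partial write */
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[64] = "/mnt/stor/tvheadend";   /* constructed sample buffer */

    /* l = 20 and j = 17 are constructed; the page shows j as <optimized out>. */
    printf("claimed=%zu remaining=%zu\n", claimed_size_as_written(sizeof(path), 20, 17),
           remaining_size(sizeof(path), 20, 17));
    printf("abort for maxlen=4093, slen=4061: %d\n", fortify_would_abort(4093, 4061));
    printf("append=%d path=%s\n",
           append_component(path, sizeof(path), strlen(path), "Australian Story"), path);
    return 0;
}
```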

#14

Updated by Flole Systems about 1 year ago

  • Status changed from New to Invalid
