Todd Rinaldo
2010-Feb-19 21:28 UTC
[Dovecot] segfault - (imap|pop3)-login during nessus scan
We've been struggling with a problem for the past couple of days which to this point I've only gotten to be able to boil down to this:

1. Install nessus home edition (less plugins I assume)
2. Run all scans (sequentially or in parallel, doesn't seem to matter)
3. About 3 minutes in, /var/log/messages will show segfaults on imap and/or pop3:

imap-login[22185]: segfault at 000000000000000c rip 0000003c7de610a2 rsp 00007fffa2342068 error 4

or sometimes...

pop3-login[24451]: segfault at 000000000000000c rip 0000003c7de610a2 rsp 00007fff07116968 error 4

I'm having a really hard time getting a core dump and I'm having a really hard time narrowing down the list of nessus tests which cause this.

So far, I have repeated this failure in 1.1.19 and 1.1.20. Additionally we've seen something similar on 1.2 and reverted back to 1.1 a year ago. At the time we could not reproduce a test case and finally gave up.

Has anyone seen something along these lines? Can anyone recommend how I could narrow this down further so we can find the problem?

Thanks,
Todd
Timo Sirainen
2010-Feb-20 03:23 UTC
[Dovecot] segfault - (imap|pop3)-login during nessus scan
On Fri, 2010-02-19 at 15:28 -0600, Todd Rinaldo wrote:
> pop3-login[24451]: segfault at 000000000000000c rip 0000003c7de610a2 rsp 00007fff07116968 error 4
>
> I'm having a really hard time getting a core dump

Yeah, it's difficult to get login processes to core dump. In v1.2 it's easier though. But there's an alternative way to get the backtrace:

First set login_process_per_connection=no. Then:

gdb -p `pidof imap-login`
cont
<wait for crash>
bt full
Todd Rinaldo
2010-Feb-22 17:49 UTC
[Dovecot] segfault - (imap|pop3)-login during nessus scan
On Feb 19, 2010, at 9:23 PM, Timo Sirainen wrote:
> On Fri, 2010-02-19 at 15:28 -0600, Todd Rinaldo wrote:
>> pop3-login[24451]: segfault at 000000000000000c rip 0000003c7de610a2 rsp 00007fff07116968 error 4
>>
>> I'm having a really hard time getting a core dump
>
> Yeah, it's difficult to get login processes to core dump. In v1.2 it's
> easier though. But there's an alternative way to get the backtrace:
>
> First set login_process_per_connection=no. Then:
>
> gdb -p `pidof imap-login`
> cont
> <wait for crash>
> bt full

Tim,

Thanks for the feedback. In the other email you sent about reproducing with nessus, note that we're using the checkpassword system, however from strace info so far we think the error happens before any fork happens to the custom auth program.

Your suggestion for trapping with gdb worked for me! Though I had to do this in gdb first cause I kept getting sigpipe breaks:

handle SIGPIPE nostop noprint pass

This is my stack trace without debug symbols. How much would symbols help you here?

Program received signal SIGSEGV, Segmentation fault.
0x0000003c7de610a2 in krb5_is_referral_realm () from /usr/lib64/libkrb5.so.3
(gdb) bt full
#0  0x0000003c7de610a2 in krb5_is_referral_realm () from /usr/lib64/libkrb5.so.3
No symbol table info available.
#1  0x0000003c7de48ade in krb5_kt_get_entry () from /usr/lib64/libkrb5.so.3
No symbol table info available.
#2  0x0000003c7fe3871e in kssl_keytab_is_available () from /lib64/libssl.so.6
No symbol table info available.
#3  0x0000003c7fe1e345 in ssl3_choose_cipher () from /lib64/libssl.so.6
No symbol table info available.
#4  0x0000003c7fe19aeb in ssl3_get_client_hello () from /lib64/libssl.so.6
No symbol table info available.
#5  0x0000003c7fe1a465 in ssl3_accept () from /lib64/libssl.so.6
No symbol table info available.
#6  0x0000003c7fe22602 in ssl23_get_client_hello () from /lib64/libssl.so.6
No symbol table info available.
#7  0x0000003c7fe22d99 in ssl23_accept () from /lib64/libssl.so.6
No symbol table info available.
#8  0x00000000004093f9 in ssl_step ()
No symbol table info available.
#9  0x00000000004095e4 in ssl_proxy_new ()
No symbol table info available.
#10 0x00000000004073b7 in login_accept_ssl ()
No symbol table info available.
#11 0x0000000000411dc8 in io_loop_handler_run ()
No symbol table info available.
#12 0x0000000000410edd in io_loop_run ()
No symbol table info available.
#13 0x000000000040706e in main ()
No symbol table info available.
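As an added example, not code from the thread or from Dovecot: a small POSIX shell helper that decodes the kernel segfault lines Todd quoted (what "error 4" and an address of 0xc actually say about the crash) and wraps Timo's gdb attach procedure, with Todd's SIGPIPE handling, into one non-interactive run. It assumes x86-64 Linux, the classic kernel segfault log format, and the error-code bit layout from the kernel's x86 page-fault handler; the process names and log lines are the thread's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes x86-64 Linux and the kernel's
# classic log format: <proc>[<pid>]: segfault at <addr> rip <rip> rsp <rsp> error <code>

# Decode one segfault line. The error code carries the x86 page-fault bits
# (arch/x86/mm/fault.c): bit0 protection violation (else page not present),
# bit1 write (else read), bit2 user mode (else kernel), bit4 instruction fetch.
decode_segfault() {
    set -- $(printf '%s\n' "$1" | awk '/segfault at/ {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /\[[0-9]+\]:$/) p = $i
            if ($i == "at")    a = $(i + 1)
            if ($i == "error") e = $(i + 1)
        }
        sub(/\[.*/, "", p); print p, a, e }')
    [ $# -eq 3 ] || { echo "not a segfault line" >&2; return 1; }
    proc=$1; addr=$2; err=$3
    [ $((err & 4)) -ne 0 ] && mode=user || mode=kernel
    if   [ $((err & 16)) -ne 0 ]; then access=exec
    elif [ $((err & 2))  -ne 0 ]; then access=write
    else access=read; fi
    [ $((err & 1)) -ne 0 ] && cause="protection violation" || cause="page not present"
    hint=""
    # A user-mode fault inside the first page is almost always a NULL struct pointer
    # dereferenced at a small field offset (0xc in the thread: offset 12).
    [ "$mode" = user ] && [ $((0x$addr)) -lt 4096 ] &&
        hint=", likely NULL pointer deref (offset $((0x$addr)))"
    printf '%s: %s %s at 0x%s, %s%s\n' "$proc" "$mode" "$access" "$addr" "$cause" "$hint"
}

# Timo's recipe as one non-interactive run. With login_process_per_connection=no the
# login process stays alive across connections, so gdb can wait on it for the crash;
# SIGPIPE is passed through silently (Todd's fix) so client disconnects don't stop it.
attach_and_trace() {
    pid=$(pidof "$1" | cut -d' ' -f1)   # first login process if several are running
    [ -n "$pid" ] || { echo "no $1 process running" >&2; return 1; }
    gdb -batch -p "$pid" \
        -ex 'handle SIGPIPE nostop noprint pass' \
        -ex 'continue' \
        -ex 'bt full'
}

# The two lines quoted in the thread:
decode_segfault 'imap-login[22185]: segfault at 000000000000000c rip 0000003c7de610a2 rsp 00007fffa2342068 error 4'
decode_segfault 'pop3-login[24451]: segfault at 000000000000000c rip 0000003c7de610a2 rsp 00007fff07116968 error 4'
# On the affected host, after setting login_process_per_connection=no:
#   attach_and_trace imap-login > imap-login-trace.txt 2>&1
```

Both thread lines decode to a user-mode read of an unmapped page at offset 12 from NULL, which matches the backtrace above: a NULL pointer dereferenced inside the krb5 keytab lookup that the SSL cipher selection triggers during the ClientHello.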