Notes/Domino Fix List
SPR # LVAE6G7EP8
Fixed in 7.0.1; 6.5.5 FP1; 6.5.6 release
Security fix



Product Area: Server
Technical Area: Web Server
Platform: Cross Platform

Lotus Customer Support APAR: PK11717

SPR# LVAE6G7EP8 - Panic occurs in Cmovmem when passed an invalid address from NCDfield::RestorePos.

Technote Number: 1217453

Problem:
This issue was reported to Quality Engineering as SPR# LVAE6G7EP8 and has been
fixed in Domino 7.0.1, Domino 6.5.5 Fix Pack 1 (FP1) and Domino 6.5.6. Refer
to the Upgrade Central site for details on upgrading Notes/Domino.

Excerpt from the Lotus Domino fix list (available at
http://www.ibm.com/developerworks/lotus):
Web Server
SPR# LVAE6G7EP8 - Panic occurs in Cmovmem when passed an invalid address from
NCDfield::RestorePos.

Bad data is not being detected and handled.

Call stacks are as follows:


Crash #1
PROCESSING TCB= 8C1E88 - TCB is active. OMVS TID= 17FB083000000031
CPU TIME = 00000001B45A67A0 secs= 1
DSA@=28328400 EP@=17276200 msgctl
DSA@=283284E0 EP@=17C58358 OS390_dump +35C
DSA@=28328720 EP@=17C662B0 fatal_error +392
DSA@=283289E0 EP@=172DCCB0 __zerro +A10
DSA@=28329520 EP@=172DCA70 __zerros +1E6
DSA@=283295A0 UPTODOWN transition block@=28329DF0
DSA@=2828E8F0 EP@=07D178F8 CEEVROND -7FFFFFA8
********** EXCEPTION DSA ************************
ZMCH BLOCK at address 2828B478 PSW= 078D0400 97D235A6
R0= 00000000 R1= 0AA7C1B5 R2= 2832AB14 R3= 00000002
R4= 28329660 R5= 1AA88F68 R6= 00000001 R7= 17D23A80
R8= 97D2355A R9= 2832AB14 R10= 0AA7C1B5 R11= 00000002
R12= 2828CBD8 R13= 28329FC8 R14= 2832AB14 R15= 1AA48B20
**** warning the next dsa was NOT active *******
**** the module name and offset are ***********
**** for the last called function. ***********
DSA@=2828DD70 EP@=07C1ED08 CEEHDSP +CD4
DSA@=2828DD70 DOWNTOUP transition block@=2828DDF0
DSA@=28329660 EP@=17D23550 Cmovmem +23E9866B
DSA@=283296E0 EP@=1900E878 ODSReadMemory +5A
DSA@=28329760 EP@=24CDF280 NCDiterator::nextrec(char*&,unsigned short&,unsigne
+13A
DSA@=283298E0 EP@=24CE0100 NCDfield::RestorePos(const char*) +14E
DSA@=283299E0 EP@=24E80210 CmdHandlerBase::HandleOpenElementCmd(OpenElementCmd
+780
DSA@=2832AE60 EP@=24B28560 CmdHandlerBase::PrivHandle(Cmd*,Cmd*) +15A
DSA@=2832AF20 EP@=24B1F390 CmdHandler::PrivHandle(Cmd*) +D6
DSA@=2832AFA0 EP@=24B1F5C8 CmdHandler::Handler(Cmd*,void*) +D8
DSA@=2832C940 EP@=24B04018 Cmd::Execute() +84
DSA@=2832C9E0 EP@=24C59298 InotesHTTPProcessRequestImpl(_InotesHTTPrequest*)
+A34
DSA@=2832E700 EP@=24C591C8 InotesHTTPProcessRequest +38
DSA@=2832EFE0 EP@=1B4F3210 HTInotesRequest::ProcessRequest() +D8
DSA@=2832F460 EP@=1B4DFAF0 HTRequestExtContainer::ProcessRequest(HTApplication
DSA@=2832F4E0 EP@=1B528A00 HTRequest::ProcessRequest() +A30
DSA@=2832FF00 EP@=1B53FBC0 HTSession::StartRequest() +430
DSA@=28330A00 EP@=1B573888 HTWorkerThread::CheckForWork() +252
DSA@=28331460 EP@=1B5734D0 HTWorkerThread::ThreadMain() +15E
DSA@=28331560 EP@=1B5636D0 HTThreadBeginProc +6A
DSA@=283315E0 EP@=17BC6890 ThreadWrapper +450
DSA@=28331680 EP@=17CBD450 threadEP +E8
DSA@=28331720 UPTODOWN transition block@=28331F70
DSA@=7E9A3E78 EP@=07D178F8 CEEVROND -7FFFFFA8
DSA@=2828D550 EP@=00010AB0 CEEOPCMM -7FFFF6EA
DSA@=7E9A27D0 EP@=00000000 zero pointer? +449491A
DSA@=7E9A2000 EP@=00010AB0 CEEOPCMM -80010AB0
33 dsa entries formatted. Method=6



Crash #2
############################################################
### FATAL THREAD 26/60 [ nHTTP:08fc:0948]
### FP=0x0bfbc5dc, PC=0x6000174b, SP=0x0bfbc5d0, stksize=12
### EAX=0x0bfbd13c, EBX=0x077d13f2, ECX=0x0bfbd13c, EDX=0x077d13f4
### ESI=0x00000002, EDI=0x077d13f2, CS=0x0000001b, SS=0x00000023
### DS=0x00000023, ES=0x00000023, FS=0x0000003b, GS=0x00000000 Flags=0x00010293
Exception code: c0000005 (ACCESS_VIOLATION)
############################################################
@[ 1] 0x6000174b nnotes._Cmovmem@12+267 (77d13f2,bfbd13c,2,bfbc7dc)
@[ 2] 0x600040ec nnotes._ODSReadMemory@16+60 (bfbc6c4,0,bfbd13c,1)
@[ 3] 0x004999b6 ninotes.NCDiterator::nextrec+166 (bfbc7dc,bfbc7f6,bfbc7e0,0)
@[ 4] 0x00499825 ninotes.NCDiterator::GetNextRec+37
(bfbc7dc,467d133c,bfbc7e0,65fe58)
@[ 5] 0x00499fe5 ninotes.NCDfield::RestorePos+181
(5901cf,428000f4,1578f78,7c59c354)
@[ 6] 0x004f362b ninotes.CmdHandlerBase::HandleOpenElementCmd+1323
(bfbd1e4,0,428000f4,1578f78)
@[ 7] 0x004400d8 ninotes.CmdHandlerBase::PrivHandle+248 (428000f4,0,0,1578f78)
@[ 8] 0x0043e12b ninotes.CmdHandler::PrivHandle+123
(428000f4,0,428000f4,4280a0f4)
@[ 9] 0x0043e24d ninotes.CmdHandler::Handler+221
(428000f4,1578f78,6003e040,bfbe504)
@[10] 0x0043849a ninotes.Cmd::Execute+58 (41bd9bc8,41bd98e4,0,66f404)
@[11] 0x0047f3c3 ninotes._InotesHTTPProcessRequest+1715
(41bd9bd8,41bd9bc8,41bd98e4,0)
@[12] 0x0047ed3f ninotes._InotesHTTPProcessRequest+47 (41bd9bd8,3,41bd9904,4)
@[13] 0x10014074 nhttpstack.HTInotesRequest::ProcessRequest+36
(41bd98e4,41bd9780,0,3)
@[14] 0x100101c1 nhttpstack.HTRequestExtContainer::ProcessRequest+545
(5,453163d0,423e8a4,0)
@[15] 0x1001cf9a nhttpstack.HTRequest::ProcessRequest+1722 (1,159c71e,0,423e8f8)
@[16] 0x10021616 nhttpstack.HTSession::StartRequest+790
(159c72a,159c71e,0,60092751)
@[17] 0x1002aa0d nhttpstack.HTWorkerThread::CheckForWork+285
(3,159c71e,10027ad0,10027afa)
@[18] 0x1002a897 nhttpstack.HTWorkerThread::ThreadMain+87 (159c71e,0,0,0)
@[19] 0x60116094 nnotes._ThreadWrapper@4+212 (0,0,0,0)
[20] 0x7c57b3bc KERNEL32.CreateProcessW+362



Last Modified on 12/08/2013
