Control: severity -1 important
Hi and thanks for the report!
On 11:00 Sat 05 Jan , Dominik Röttsches wrote:
> Package: dovecot-mysql
> Version: 1:2.3.4-2
> Severity: grave
> Tags: security
> Justification: user security hole
Downgrading severity to important; although this is a double-free memory
corruption, I would not describe it as a grave security issue based on
the information available. Furthermore, it being triggered from deinit,
I expect the auth system to otherwise work normally.
>
> Dear Maintainer,
>
> while running dovecot with the mysql auth package, I frequently get auth
> segfaults in the kernel log such as:
>
> [51013.656961] auth[17706]: segfault at 60 ip 00007f003b360a7b sp
> 00007ffe800d7f30 error 4 in libmariadb.so.3[7f003b354000+26000]
> [51013.658978] Code: 85 ff 0f 84 27 01 00 00 55 48 89 e5 41 54 53 48 8b 87 f0
> 04 00 00 48 89 fb 48 85 c0 74 2d 4c 8b 20 4d 85 e4 74 25 49 8b 04 24 <48> 8b
> 40 60 48 85 c0 74 02 ff d0 4c 89 e7 e8 92 3c ff ff 48 8b 83
>
> I attached gdb to the auth process, but I was unable to get debug symbols for
> libmariadbclient.so.18. Anyway, I get these stacktraces for the crash - which
> seems to be a crash on disconnect / mysql_close().
>
> #1 0x00007f59d8d08535 in __GI_abort () at abort.c:79
> #2 0x00007f59d8d5f718 in __libc_message (action=action@entry=do_abort,
> fmt=fmt@entry=0x7f59d8e6a29a "%s\n")
> at ../sysdeps/posix/libc_fatal.c:181
> #3 0x00007f59d8d65e3a in malloc_printerr (str=str@entry=0x7f59d8e6bf60
> "free(): double free detected in tcache 2") at malloc.c:5382
> #4 0x00007f59d8d6791d in _int_free (av=0x7f59d8ea1c40 <main_arena>,
> p=0x564222bd44e0, have_lock=<optimized out>) at malloc.c:4193
> #5 0x00007f59d8c1ea8e in mysql_close () from
> target:/usr/lib/x86_64-linux-gnu/libmariadbclient.so.18
> #6 0x00007f59d91801fe in ?? () from
> target:/usr/lib/dovecot/modules/auth/libdriver_mysql.so
> #7 0x0000564220be2a14 in ?? ()
> #8 0x0000564220bd88f1 in db_sql_unref ()
> #9 0x0000564220bcd92e in passdb_deinit ()
> #10 0x0000564220bb7099 in auths_deinit ()
> #11 0x0000564220bb5e0c in main ()
>
> I would expect not to have such crashes during the operation of the auth
> module.
>
> My sql auth configuration is as follows:
>
> driver = mysql
> connect = host=127.0.0.1 dbname=maildb user=mail password=<removed>
> default_pass_scheme = CRYPT
> password_query = SELECT email AS user, newcrypt AS password FROM passwd WHERE
> email = '%u'
> iterate_query = SELECT email AS user FROM passwd
>
> The table schema for the passwd table is:
>
> DESCRIBE passwd
>
> email char(128) NO PRI
> newcrypt char(128) NO
> name char(128) NO
> uid int(10) unsigned NO 8
> gid int(10) unsigned NO 8
> home char(255) NO
> maildir char(255) NO
> quota char(255) NO
>
> -- Package-specific info:
>
> dovecot configuration
> ---------------------
> # 2.3.4 (0ecbaf23d): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.4 ()
> # OS: Linux 4.19.0-1-amd64 x86_64 Debian buster/sid ext4
> # Hostname: mail.drwebdesign.de
> protocol lmtp {
> mail_plugins = fts fts_solr sieve
> }
> protocol imap {
> mail_max_userip_connections = 100
> }
>
> -- System Information:
> Debian Release: buster/sid
> APT prefers unstable
> APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.19.0-1-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set
> to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to
> en_US.UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages dovecot-mysql depends on:
> ii dovecot-core 1:2.3.4-2
> ii libc6 2.28-3
> ii libmariadbclient18 [libmariadbclient18] 1:10.3.11-3
^^^^
This issue appears to manifest only with libmariadbclient18 10.3.x, and
not with 10.1.x from testing. I suspect the culprit to be
libmariadbclient18, but will need to investigate further.
Regards,
Apollon
