Control: severity -1 important Hi and thanks for the report!
On 11:00 Sat 05 Jan , Dominik Röttsches wrote: > Package: dovecot-mysql > Version: 1:2.3.4-2 > Severity: grave > Tags: security > Justification: user security hole Downgrading severity to important; although this is a double-free memory corruption, I would not describe it as a grave security issue based on the information available. Furthermore, it being triggered from deinit, I expect the auth system to otherwise work normally. > > Dear Maintainer, > > while running dovecot with the mysql auth package, I frequently get auth > segfaults in the kernel log such as: > > [51013.656961] auth[17706]: segfault at 60 ip 00007f003b360a7b sp > 00007ffe800d7f30 error 4 in libmariadb.so.3[7f003b354000+26000] > [51013.658978] Code: 85 ff 0f 84 27 01 00 00 55 48 89 e5 41 54 53 48 8b 87 f0 > 04 00 00 48 89 fb 48 85 c0 74 2d 4c 8b 20 4d 85 e4 74 25 49 8b 04 24 <48> 8b > 40 60 48 85 c0 74 02 ff d0 4c 89 e7 e8 92 3c ff ff 48 8b 83 > > I attached gdb to the auth process, but I was unable to get debug symbols for > libmariadbclient.so.18. Anyway, I get these stacktraces for the crash - which > seems to be a crash on disconnect / mysql_close(). > > #1 0x00007f59d8d08535 in __GI_abort () at abort.c:79 > #2 0x00007f59d8d5f718 in __libc_message (action=action@entry=do_abort, > fmt=fmt@entry=0x7f59d8e6a29a "%s\n") > at ../sysdeps/posix/libc_fatal.c:181 > #3 0x00007f59d8d65e3a in malloc_printerr (str=str@entry=0x7f59d8e6bf60 > "free(): double free detected in tcache 2") at malloc.c:5382 > #4 0x00007f59d8d6791d in _int_free (av=0x7f59d8ea1c40 <main_arena>, > p=0x564222bd44e0, have_lock=<optimized out>) at malloc.c:4193 > #5 0x00007f59d8c1ea8e in mysql_close () from > target:/usr/lib/x86_64-linux-gnu/libmariadbclient.so.18 > #6 0x00007f59d91801fe in ?? () from > target:/usr/lib/dovecot/modules/auth/libdriver_mysql.so > #7 0x0000564220be2a14 in ?? () > #8 0x0000564220bd88f1 in db_sql_unref () > #9 0x0000564220bcd92e in passdb_deinit () > #10 0x0000564220bb7099 in auths_deinit () > #11 0x0000564220bb5e0c in main () > > I would expect not to have such crashes during the operation of the auth > module. > > My sql auth configuration is as follows: > > driver = mysql > connect = host=127.0.0.1 dbname=maildb user=mail password=<removed> > default_pass_scheme = CRYPT > password_query = SELECT email AS user, newcrypt AS password FROM passwd WHERE > email = '%u' > iterate_query = SELECT email AS user FROM passwd > > The table schema for the passwd table is: > > DESCRIBE passwd > > email char(128) NO PRI > newcrypt char(128) NO > name char(128) NO > uid int(10) unsigned NO 8 > gid int(10) unsigned NO 8 > home char(255) NO > maildir char(255) NO > quota char(255) NO > > -- Package-specific info: > > dovecot configuration > --------------------- > # 2.3.4 (0ecbaf23d): /etc/dovecot/dovecot.conf > # Pigeonhole version 0.5.4 () > # OS: Linux 4.19.0-1-amd64 x86_64 Debian buster/sid ext4 > # Hostname: mail.drwebdesign.de > protocol lmtp { > mail_plugins = fts fts_solr sieve > } > protocol imap { > mail_max_userip_connections = 100 > } > > -- System Information: > Debian Release: buster/sid > APT prefers unstable > APT policy: (500, 'unstable') > Architecture: amd64 (x86_64) > Foreign Architectures: i386 > > Kernel: Linux 4.19.0-1-amd64 (SMP w/8 CPU cores) > Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set > to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to > en_US.UTF-8) > Shell: /bin/sh linked to /bin/dash > Init: systemd (via /run/systemd/system) > LSM: AppArmor: enabled > > Versions of packages dovecot-mysql depends on: > ii dovecot-core 1:2.3.4-2 > ii libc6 2.28-3 > ii libmariadbclient18 [libmariadbclient18] 1:10.3.11-3 ^^^^ This issue appears to manifest only with libmariadbclient18 10.3.x, and not with 10.1.x from testing. I suspect the culprit to be libmariadbclient18, but will need to investigate further. Regards, Apollon