Bug#915411: dovecot-core: doveadm crashes with segmentation fault ('batch -A : kick')

2018-12-07 Thread Apollon Oikonomopoulos
Control: tags -1 + upstream confirmed
Control: forwarded -1 https://www.dovecot.org/pipermail/dovecot/2018-December/113819.html

Hi,

On 11:52 Fri 07 Dec , Bernhard Übelacker wrote:
> I could reproduce this crash in a minimal stretch amd64 VM
> with just dovecot-core installed and default configuration.
> 
> That command crashes also in a similar VM with current
> buster/testing version.

Thanks to both of you for the information. I have forwarded this bug 
upstream; it looks like `batch` is set up to work primarily with 
"version 1" doveadm commands, converting "version 2" commands to 1 under 
the hood. Apparently `kick` is lacking an allocation function that would 
allow it to work as a "version 1" command, causing a null pointer 
dereference on the way there.

Regards,
Apollon
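
A simplified model of the failure described in the message above, added here as an example; it is not Dovecot source and not code from this thread. Only the `alloc`/`name` fields and the `cmd->alloc()` call are taken from the gdb output; the registry, `v2_to_v1()` and `cmd_init_checked()` are hypothetical names, and the optional `mail_alloc` member is an assumption of the model.

```c
/* Simplified model, not Dovecot source. Only alloc/name and the cmd->alloc()
 * call come from the gdb output; every other name here is hypothetical. */
#include <stdio.h>
#include <string.h>

struct mail_cmd_ctx { const char *cmd_name; };
typedef struct mail_cmd_ctx *alloc_fn(void);
struct mail_cmd_v1 { alloc_fn *alloc; const char *name; };  /* what batch consumes */
struct cmd_v2 { const char *name; alloc_fn *mail_alloc; };  /* mail_alloc may be NULL */

static struct mail_cmd_ctx *expunge_alloc(void)
{
    static struct mail_cmd_ctx ctx = { "expunge" };
    return &ctx;
}

static const struct cmd_v2 registry[] = {
    { "expunge", expunge_alloc },
    { "kick", NULL },               /* no allocation function, as in the report */
};

/* Build the v1 view of a v2 command; returns 0 when the name is registered. */
static int v2_to_v1(const char *name, struct mail_cmd_v1 *out)
{
    for (size_t i = 0; i < sizeof(registry) / sizeof(registry[0]); i++) {
        if (strcmp(registry[i].name, name) == 0) {
            *out = (struct mail_cmd_v1){ registry[i].mail_alloc, registry[i].name };
            return 0;
        }
    }
    return -1;
}

/* Checked init: reject a command without alloc instead of calling address 0. */
static struct mail_cmd_ctx *cmd_init_checked(const char *name, const char **err)
{
    struct mail_cmd_v1 cmd;
    *err = NULL;
    if (v2_to_v1(name, &cmd) < 0) { *err = "unknown command"; return NULL; }
    if (cmd.alloc == NULL) { *err = "not usable in batch (no alloc)"; return NULL; }
    return cmd.alloc();             /* unchecked, this is the call that faulted */
}

int main(void)
{
    const char *err;
    struct mail_cmd_ctx *ctx = cmd_init_checked("kick", &err);
    printf("kick: %s\n", ctx ? "ok" : err);
}
```

With the check in place the front end reports an error for the command that has no allocation function, where the unchecked call jumps to address 0 and the process dies with SIGSEGV.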



Bug#915411: dovecot-core: doveadm crashes with segmentation fault ('batch -A : kick')

2018-12-07 Thread Bernhard Übelacker
Control: found -1 dovecot/1:2.3.4-2

Dear Maintainer,
I could reproduce this crash in a minimal stretch amd64 VM
with just dovecot-core installed and default configuration.

That command crashes also in a similar VM with current
buster/testing version.

Kind regards,
Bernhard


(gdb) bt
#0  0x in ?? ()
#1  0x55dfefbe3f1c in doveadm_mail_cmd_init (cmd=cmd@entry=0x7ffe8dfe1ab0, set=0x55dff0e09178) at doveadm-mail.c:540
#2  0x55dfefbe561b in cmd_batch_add (argv=, argc=, batchctx=0x55dff0e19250) at doveadm-mail-batch.c:78
#3  cmd_batch_preinit (_ctx=0x55dff0e19250) at doveadm-mail-batch.c:126
#4  0x55dfefbe3b15 in doveadm_mail_cmd_exec (ctx=ctx@entry=0x55dff0e19250, cctx=cctx@entry=0x7ffe8dfe1ba0, wildcard_user=wildcard_user@entry=0x0) at doveadm-mail.c:575
#5  0x55dfefbe44ea in doveadm_mail_cmd (argv=, argc=4, cmd=0x55dff0e17a10) at doveadm-mail.c:693
#6  doveadm_mail_try_run (cmd_name=, argc=, argv=) at doveadm-mail.c:766
#7  0x55dfefbd3d6a in main (argc=, argv=) at doveadm.c:381

(gdb) directory /home/benutzer/dovecot-core/orig/dovecot-2.2.27/src/doveadm
Source directories searched: /home/benutzer/dovecot-core/orig/dovecot-2.2.27/src/doveadm:$cdir:$cwd
(gdb) up
#1  0x55dfefbe3f1c in doveadm_mail_cmd_init (cmd=cmd@entry=0x7ffe8dfe1ab0, set=0x55dff0e09178) at doveadm-mail.c:540
540 ctx = cmd->alloc();
(gdb) print cmd
$1 = (const struct doveadm_mail_cmd *) 0x7ffe8dfe1ab0
(gdb) print *cmd
$2 = {alloc = 0x0, name = 0x55dfefc19130 "kick", usage_args = 0x55dfefc19af8 "[-a ] [|]"}

# stretch amd64 qemu VM

apt update
apt dist-upgrade

apt install mc devscripts dpkg-dev systemd-coredump gdb dovecot-core dovecot-dbg


mkdir dovecot-core/orig -p
cd dovecot-core/orig
apt source dovecot-core
cd ../..

root@debian:~# doveadm batch -A : kick
Speicherzugriffsfehler (Speicherabzug geschrieben)

root@debian:~# coredumpctl list 
TIME                            PID   UID   GID SIG COREFILE EXE
Fri 2018-12-07 11:05:33 CET    4030     0     0  11 present  /usr/bin/doveadm
root@debian:~# coredumpctl gdb 4030
   PID: 4030 (doveadm)
   UID: 0 (root)
   GID: 0 (root)
Signal: 11 (SEGV)
 Timestamp: Fri 2018-12-07 11:05:33 CET (41s ago)
  Command Line: doveadm batch -A : kick
Executable: /usr/bin/doveadm
 Control Group: /user.slice/user-1000.slice/session-1.scope
  Unit: session-1.scope
 Slice: user-1000.slice
   Session: 1
 Owner UID: 1000 (benutzer)
   Boot ID: b831f41ee9ac4b90ac996b4db60e7332
Machine ID: 9e5901179cfe4b73bc18669e6a6e0ab9
  Hostname: debian
   Storage: /var/lib/systemd/coredump/core.doveadm.0.b831f41ee9ac4b90ac996b4db60e7332.4030.1544177133.lz4
   Message: Process 4030 (doveadm) of user 0 dumped core.

Stack trace of thread 4030:
#0  0x n/a (n/a)

GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
Reading symbols from /usr/bin/doveadm...(no debugging symbols found)...done.
[New LWP 4030]
Core was generated by `doveadm batch -A : kick'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x in ?? ()
(gdb) set width 0
(gdb) set pagination off
(gdb) bt
#0  0x in ?? ()
#1  0x55dfefbe3f1c in doveadm_mail_cmd_init ()
#2  0x55dfefbe561b in ?? ()
#3  0x55dfefbe3b15 in ?? ()
#4  0x55dfefbe44ea in doveadm_mail_try_run ()
#5  0x55dfefbd3d6a in main ()

Bug#915411: dovecot-core: doveadm crashes with segmentation fault ('batch -A : kick')

2018-12-03 Thread sphakka
Package: dovecot-core
Version: 1:2.2.27-3+deb9u2
Severity: normal

Hi there,

I see this with `doveadm batch`:

# doveadm batch -A : kick
Segmentation fault

Syslog says:

... doveadm[26542]: segfault at 0 ip (null) sp 7fff8fd322e8 error 14 in doveadm[5635f51f+7e000]


Cheers,

  sphakka


-- Package-specific info:

dovecot configuration
-
# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.9.0-8-amd64 x86_64 Debian 9.6 ext4
auth_mechanisms = plain login
auth_verbose = yes
mail_debug = yes
mail_gid = vmail
mail_location = maildir:/srv/vmail/%d/%n
mail_plugins = " quota virtual"
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext spamtest spamtestplus virustest imapsieve
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Quarantine {
    auto = subscribe
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = 
}
namespace virtual {
  location = virtual:/srv/vmail/%d/%n/virtual:LAYOUT=maildir++
  mailbox All {
    auto = no
    comment = All my messages
    special_use = \All
  }
  prefix = virtual.
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  imapsieve_mailbox1_before = file:/var/lib/dovecot/sieve/report-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = junk;Junk;Spam;SPAM
  imapsieve_mailbox2_before = file:/var/lib/dovecot/sieve/report-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = junk;Junk;Spam;SPAM
  imapsieve_mailbox2_name = *
  quota = maildir:User quota
  quota_grace = 50M
  quota_rule = *:storage=1GB
  quota_rule2 = Trash:storage=+100MB
  quota_rule3 = Junk:ignore
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full
  quota_status_success = DUNNO
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
  quota_warning3 = -storage=100%% quota-warning below %u
  sieve = file:/srv/vmail/%d/%n/sieve;active=/srv/vmail/%d/%n/dovecot.sieve
  sieve_default = /var/lib/dovecot/sieve/default.sieve
  sieve_default_name = default
  sieve_extensions = +spamtest +spamtestplus +virustest
  sieve_global = /var/lib/dovecot/sieve/
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
  sieve_pipe_bin_dir = /var/lib/dovecot/sieve
  sieve_plugins = sieve_imapsieve sieve_extprograms
  sieve_spamtest_max_header = X-Spam-Status: ^.*? score=-?[[:digit:]]+\.[[:digit:]] required=([[:digit:]]+\.[[:digit:]]).*$
  sieve_spamtest_status_header = X-Spam-Status: ^.*? score=(-?[[:digit:]]+\.[[:digit:]]).*$
  sieve_spamtest_status_type = score
  sieve_virustest_status_header = X-Virus-Status: ^(Clean|Infected).*?$
  sieve_virustest_status_type = text
  sieve_virustest_text_value1 = Clean
  sieve_virustest_text_value5 = Infected
}
protocols = " imap lmtp sieve sieve"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0666
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    port = 143
    ssl = no
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
service managesieve {
  process_limit = 128
}
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  unix_listener /var/spool/postfix/private/quota-status {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning
  unix_listener quota-warning {
    mode = 0600
    user = vmail
  }
}
ssl = required
ssl_cert = 
ii  dovecot-imapd 1:2.2.27-3+deb9u2
ii  dovecot-ldap  1:2.2.27-3+deb9u2
ii  dovecot-lmtpd 1:2.2.27-3+deb9u2
pn  dovecot-lucene
ii  dovecot-managesieved  1:2.2.27-3+deb9u2
pn  dovecot-mysql 
pn  dovecot-pgsql 
pn  dovecot-pop3d 
ii  dovecot-sieve 1:2.2.27-3+deb9u2
pn  dovecot-solr  
pn  dovecot-sqlite
pn  ntp   

Versions of packages dovecot-core is related to:
ii  dovecot-core [dovecot-common]  1:2.2.27-3+deb9u2
pn  dovecot-dbg
pn  dovecot-dev
pn  dovecot-gssapi 
ii  dovecot-imapd  1:2.2.27-3+deb9u2
ii