[Dovecot] imap-login: memory corruption

Timo Sirainen tss at iki.fi
Fri Jan 16 04:41:53 EET 2009


On Jan 15, 2009, at 7:28 PM, Ralf Hildebrandt wrote:

Well..

> ==10780== Invalid write of size 1
> ==10780==    at 0x402499E: memcpy (mc_replace_strmem.c:402)
> ==10780==    by 0x805B000: pool_system_clean_realloc (mempool-system-clean.c:149)
> ==10780==    by 0x804FC09: ssl_clean_realloc (ssl-proxy-openssl.c:729)

I did find that pool_system_clean_realloc() didn't handle shrinking  
the memory area, fixed: http://hg.dovecot.org/dovecot-1.1/rev/17c73b14ed9d

But I'm not sure if that really caused the problem, because it only  
says invalid size of 1. More likely valgrind just doesn't like that I  
use glibc-specific malloc_usable_size(). I think I noticed the same  
problem before too. So to avoid these you should disable using the  
clean pool (perhaps I should disable it entirely by default - it's not  
useful after all for what I originally thought it would have been):

diff -r 17c73b14ed9d src/login-common/main.c
--- a/src/login-common/main.c   Thu Jan 15 21:36:26 2009 -0500
+++ b/src/login-common/main.c   Thu Jan 15 21:40:12 2009 -0500
@@ -413,8 +413,8 @@ int main(int argc ATTR_UNUSED, char *arg
            processes pretty safe to reuse for new connections since the
            attacker won't be able to find anything interesting from the
            memory. */
-       default_pool = system_clean_pool;
-       data_stack_set_clean_after_pop(TRUE);
+       /*default_pool = system_clean_pool;
+       data_stack_set_clean_after_pop(TRUE);*/

         /* NOTE: we start rooted, so keep the code minimal until
            restrict_access_by_env() is called */
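Review bot: commenting out the two assignments leaves the block comment directly above them ("processes pretty safe to reuse for new connections since the attacker won't be able to find anything interesting from the memory") describing a guarantee the code no longer provides, since default_pool stays the non-zeroing pool and data_stack_set_clean_after_pop(TRUE) is never called. If the change is meant as a diagnostic, say so in that comment or drop the comment; if it is meant to stay, prefer removing the lines (or gating them behind a setting) over leaving them as commented-out dead code.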


Then again perhaps using the clean pool really is the problem. You  
could just see if after applying the above patch it runs without  
crashes even without valgrind.
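The realloc property at issue in the valgrind report, as an added C illustration that is not Dovecot's code and not the fix in the linked revision: a clean-pool realloc has to copy only the smaller of the old and new sizes when shrinking, and wipe the old block before releasing it. The function names and the explicit old_size/new_size interface (used instead of glibc's malloc_usable_size()) are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Added illustration (not Dovecot's code): a "clean" realloc in the spirit
   of system_clean_pool. Sizes are passed explicitly rather than read back
   with glibc's malloc_usable_size(), which the mail notes is glibc-specific
   and which valgrind does not model well. */

/* Bytes to carry over: the smaller of the two sizes. Copying old_size
   unconditionally overruns the new block on a shrink, which is exactly the
   "Invalid write ... memcpy" pattern valgrind reported. */
size_t clean_copy_len(size_t old_size, size_t new_size)
{
    return old_size < new_size ? old_size : new_size;
}

/* Returns a fresh block of new_size bytes holding the surviving prefix of
   mem; the old block is zeroed before free() so no residue is left behind
   in a process that will be reused. Returns NULL, leaving mem intact, if
   the allocation fails. */
void *clean_realloc(void *mem, size_t old_size, size_t new_size)
{
    void *new_mem = malloc(new_size == 0 ? 1 : new_size);
    if (new_mem == NULL)
        return NULL;
    if (mem != NULL) {
        memcpy(new_mem, mem, clean_copy_len(old_size, new_size));
        memset(mem, 0, old_size);   /* wipe before release */
        free(mem);
    }
    /* When growing, zero the added tail so stale heap contents are never
       handed back as part of the block. */
    if (new_size > old_size)
        memset((char *)new_mem + old_size, 0, new_size - old_size);
    return new_mem;
}

/* Self-check: shrink a 16-byte block to 8 and verify the prefix survived. */
int clean_realloc_shrink_ok(void)
{
    char *p = malloc(16);
    if (p == NULL)
        return 0;
    memcpy(p, "0123456789abcdef", 16);   /* constructed sample data */
    char *q = clean_realloc(p, 16, 8);
    if (q == NULL) {
        free(p);
        return 0;
    }
    int ok = memcmp(q, "01234567", 8) == 0;
    free(q);
    return ok;
}
```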
