[Dovecot] v2.0.13 problems after kernel patch for CVE-2011-1083 applied on CentOS 5

Timo Sirainen tss at iki.fi
Sat Feb 25 02:39:15 EET 2012


On 25.2.2012, at 0.49, Doug Henderson wrote:

> [8irgehuq] CVE-2011-1083: Algorithmic denial of service in epoll.
> 
> After ksplice automatically installed the above patch on our mail servers, most/all IMAP/POP3 connections began experiencing time-outs trying to connect, or extreme timeouts in the auth procedure.

I'd guess this patch is already in new Linux kernel versions, so other people should have seen any problems caused by it?

> dovecot: pop3-login: Panic: epoll_ctl(add, 6) failed: Invalid argument
..
> Once this patch was removed, everything started working again.
> 
> Is it possible that dovecot is trying to re-add already-added connections to the polling list - which this specific 'patch' prevents?

It shouldn't be possible .. EPOLL_CTL_ADD is done only once, EPOLL_CTL_MOD is done afterwards. And if the same fd is attempted to be added/modded twice, Dovecot should assert-crash first in ioloop_iolist_add().
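The add-once/modify-afterwards rule described in the reply above, as an added example that is not part of the original message and not Dovecot's code. It records the errno values documented in epoll_ctl(2) on Linux: a duplicate EPOLL_CTL_ADD reports EEXIST, while EINVAL comes from other conditions, such as adding the epoll fd to itself. The `fd_tracker`, `ctl`, `tracker_set` and `demo` names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/epoll.h>
#include <unistd.h>
#define MAX_FDS 1024
/* Hypothetical tracker (not Dovecot's ioloop): remembers which fds were added. */
struct fd_tracker { int epfd; unsigned char registered[MAX_FDS]; };
/* One epoll_ctl() call; returns 0 on success or the errno the kernel reported. */
static int ctl(int epfd, int op, int fd, unsigned int events)
{
    struct epoll_event ev;
    memset(&ev, 0, sizeof(ev));
    ev.events = events;
    ev.data.fd = fd;
    return epoll_ctl(epfd, op, fd, &ev) < 0 ? errno : 0;
}

/* EPOLL_CTL_ADD the first time an fd is seen, EPOLL_CTL_MOD on every later call. */
static int tracker_set(struct fd_tracker *t, int fd, unsigned int events)
{
    int err;
    if (fd < 0 || fd >= MAX_FDS) return EBADF;
    err = ctl(t->epfd, t->registered[fd] ? EPOLL_CTL_MOD : EPOLL_CTL_ADD, fd, events);
    if (err == 0) t->registered[fd] = 1;
    return err;
}

/* Constructed scenario on a local pipe; out[] receives the four results. */
int demo(int out[4])
{
    struct fd_tracker t;
    int p[2];
    memset(&t, 0, sizeof(t));
    if ((t.epfd = epoll_create(8)) < 0 || pipe(p) < 0) return -1;
    out[0] = tracker_set(&t, p[0], EPOLLIN);               /* first call: ADD, 0 */
    out[1] = tracker_set(&t, p[0], EPOLLIN | EPOLLPRI);    /* second call: MOD, 0 */
    out[2] = ctl(t.epfd, EPOLL_CTL_ADD, p[0], EPOLLIN);    /* duplicate ADD: EEXIST */
    out[3] = ctl(t.epfd, EPOLL_CTL_ADD, t.epfd, EPOLLIN);  /* epoll fd into itself: EINVAL */
    close(p[0]); close(p[1]); close(t.epfd);
    return 0;
}

int main(void)
{
    int r[4];
    if (demo(r) == 0) printf("%d %d %s %s\n", r[0], r[1], strerror(r[2]), strerror(r[3]));
    return 0;
}
```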


