Segfault on LIST Command

Aki Tuomi aki.tuomi at dovecot.fi
Mon Jan 23 10:00:50 UTC 2017


Thank you for your report.

Aki

On 23.01.2017 11:56, Thorsten Hater wrote:
> OK, I found the problem in my config. If I use an default namespace with an
> empty
> name, instead of "inbox" it works as expected. Here the log for this case
>
> Starting program: /usr/local/libexec/dovecot/imap -u ****
> imap(****): Debug: auth input: **** home=**** uid=48 gid=48
> quota_rule=*:bytes=1000M
> imap(****): Debug: Added userdb setting: plugin/quota_rule=*:bytes=1000M
> Debug: Effective uid=48, gid=48, home=****
> Debug: Namespace : type=private, prefix=INBOX., sep=., inbox=yes,
> hidden=no, list=children, subscriptions=yes location=maildir:~/Maildir
> Debug: maildir++: root=****/Maildir, index=, indexpvt=, control=,
> inbox=****/Maildir, alt=
> Debug: Namespace inbox: type=private, prefix=, sep=, inbox=no, hidden=no,
> list=yes, subscriptions=yes location=maildir:~/Maildir
> Debug: maildir++: root=****/Maildir, index=, indexpvt=, control=, inbox=,
> alt=
> * PREAUTH [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
> IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT
> MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS
> LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN
> CONTEXT=SEARCH LIST-STATUS BINARY MOVE] Logged in as ****
> x LIST "" ""
> * LIST (\Noselect) "." ""
> x OK List completed (0.000 + 0.000 secs).
>
>
>
> On Mon, Jan 23, 2017 at 10:46 AM, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>
>> I'll try reproduce this issue, but can you, in the mean time, run this
>> with mail_debug=yes and provide logs?
>>
>> Aki
>>
>> On 23.01.2017 11:45, Thorsten Hater wrote:
>>> Hi,
>>>
>>> I did added the default location and stripped down my config to a very
>>> basic
>>> level, dropping all plugins and database queries, see below. The segfault
>>> still
>>> appears in the same location.
>>> As I have build from source, I wonder whether you can reproduce the
>> problem?
>>> Thorsten
>>>
>>> $  doveconf -n
>>> # 2.2.26.0 (23d1de6): /usr/local/etc/dovecot/dovecot.conf
>>> # Pigeonhole version 0.4.16 (1dc4c73)
>>> # OS: Linux 3.18.16-intel-vm-64bit x86_64 Debian 8.6
>>> auth_debug = yes
>>> auth_debug_passwords = yes
>>> auth_socket_path = /usr/local/var/run/dovecot/auth-userdb
>>> auth_verbose = yes
>>> base_dir = /usr/local/var/run/dovecot/
>>> default_internal_user = pop
>>> first_valid_uid = 48
>>> import_environment = TZ DEBUG=1
>>> last_valid_uid = 48
>>> login_greeting = Dovecot ready.
>>> login_trusted_networks = ****
>>> mail_debug = yes
>>> mail_gid = pop
>>> mail_location = maildir:~/Maildir
>>> mail_plugin_dir = /usr/local/lib/dovecot/
>>> mail_uid = pop
>>> managesieve_notify_capability = mailto
>>> managesieve_sieve_capability = fileinto reject envelope encoded-character
>>> vacation subaddress comparator-i;ascii-numeric relational regex
>> imap4flags
>>> copy include variables body enotify environment mailbox date index ihave
>>> duplicate mime foreverypart extracttext
>>> namespace inbox {
>>>   inbox = yes
>>>   list = children
>>>   location = maildir:~/Maildir
>>>   prefix = INBOX.
>>>   separator = .
>>>   subscriptions = yes
>>>   type = private
>>> }
>>> passdb {
>>>   args = nopassword=yes
>>>   driver = static
>>> }
>>> protocols = imap pop3 lmtp imap pop3
>>> ssl = no
>>> userdb {
>>>   args = home=**** uid=pop gid=pop quota_rule=*:bytes=1000M
>>>   driver = static
>>> }
>>> verbose_proctitle = yes
>>> protocol lda {
>>>   auth_socket_path = /usr/local/var/run/dovecot/auth-userdb
>>> }
>>>
>>>
>>> On Mon, Jan 23, 2017 at 10:01 AM, Thorsten Hater <
>> thorsten.hater at gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> thanks for picking this up. The location is pulled from the database,
>> but
>>>> is uniform
>>>> for all users, so I could set it to maildir:~/Maildir globally. Assuming
>>>> ~ is expanded
>>>> later on with userdb data. So, no, there is no special intention behind
>>>> this.
>>>>
>>>> Thorsten
>>>>
>>>> On Mon, Jan 23, 2017 at 9:37 AM, Aki Tuomi <aki.tuomi at dovecot.fi>
>> wrote:
>>>>> On 19.01.2017 15:56, Thorsten Hater wrote:
>>>>>> The Problem arises due to a NULL deref in mail_namespaces.c line 601.
>>>>>> Backtrace below
>>>>>>
>>>>>> x LIST "" ""
>>>>>>
>>>>>> Program received signal SIGSEGV, Segmentation fault.
>>>>>> mail_namespaces_get_root_sep (namespaces=0x0) at mail-namespace.c:601
>>>>>> 601 while ((namespaces->flags & NAMESPACE_FLAG_LIST_PREFIX) == 0)
>>>>>> (gdb) bt
>>>>>> #0  mail_namespaces_get_root_sep (namespaces=0x0) at
>>>>> mail-namespace.c:601
>>>>>> #1  0x000000000041164c in cmd_list_ref_root (ref=0x65b060 "",
>>>>>> client=0x65a590) at cmd-list.c:324
>>>>>> #2  cmd_list_full (cmd=0x65aee0, lsub=<optimized out>) at
>> cmd-list.c:461
>>>>>> #3  0x0000000000419825 in command_exec (cmd=cmd at entry=0x65aee0) at
>>>>>> imap-commands.c:181
>>>>>> #4  0x0000000000417de2 in client_command_input (cmd=cmd at entry
>> =0x65aee0)
>>>>> at
>>>>>> imap-client.c:988
>>>>>> #5  0x0000000000417e70 in client_command_input (cmd=0x65aee0) at
>>>>>> imap-client.c:1048
>>>>>> #6  0x00000000004181e5 in client_handle_next_command
>>>>>> (remove_io_r=<synthetic pointer>, client=0x65a590) at
>> imap-client.c:1090
>>>>>> #7  client_handle_input (client=0x65a590) at imap-client.c:1102
>>>>>> #8  0x0000000000418692 in client_input (client=0x65a590) at
>>>>>> imap-client.c:1149
>>>>>> #9  0x00007ffff76297ac in io_loop_call_io (io=0x652aa0) at
>> ioloop.c:589
>>>>>> #10 0x00007ffff762ab4a in io_loop_handler_run_internal
>>>>>> (ioloop=ioloop at entry=0x63e7f0)
>>>>>> at ioloop-epoll.c:222
>>>>>> #11 0x00007ffff7629835 in io_loop_handler_run (ioloop=ioloop at entry
>>>>> =0x63e7f0)
>>>>>> at ioloop.c:637
>>>>>> #12 0x00007ffff76299d8 in io_loop_run (ioloop=0x63e7f0) at
>> ioloop.c:613
>>>>>> #13 0x00007ffff75b9823 in master_service_run (service=0x63e690,
>>>>>> callback=callback at entry=0x423d40 <client_connected>) at
>>>>> master-service.c:641
>>>>>> #14 0x000000000040c567 in main (argc=3, argv=0x63e390) at main.c:460
>>>>>>
>>>>>> On Thu, Jan 19, 2017 at 1:05 PM, Thorsten Hater <
>>>>> thorsten.hater at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Dear all,
>>>>>>>
>>>>>>> I experience SegFaults in the imap binary on a LIST "" "" command,
>>>>>>> as sent by Claws mail. Using LIST "" "INBOX" or similar is fine.
>>>>>>> Here is an example telnet session
>>>>>>>
>>>>>>> $ telnet 127.0.0.1 143
>>>>>>> Trying 127.0.0.1...
>>>>>>> Connected to 127.0.0.1.
>>>>>>> Escape character is '^]'.
>>>>>>> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
>>>>> IDLE
>>>>>>> AUTH=PLAIN] Dovecot ready.
>>>>>>> 01 LOGIN **** ****
>>>>>>> 01 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
>> ENABLE
>>>>>>> IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS
>>>>> THREAD=ORDEREDSUBJECT
>>>>>>> MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS
>>>>>>> LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES
>>>>> WITHIN
>>>>>>> CONTEXT=SEARCH LIST-STATUS BINARY MOVE SPECIAL-USE QUOTA] Logged in
>>>>>>> 02 LIST "" ""
>>>>>>> Connection closed by foreign host.
>>>>>>>
>>>>>>> In the log file
>>>>>>>
>>>>>>> dovecot[8375]: imap(***): Fatal: master: service(imap): child 15803
>>>>> killed
>>>>>>> with signal 11 (core dumps disabled)
>>>>>>>
>>>>>>> Please find the config below.
>>>>>>>
>>>>>>> Best regards,
>>>>>>>  Thorsten
>>>>>>>
>>>>>>> $ doveconf -n
>>>>>>> # 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
>>>>>>> # Pigeonhole version 0.4.16 (1dc4c73)
>>>>>>> # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6
>>>>>>> auth_debug = yes
>>>>>>> auth_debug_passwords = yes
>>>>>>> auth_socket_path = /var/run/dovecot/auth-userdb
>>>>>>> auth_verbose = yes
>>>>>>> base_dir = /var/run/dovecot/
>>>>>>> default_internal_user = pop
>>>>>>> first_valid_uid = 48
>>>>>>> import_environment = TZ DEBUG=1
>>>>>>> last_valid_uid = 48
>>>>>>> login_trusted_networks = ****
>>>>>>> mail_debug = yes
>>>>>>> mail_gid = pop
>>>>>>> mail_plugins = " mail_log notify zlib quota"
>>>>>>> mail_uid = pop
>>>>>>> managesieve_notify_capability = mailto
>>>>>>> managesieve_sieve_capability = fileinto reject envelope
>>>>> encoded-character
>>>>>>> vacation subaddress comparator-i;ascii-numeric relational regex
>>>>> imap4flags
>>>>>>> copy include variables body enotify environment mailbox date index
>>>>> ihave
>>>>>>> duplicate mime foreverypart extracttext
>>>>>>> namespace inbox {
>>>>>>>   inbox = yes
>>>>>>>   list = children
>>>>>>>   location =
>>>>>>>   mailbox Drafts {
>>>>>>>     auto = no
>>>>>>>     special_use = \Drafts
>>>>>>>   }
>>>>>>>   mailbox Sent {
>>>>>>>     auto = no
>>>>>>>     special_use = \Sent
>>>>>>>   }
>>>>>>>   mailbox Trash {
>>>>>>>     auto = no
>>>>>>>     autoexpunge = 30 days
>>>>>>>     special_use = \Trash
>>>>>>>   }
>>>>>>>   mailbox drafts {
>>>>>>>     auto = no
>>>>>>>     special_use = \Drafts
>>>>>>>   }
>>>>>>>   mailbox sent {
>>>>>>>     auto = no
>>>>>>>     special_use = \Sent
>>>>>>>   }
>>>>>>>   mailbox spamverdacht {
>>>>>>>     auto = no
>>>>>>>     autoexpunge = 30 days
>>>>>>>     special_use = \Junk
>>>>>>>   }
>>>>>>>   mailbox trash {
>>>>>>>     auto = no
>>>>>>>     autoexpunge = 30 days
>>>>>>>     special_use = \Trash
>>>>>>>   }
>>>>>>>   mailbox virenverdacht {
>>>>>>>     auto = no
>>>>>>>     autoexpunge = 30 days
>>>>>>>     special_use = \Junk
>>>>>>>   }
>>>>>>>   prefix = INBOX.
>>>>>>>   separator = .
>>>>>>>   subscriptions = yes
>>>>>>>   type = private
>>>>>>> }
>>>>>>> passdb {
>>>>>>>   args = nopassword=y
>>>>>>>   driver = static
>>>>>>> }
>>>>>>> plugin {
>>>>>>>   last_login_dict = file:~/lastlogin
>>>>>>>   mail_log_events = delete undelete expunge copy mailbox_delete
>>>>>>> mailbox_rename
>>>>>>>   mail_log_fields = uid box msgid size
>>>>>>>   quota = maildir:User quota
>>>>>>>   quota_warning = storage=80%% 80 %u %{userdb:quota_bytes}
>>>>>>>   quota_warning2 = storage=90%% 90 %u %{userdb:quota_bytes}
>>>>>>>   quota_warning3 = storage=95%% 95 %u %{userdb:quota_bytes}
>>>>>>>   sieve = ldap:/etc/dovecot/pigeonhole-ldap.conf
>>>>>>>   sieve_dir = ~/sieve
>>>>>>>   sieve_plugins = sieve_storage_ldap
>>>>>>>   zlib_save = gz
>>>>>>>   zlib_save_level = 6
>>>>>>> }
>>>>>>> service imap {
>>>>>>>   executable = imap postlogin
>>>>>>> }
>>>>>>> service pop3 {
>>>>>>>   executable = pop3 postlogin
>>>>>>> }
>>>>>>> service postlogin {
>>>>>>>   executable = script-login -d rawlog
>>>>>>> }
>>>>>>> service quota-warning {
>>>>>>>   executable = script /bin/quota-warning.sh
>>>>>>> }
>>>>>>> ssl = no
>>>>>>> userdb {
>>>>>>>   args = /etc/dovecot/userdb-ldap.conf
>>>>>>>   driver = ldap
>>>>>>>   result_failure = return-fail
>>>>>>>   result_internalfail = return-fail
>>>>>>>   result_success = continue-ok
>>>>>>> }
>>>>>>> userdb {
>>>>>>>   default_fields = quota_bytes=42M
>>>>>>>   driver = bdb_quota
>>>>>>>   override_fields = quota_rule=*:bytes=%{userdb:quota_bytes}
>>>>>>>   result_failure = return-fail
>>>>>>>   result_internalfail = return-fail
>>>>>>>   result_success = continue-ok
>>>>>>> }
>>>>>>> verbose_proctitle = yes
>>>>>>> protocol lda {
>>>>>>>   auth_socket_path = /var/run/dovecot/auth-userdb
>>>>>>>   mail_plugin_dir = /lib/dovecot/modules
>>>>>>>   mail_plugins = " mail_log notify zlib quota sieve"
>>>>>>> }
>>>>>>> protocol imap {
>>>>>>>   mail_plugins = " mail_log notify zlib quota imap_xauth last_login
>>>>>>> imap_quota"
>>>>>>> }
>>>>>>> protocol pop3 {
>>>>>>>   mail_plugins = " mail_log notify zlib quota last_login"
>>>>>>> }
>>>>>>>
>>>>> Hi!
>>>>>
>>>>> We are looking into this crash.
>>>>>
>>>>> Are you intentionally setting inbox namespace location to empty?
>>>>>
>>>>> Aki
>>>>>


More information about the dovecot mailing list