Segfault on LIST Command

Aki Tuomi aki.tuomi at dovecot.fi
Mon Jan 23 10:05:48 UTC 2017


Sorry, with

67bb90d lib-storage: Fail if no namespaces have list=yes

Aki

On 23.01.2017 12:05, Aki Tuomi wrote:
> This is fixed in 2.2.27 with ddc96f7 lib-storage: Fixed error handling
> in list=children checking
>
> Aki
>
> On 23.01.2017 12:00, Aki Tuomi wrote:
>> Thank you for your report.
>>
>> Aki
>>
>> On 23.01.2017 11:56, Thorsten Hater wrote:
>>> OK, I found the problem in my config. If I use an default namespace with an
>>> empty
>>> name, instead of "inbox" it works as expected. Here the log for this case
>>>
>>> Starting program: /usr/local/libexec/dovecot/imap -u ****
>>> imap(****): Debug: auth input: **** home=**** uid=48 gid=48
>>> quota_rule=*:bytes=1000M
>>> imap(****): Debug: Added userdb setting: plugin/quota_rule=*:bytes=1000M
>>> Debug: Effective uid=48, gid=48, home=****
>>> Debug: Namespace : type=private, prefix=INBOX., sep=., inbox=yes,
>>> hidden=no, list=children, subscriptions=yes location=maildir:~/Maildir
>>> Debug: maildir++: root=****/Maildir, index=, indexpvt=, control=,
>>> inbox=****/Maildir, alt=
>>> Debug: Namespace inbox: type=private, prefix=, sep=, inbox=no, hidden=no,
>>> list=yes, subscriptions=yes location=maildir:~/Maildir
>>> Debug: maildir++: root=****/Maildir, index=, indexpvt=, control=, inbox=,
>>> alt=
>>> * PREAUTH [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
>>> IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT
>>> MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS
>>> LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN
>>> CONTEXT=SEARCH LIST-STATUS BINARY MOVE] Logged in as ****
>>> x LIST "" ""
>>> * LIST (\Noselect) "." ""
>>> x OK List completed (0.000 + 0.000 secs).
>>>
>>>
>>>
>>> On Mon, Jan 23, 2017 at 10:46 AM, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>>>
>>>> I'll try reproduce this issue, but can you, in the mean time, run this
>>>> with mail_debug=yes and provide logs?
>>>>
>>>> Aki
>>>>
>>>> On 23.01.2017 11:45, Thorsten Hater wrote:
>>>>> Hi,
>>>>>
>>>>> I did added the default location and stripped down my config to a very
>>>>> basic
>>>>> level, dropping all plugins and database queries, see below. The segfault
>>>>> still
>>>>> appears in the same location.
>>>>> As I have build from source, I wonder whether you can reproduce the
>>>> problem?
>>>>> Thorsten
>>>>>
>>>>> $  doveconf -n
>>>>> # 2.2.26.0 (23d1de6): /usr/local/etc/dovecot/dovecot.conf
>>>>> # Pigeonhole version 0.4.16 (1dc4c73)
>>>>> # OS: Linux 3.18.16-intel-vm-64bit x86_64 Debian 8.6
>>>>> auth_debug = yes
>>>>> auth_debug_passwords = yes
>>>>> auth_socket_path = /usr/local/var/run/dovecot/auth-userdb
>>>>> auth_verbose = yes
>>>>> base_dir = /usr/local/var/run/dovecot/
>>>>> default_internal_user = pop
>>>>> first_valid_uid = 48
>>>>> import_environment = TZ DEBUG=1
>>>>> last_valid_uid = 48
>>>>> login_greeting = Dovecot ready.
>>>>> login_trusted_networks = ****
>>>>> mail_debug = yes
>>>>> mail_gid = pop
>>>>> mail_location = maildir:~/Maildir
>>>>> mail_plugin_dir = /usr/local/lib/dovecot/
>>>>> mail_uid = pop
>>>>> managesieve_notify_capability = mailto
>>>>> managesieve_sieve_capability = fileinto reject envelope encoded-character
>>>>> vacation subaddress comparator-i;ascii-numeric relational regex
>>>> imap4flags
>>>>> copy include variables body enotify environment mailbox date index ihave
>>>>> duplicate mime foreverypart extracttext
>>>>> namespace inbox {
>>>>>   inbox = yes
>>>>>   list = children
>>>>>   location = maildir:~/Maildir
>>>>>   prefix = INBOX.
>>>>>   separator = .
>>>>>   subscriptions = yes
>>>>>   type = private
>>>>> }
>>>>> passdb {
>>>>>   args = nopassword=yes
>>>>>   driver = static
>>>>> }
>>>>> protocols = imap pop3 lmtp imap pop3
>>>>> ssl = no
>>>>> userdb {
>>>>>   args = home=**** uid=pop gid=pop quota_rule=*:bytes=1000M
>>>>>   driver = static
>>>>> }
>>>>> verbose_proctitle = yes
>>>>> protocol lda {
>>>>>   auth_socket_path = /usr/local/var/run/dovecot/auth-userdb
>>>>> }
>>>>>
>>>>>
>>>>> On Mon, Jan 23, 2017 at 10:01 AM, Thorsten Hater <
>>>> thorsten.hater at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> thanks for picking this up. The location is pulled from the database,
>>>> but
>>>>>> is uniform
>>>>>> for all users, so I could set it to maildir:~/Maildir globally. Assuming
>>>>>> ~ is expanded
>>>>>> later on with userdb data. So, no, there is no special intention behind
>>>>>> this.
>>>>>>
>>>>>> Thorsten
>>>>>>
>>>>>> On Mon, Jan 23, 2017 at 9:37 AM, Aki Tuomi <aki.tuomi at dovecot.fi>
>>>> wrote:
>>>>>>> On 19.01.2017 15:56, Thorsten Hater wrote:
>>>>>>>> The Problem arises due to a NULL deref in mail_namespaces.c line 601.
>>>>>>>> Backtrace below
>>>>>>>>
>>>>>>>> x LIST "" ""
>>>>>>>>
>>>>>>>> Program received signal SIGSEGV, Segmentation fault.
>>>>>>>> mail_namespaces_get_root_sep (namespaces=0x0) at mail-namespace.c:601
>>>>>>>> 601 while ((namespaces->flags & NAMESPACE_FLAG_LIST_PREFIX) == 0)
>>>>>>>> (gdb) bt
>>>>>>>> #0  mail_namespaces_get_root_sep (namespaces=0x0) at
>>>>>>> mail-namespace.c:601
>>>>>>>> #1  0x000000000041164c in cmd_list_ref_root (ref=0x65b060 "",
>>>>>>>> client=0x65a590) at cmd-list.c:324
>>>>>>>> #2  cmd_list_full (cmd=0x65aee0, lsub=<optimized out>) at
>>>> cmd-list.c:461
>>>>>>>> #3  0x0000000000419825 in command_exec (cmd=cmd at entry=0x65aee0) at
>>>>>>>> imap-commands.c:181
>>>>>>>> #4  0x0000000000417de2 in client_command_input (cmd=cmd at entry
>>>> =0x65aee0)
>>>>>>> at
>>>>>>>> imap-client.c:988
>>>>>>>> #5  0x0000000000417e70 in client_command_input (cmd=0x65aee0) at
>>>>>>>> imap-client.c:1048
>>>>>>>> #6  0x00000000004181e5 in client_handle_next_command
>>>>>>>> (remove_io_r=<synthetic pointer>, client=0x65a590) at
>>>> imap-client.c:1090
>>>>>>>> #7  client_handle_input (client=0x65a590) at imap-client.c:1102
>>>>>>>> #8  0x0000000000418692 in client_input (client=0x65a590) at
>>>>>>>> imap-client.c:1149
>>>>>>>> #9  0x00007ffff76297ac in io_loop_call_io (io=0x652aa0) at
>>>> ioloop.c:589
>>>>>>>> #10 0x00007ffff762ab4a in io_loop_handler_run_internal
>>>>>>>> (ioloop=ioloop at entry=0x63e7f0)
>>>>>>>> at ioloop-epoll.c:222
>>>>>>>> #11 0x00007ffff7629835 in io_loop_handler_run (ioloop=ioloop at entry
>>>>>>> =0x63e7f0)
>>>>>>>> at ioloop.c:637
>>>>>>>> #12 0x00007ffff76299d8 in io_loop_run (ioloop=0x63e7f0) at
>>>> ioloop.c:613
>>>>>>>> #13 0x00007ffff75b9823 in master_service_run (service=0x63e690,
>>>>>>>> callback=callback at entry=0x423d40 <client_connected>) at
>>>>>>> master-service.c:641
>>>>>>>> #14 0x000000000040c567 in main (argc=3, argv=0x63e390) at main.c:460
>>>>>>>>
>>>>>>>> On Thu, Jan 19, 2017 at 1:05 PM, Thorsten Hater <
>>>>>>> thorsten.hater at gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Dear all,
>>>>>>>>>
>>>>>>>>> I experience SegFaults in the imap binary on a LIST "" "" command,
>>>>>>>>> as sent by Claws mail. Using LIST "" "INBOX" or similar is fine.
>>>>>>>>> Here is an example telnet session
>>>>>>>>>
>>>>>>>>> $ telnet 127.0.0.1 143
>>>>>>>>> Trying 127.0.0.1...
>>>>>>>>> Connected to 127.0.0.1.
>>>>>>>>> Escape character is '^]'.
>>>>>>>>> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
>>>>>>> IDLE
>>>>>>>>> AUTH=PLAIN] Dovecot ready.
>>>>>>>>> 01 LOGIN **** ****
>>>>>>>>> 01 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
>>>> ENABLE
>>>>>>>>> IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS
>>>>>>> THREAD=ORDEREDSUBJECT
>>>>>>>>> MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS
>>>>>>>>> LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES
>>>>>>> WITHIN
>>>>>>>>> CONTEXT=SEARCH LIST-STATUS BINARY MOVE SPECIAL-USE QUOTA] Logged in
>>>>>>>>> 02 LIST "" ""
>>>>>>>>> Connection closed by foreign host.
>>>>>>>>>
>>>>>>>>> In the log file
>>>>>>>>>
>>>>>>>>> dovecot[8375]: imap(***): Fatal: master: service(imap): child 15803
>>>>>>> killed
>>>>>>>>> with signal 11 (core dumps disabled)
>>>>>>>>>
>>>>>>>>> Please find the config below.
>>>>>>>>>
>>>>>>>>> Best regards,
>>>>>>>>>  Thorsten
>>>>>>>>>
>>>>>>>>> $ doveconf -n
>>>>>>>>> # 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
>>>>>>>>> # Pigeonhole version 0.4.16 (1dc4c73)
>>>>>>>>> # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6
>>>>>>>>> auth_debug = yes
>>>>>>>>> auth_debug_passwords = yes
>>>>>>>>> auth_socket_path = /var/run/dovecot/auth-userdb
>>>>>>>>> auth_verbose = yes
>>>>>>>>> base_dir = /var/run/dovecot/
>>>>>>>>> default_internal_user = pop
>>>>>>>>> first_valid_uid = 48
>>>>>>>>> import_environment = TZ DEBUG=1
>>>>>>>>> last_valid_uid = 48
>>>>>>>>> login_trusted_networks = ****
>>>>>>>>> mail_debug = yes
>>>>>>>>> mail_gid = pop
>>>>>>>>> mail_plugins = " mail_log notify zlib quota"
>>>>>>>>> mail_uid = pop
>>>>>>>>> managesieve_notify_capability = mailto
>>>>>>>>> managesieve_sieve_capability = fileinto reject envelope
>>>>>>> encoded-character
>>>>>>>>> vacation subaddress comparator-i;ascii-numeric relational regex
>>>>>>> imap4flags
>>>>>>>>> copy include variables body enotify environment mailbox date index
>>>>>>> ihave
>>>>>>>>> duplicate mime foreverypart extracttext
>>>>>>>>> namespace inbox {
>>>>>>>>>   inbox = yes
>>>>>>>>>   list = children
>>>>>>>>>   location =
>>>>>>>>>   mailbox Drafts {
>>>>>>>>>     auto = no
>>>>>>>>>     special_use = \Drafts
>>>>>>>>>   }
>>>>>>>>>   mailbox Sent {
>>>>>>>>>     auto = no
>>>>>>>>>     special_use = \Sent
>>>>>>>>>   }
>>>>>>>>>   mailbox Trash {
>>>>>>>>>     auto = no
>>>>>>>>>     autoexpunge = 30 days
>>>>>>>>>     special_use = \Trash
>>>>>>>>>   }
>>>>>>>>>   mailbox drafts {
>>>>>>>>>     auto = no
>>>>>>>>>     special_use = \Drafts
>>>>>>>>>   }
>>>>>>>>>   mailbox sent {
>>>>>>>>>     auto = no
>>>>>>>>>     special_use = \Sent
>>>>>>>>>   }
>>>>>>>>>   mailbox spamverdacht {
>>>>>>>>>     auto = no
>>>>>>>>>     autoexpunge = 30 days
>>>>>>>>>     special_use = \Junk
>>>>>>>>>   }
>>>>>>>>>   mailbox trash {
>>>>>>>>>     auto = no
>>>>>>>>>     autoexpunge = 30 days
>>>>>>>>>     special_use = \Trash
>>>>>>>>>   }
>>>>>>>>>   mailbox virenverdacht {
>>>>>>>>>     auto = no
>>>>>>>>>     autoexpunge = 30 days
>>>>>>>>>     special_use = \Junk
>>>>>>>>>   }
>>>>>>>>>   prefix = INBOX.
>>>>>>>>>   separator = .
>>>>>>>>>   subscriptions = yes
>>>>>>>>>   type = private
>>>>>>>>> }
>>>>>>>>> passdb {
>>>>>>>>>   args = nopassword=y
>>>>>>>>>   driver = static
>>>>>>>>> }
>>>>>>>>> plugin {
>>>>>>>>>   last_login_dict = file:~/lastlogin
>>>>>>>>>   mail_log_events = delete undelete expunge copy mailbox_delete
>>>>>>>>> mailbox_rename
>>>>>>>>>   mail_log_fields = uid box msgid size
>>>>>>>>>   quota = maildir:User quota
>>>>>>>>>   quota_warning = storage=80%% 80 %u %{userdb:quota_bytes}
>>>>>>>>>   quota_warning2 = storage=90%% 90 %u %{userdb:quota_bytes}
>>>>>>>>>   quota_warning3 = storage=95%% 95 %u %{userdb:quota_bytes}
>>>>>>>>>   sieve = ldap:/etc/dovecot/pigeonhole-ldap.conf
>>>>>>>>>   sieve_dir = ~/sieve
>>>>>>>>>   sieve_plugins = sieve_storage_ldap
>>>>>>>>>   zlib_save = gz
>>>>>>>>>   zlib_save_level = 6
>>>>>>>>> }
>>>>>>>>> service imap {
>>>>>>>>>   executable = imap postlogin
>>>>>>>>> }
>>>>>>>>> service pop3 {
>>>>>>>>>   executable = pop3 postlogin
>>>>>>>>> }
>>>>>>>>> service postlogin {
>>>>>>>>>   executable = script-login -d rawlog
>>>>>>>>> }
>>>>>>>>> service quota-warning {
>>>>>>>>>   executable = script /bin/quota-warning.sh
>>>>>>>>> }
>>>>>>>>> ssl = no
>>>>>>>>> userdb {
>>>>>>>>>   args = /etc/dovecot/userdb-ldap.conf
>>>>>>>>>   driver = ldap
>>>>>>>>>   result_failure = return-fail
>>>>>>>>>   result_internalfail = return-fail
>>>>>>>>>   result_success = continue-ok
>>>>>>>>> }
>>>>>>>>> userdb {
>>>>>>>>>   default_fields = quota_bytes=42M
>>>>>>>>>   driver = bdb_quota
>>>>>>>>>   override_fields = quota_rule=*:bytes=%{userdb:quota_bytes}
>>>>>>>>>   result_failure = return-fail
>>>>>>>>>   result_internalfail = return-fail
>>>>>>>>>   result_success = continue-ok
>>>>>>>>> }
>>>>>>>>> verbose_proctitle = yes
>>>>>>>>> protocol lda {
>>>>>>>>>   auth_socket_path = /var/run/dovecot/auth-userdb
>>>>>>>>>   mail_plugin_dir = /lib/dovecot/modules
>>>>>>>>>   mail_plugins = " mail_log notify zlib quota sieve"
>>>>>>>>> }
>>>>>>>>> protocol imap {
>>>>>>>>>   mail_plugins = " mail_log notify zlib quota imap_xauth last_login
>>>>>>>>> imap_quota"
>>>>>>>>> }
>>>>>>>>> protocol pop3 {
>>>>>>>>>   mail_plugins = " mail_log notify zlib quota last_login"
>>>>>>>>> }
>>>>>>>>>
>>>>>>> Hi!
>>>>>>>
>>>>>>> We are looking into this crash.
>>>>>>>
>>>>>>> Are you intentionally setting inbox namespace location to empty?
>>>>>>>
>>>>>>> Aki
>>>>>>>



More information about the dovecot mailing list