Dear all,
I am seeing segfaults in the imap binary when a client sends a LIST "" "" command after logging in, as Claws Mail does. Using LIST "" "INBOX" or similar is fine. Here is an example telnet session:
$ telnet 127.0.0.1 143
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
01 LOGIN **** ****
01 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SPECIAL-USE QUOTA] Logged in
02 LIST "" ""
Connection closed by foreign host.
In the log file
dovecot[8375]: imap(***): Fatal: master: service(imap): child 15803 killed with signal 11 (core dumps disabled)
Please find the config below.
Best regards, Thorsten
$ doveconf -n
# 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (1dc4c73)
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6
auth_debug = yes
auth_debug_passwords = yes
auth_socket_path = /var/run/dovecot/auth-userdb
auth_verbose = yes
base_dir = /var/run/dovecot/
default_internal_user = pop
first_valid_uid = 48
import_environment = TZ DEBUG=1
last_valid_uid = 48
login_trusted_networks = ****
mail_debug = yes
mail_gid = pop
mail_plugins = " mail_log notify zlib quota"
mail_uid = pop
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  list = children
  location =
  mailbox Drafts {
    auto = no
    special_use = \Drafts
  }
  mailbox Sent {
    auto = no
    special_use = \Sent
  }
  mailbox Trash {
    auto = no
    autoexpunge = 30 days
    special_use = \Trash
  }
  mailbox drafts {
    auto = no
    special_use = \Drafts
  }
  mailbox sent {
    auto = no
    special_use = \Sent
  }
  mailbox spamverdacht {
    auto = no
    autoexpunge = 30 days
    special_use = \Junk
  }
  mailbox trash {
    auto = no
    autoexpunge = 30 days
    special_use = \Trash
  }
  mailbox virenverdacht {
    auto = no
    autoexpunge = 30 days
    special_use = \Junk
  }
  prefix = INBOX.
  separator = .
  subscriptions = yes
  type = private
}
passdb {
  args = nopassword=y
  driver = static
}
plugin {
  last_login_dict = file:~/lastlogin
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size
  quota = maildir:User quota
  quota_warning = storage=80%% 80 %u %{userdb:quota_bytes}
  quota_warning2 = storage=90%% 90 %u %{userdb:quota_bytes}
  quota_warning3 = storage=95%% 95 %u %{userdb:quota_bytes}
  sieve = ldap:/etc/dovecot/pigeonhole-ldap.conf
  sieve_dir = ~/sieve
  sieve_plugins = sieve_storage_ldap
  zlib_save = gz
  zlib_save_level = 6
}
service imap {
  executable = imap postlogin
}
service pop3 {
  executable = pop3 postlogin
}
service postlogin {
  executable = script-login -d rawlog
}
service quota-warning {
  executable = script /bin/quota-warning.sh
}
ssl = no
userdb {
  args = /etc/dovecot/userdb-ldap.conf
  driver = ldap
  result_failure = return-fail
  result_internalfail = return-fail
  result_success = continue-ok
}
userdb {
  default_fields = quota_bytes=42M
  driver = bdb_quota
  override_fields = quota_rule=*:bytes=%{userdb:quota_bytes}
  result_failure = return-fail
  result_internalfail = return-fail
  result_success = continue-ok
}
verbose_proctitle = yes
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-userdb
  mail_plugin_dir = /lib/dovecot/modules
  mail_plugins = " mail_log notify zlib quota sieve"
}
protocol imap {
  mail_plugins = " mail_log notify zlib quota imap_xauth last_login imap_quota"
}
protocol pop3 {
  mail_plugins = " mail_log notify zlib quota last_login"
}
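The problem arises from a NULL pointer dereference in mail-namespace.c, line 601: mail_namespaces_get_root_sep() is called with namespaces=0x0 and reads namespaces->flags in its loop condition. Backtrace below: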
x LIST "" ""
Program received signal SIGSEGV, Segmentation fault.
mail_namespaces_get_root_sep (namespaces=0x0) at mail-namespace.c:601
601 while ((namespaces->flags & NAMESPACE_FLAG_LIST_PREFIX) == 0)
(gdb) bt
#0 mail_namespaces_get_root_sep (namespaces=0x0) at mail-namespace.c:601
#1 0x000000000041164c in cmd_list_ref_root (ref=0x65b060 "",
client=0x65a590) at cmd-list.c:324
#2 cmd_list_full (cmd=0x65aee0, lsub=<optimized out>) at cmd-list.c:461
#3 0x0000000000419825 in command_exec (cmd=cmd@entry=0x65aee0) at
imap-commands.c:181
#4 0x0000000000417de2 in client_command_input (cmd=cmd@entry=0x65aee0) at
imap-client.c:988
#5 0x0000000000417e70 in client_command_input (cmd=0x65aee0) at
imap-client.c:1048
#6 0x00000000004181e5 in client_handle_next_command
(remove_io_r=<synthetic pointer>, client=0x65a590) at imap-client.c:1090
#7 client_handle_input (client=0x65a590) at imap-client.c:1102
#8 0x0000000000418692 in client_input (client=0x65a590) at
imap-client.c:1149
#9 0x00007ffff76297ac in io_loop_call_io (io=0x652aa0) at ioloop.c:589
#10 0x00007ffff762ab4a in io_loop_handler_run_internal
(ioloop=ioloop@entry=0x63e7f0)
at ioloop-epoll.c:222
#11 0x00007ffff7629835 in io_loop_handler_run (ioloop=ioloop@entry=0x63e7f0)
at ioloop.c:637
#12 0x00007ffff76299d8 in io_loop_run (ioloop=0x63e7f0) at ioloop.c:613
#13 0x00007ffff75b9823 in master_service_run (service=0x63e690,
callback=callback@entry=0x423d40
On Thu, Jan 19, 2017 at 1:05 PM, Thorsten Hater thorsten.hater@gmail.com wrote:
Dear all,
I experience SegFaults in the imap binary on a LIST "" "" command, as sent by Claws mail. Using LIST "" "INBOX" or similar is fine. Here is an example telnet session
$ telnet 127.0.0.1 143 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'.
- OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready. 01 LOGIN **** **** 01 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SPECIAL-USE QUOTA] Logged in 02 LIST "" "" Connection closed by foreign host.
In the log file
dovecot[8375]: imap(***): Fatal: master: service(imap): child 15803 killed with signal 11 (core dumps disabled)
Please find the config below.
Best regards, Thorsten
$ doveconf -n # 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.16 (1dc4c73) # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6 auth_debug = yes auth_debug_passwords = yes auth_socket_path = /var/run/dovecot/auth-userdb auth_verbose = yes base_dir = /var/run/dovecot/ default_internal_user = pop first_valid_uid = 48 import_environment = TZ DEBUG=1 last_valid_uid = 48 login_trusted_networks = **** mail_debug = yes mail_gid = pop mail_plugins = " mail_log notify zlib quota" mail_uid = pop managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext namespace inbox { inbox = yes list = children location = mailbox Drafts { auto = no special_use = \Drafts } mailbox Sent { auto = no special_use = \Sent } mailbox Trash { auto = no autoexpunge = 30 days special_use = \Trash } mailbox drafts { auto = no special_use = \Drafts } mailbox sent { auto = no special_use = \Sent } mailbox spamverdacht { auto = no autoexpunge = 30 days special_use = \Junk } mailbox trash { auto = no autoexpunge = 30 days special_use = \Trash } mailbox virenverdacht { auto = no autoexpunge = 30 days special_use = \Junk } prefix = INBOX. separator = . 
subscriptions = yes type = private } passdb { args = nopassword=y driver = static } plugin { last_login_dict = file:~/lastlogin mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename mail_log_fields = uid box msgid size quota = maildir:User quota quota_warning = storage=80%% 80 %u %{userdb:quota_bytes} quota_warning2 = storage=90%% 90 %u %{userdb:quota_bytes} quota_warning3 = storage=95%% 95 %u %{userdb:quota_bytes} sieve = ldap:/etc/dovecot/pigeonhole-ldap.conf sieve_dir = ~/sieve sieve_plugins = sieve_storage_ldap zlib_save = gz zlib_save_level = 6 } service imap { executable = imap postlogin } service pop3 { executable = pop3 postlogin } service postlogin { executable = script-login -d rawlog } service quota-warning { executable = script /bin/quota-warning.sh } ssl = no userdb { args = /etc/dovecot/userdb-ldap.conf driver = ldap result_failure = return-fail result_internalfail = return-fail result_success = continue-ok } userdb { default_fields = quota_bytes=42M driver = bdb_quota override_fields = quota_rule=*:bytes=%{userdb:quota_bytes} result_failure = return-fail result_internalfail = return-fail result_success = continue-ok } verbose_proctitle = yes protocol lda { auth_socket_path = /var/run/dovecot/auth-userdb mail_plugin_dir = /lib/dovecot/modules mail_plugins = " mail_log notify zlib quota sieve" } protocol imap { mail_plugins = " mail_log notify zlib quota imap_xauth last_login imap_quota" } protocol pop3 { mail_plugins = " mail_log notify zlib quota last_login" }
On 19.01.2017 15:56, Thorsten Hater wrote:
The Problem arises due to a NULL deref in mail_namespaces.c line 601. Backtrace below
x LIST "" ""
Program received signal SIGSEGV, Segmentation fault.
mail_namespaces_get_root_sep (namespaces=0x0) at mail-namespace.c:601
601 while ((namespaces->flags & NAMESPACE_FLAG_LIST_PREFIX) == 0)
(gdb) bt
#0 mail_namespaces_get_root_sep (namespaces=0x0) at mail-namespace.c:601
#1 0x000000000041164c in cmd_list_ref_root (ref=0x65b060 "", client=0x65a590) at cmd-list.c:324
#2 cmd_list_full (cmd=0x65aee0, lsub=<optimized out>) at cmd-list.c:461
#3 0x0000000000419825 in command_exec (cmd=cmd@entry=0x65aee0) at imap-commands.c:181
#4 0x0000000000417de2 in client_command_input (cmd=cmd@entry=0x65aee0) at imap-client.c:988
#5 0x0000000000417e70 in client_command_input (cmd=0x65aee0) at imap-client.c:1048
#6 0x00000000004181e5 in client_handle_next_command (remove_io_r=<synthetic pointer>, client=0x65a590) at imap-client.c:1090
#7 client_handle_input (client=0x65a590) at imap-client.c:1102
#8 0x0000000000418692 in client_input (client=0x65a590) at imap-client.c:1149
#9 0x00007ffff76297ac in io_loop_call_io (io=0x652aa0) at ioloop.c:589
#10 0x00007ffff762ab4a in io_loop_handler_run_internal (ioloop=ioloop@entry=0x63e7f0) at ioloop-epoll.c:222
#11 0x00007ffff7629835 in io_loop_handler_run (ioloop=ioloop@entry=0x63e7f0) at ioloop.c:637
#12 0x00007ffff76299d8 in io_loop_run (ioloop=0x63e7f0) at ioloop.c:613
#13 0x00007ffff75b9823 in master_service_run (service=0x63e690, callback=callback@entry=0x423d40 ) at master-service.c:641
#14 0x000000000040c567 in main (argc=3, argv=0x63e390) at main.c:460
On Thu, Jan 19, 2017 at 1:05 PM, Thorsten Hater thorsten.hater@gmail.com wrote:
Dear all,
I experience SegFaults in the imap binary on a LIST "" "" command, as sent by Claws mail. Using LIST "" "INBOX" or similar is fine. Here is an example telnet session
$ telnet 127.0.0.1 143 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'.
- OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready. 01 LOGIN **** **** 01 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SPECIAL-USE QUOTA] Logged in 02 LIST "" "" Connection closed by foreign host.
In the log file
dovecot[8375]: imap(***): Fatal: master: service(imap): child 15803 killed with signal 11 (core dumps disabled)
Please find the config below.
Best regards, Thorsten
$ doveconf -n # 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.16 (1dc4c73) # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6 auth_debug = yes auth_debug_passwords = yes auth_socket_path = /var/run/dovecot/auth-userdb auth_verbose = yes base_dir = /var/run/dovecot/ default_internal_user = pop first_valid_uid = 48 import_environment = TZ DEBUG=1 last_valid_uid = 48 login_trusted_networks = **** mail_debug = yes mail_gid = pop mail_plugins = " mail_log notify zlib quota" mail_uid = pop managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext namespace inbox { inbox = yes list = children location = mailbox Drafts { auto = no special_use = \Drafts } mailbox Sent { auto = no special_use = \Sent } mailbox Trash { auto = no autoexpunge = 30 days special_use = \Trash } mailbox drafts { auto = no special_use = \Drafts } mailbox sent { auto = no special_use = \Sent } mailbox spamverdacht { auto = no autoexpunge = 30 days special_use = \Junk } mailbox trash { auto = no autoexpunge = 30 days special_use = \Trash } mailbox virenverdacht { auto = no autoexpunge = 30 days special_use = \Junk } prefix = INBOX. separator = . 
subscriptions = yes type = private } passdb { args = nopassword=y driver = static } plugin { last_login_dict = file:~/lastlogin mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename mail_log_fields = uid box msgid size quota = maildir:User quota quota_warning = storage=80%% 80 %u %{userdb:quota_bytes} quota_warning2 = storage=90%% 90 %u %{userdb:quota_bytes} quota_warning3 = storage=95%% 95 %u %{userdb:quota_bytes} sieve = ldap:/etc/dovecot/pigeonhole-ldap.conf sieve_dir = ~/sieve sieve_plugins = sieve_storage_ldap zlib_save = gz zlib_save_level = 6 } service imap { executable = imap postlogin } service pop3 { executable = pop3 postlogin } service postlogin { executable = script-login -d rawlog } service quota-warning { executable = script /bin/quota-warning.sh } ssl = no userdb { args = /etc/dovecot/userdb-ldap.conf driver = ldap result_failure = return-fail result_internalfail = return-fail result_success = continue-ok } userdb { default_fields = quota_bytes=42M driver = bdb_quota override_fields = quota_rule=*:bytes=%{userdb:quota_bytes} result_failure = return-fail result_internalfail = return-fail result_success = continue-ok } verbose_proctitle = yes protocol lda { auth_socket_path = /var/run/dovecot/auth-userdb mail_plugin_dir = /lib/dovecot/modules mail_plugins = " mail_log notify zlib quota sieve" } protocol imap { mail_plugins = " mail_log notify zlib quota imap_xauth last_login imap_quota" } protocol pop3 { mail_plugins = " mail_log notify zlib quota last_login" }
Hi!
We are looking into this crash.
Are you intentionally setting inbox namespace location to empty?
Aki