[Dovecot] Command died with signal 11: "/usr/lib/dovecot/deliver"
Hello
I have problem with deliver dying with signal 11. I'm using postfix + dovecot devliver. If mailbox have many (100+) redirects in sieve or many other sieve rules deliver died. I have tested this in debian etch + dovecot 1.1.18 (compiled from sources) and debian lenny + dovecot 1.1.13 from backports.
Sep 7 13:58:19 mail postfix/pipe[5964]: AC6835938: to=test1@mx.domain, orig_to=test1@domain, relay=dovecot, delay=10, delays=0.06/0.01/0/10, dsn=5.3.0, status=bounced (Command died with signal 11: "/usr/lib/dovecot/deliver")
I try to debug by running deliver via gdbhelper:
GNU gdb 6.4.90-debian Copyright (C) 2006 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i486-linux-gnu"..."/tmp/deliver.sh": not in executable format: File format not recognized
Attaching to process 8557 Reading symbols from /bin/bash...(no debugging symbols found)...done. Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1". Reading symbols from /lib/libncurses.so.5...(no debugging symbols found)...done. Loaded symbols for /lib/libncurses.so.5 Reading symbols from /lib/tls/i686/cmov/libdl.so.2... (no debugging symbols found)...done. Loaded symbols for /lib/tls/i686/cmov/libdl.so.2 Reading symbols from /lib/tls/i686/cmov/libc.so.6...(no debugging symbols found)...done. Loaded symbols for /lib/tls/i686/cmov/libc.so.6 Reading symbols from /lib/ld-linux.so.2... (no debugging symbols found)...done. Loaded symbols for /lib/ld-linux.so.2 Reading symbols from /lib/tls/i686/cmov/libnss_files.so.2...(no debugging symbols found)...done. Loaded symbols for /lib/tls/i686/cmov/libnss_files.so.2
(no debugging symbols found) 0xffffe410 in __kernel_vsyscall () (gdb) Signal Stop Print Pass to program Description SIGPIPE No Yes Yes Broken pipe (gdb) Signal Stop Print Pass to program Description SIGALRM No No Yes Alarm clock (gdb) Signal Stop Print Pass to program Description SIG32 No Yes Yes Real-time event 32 (gdb) Continuing.
Program received signal SIGSEGV, Segmentation fault. 0xb7e458d2 in free () from /lib/tls/i686/cmov/libc.so.6 (gdb) #0 0xb7e458d2 in free () from /lib/tls/i686/cmov/libc.so.6 No symbol table info available. #1 0xbfb3aed4 in ?? () No symbol table info available. #2 0xffffeffc in ?? () No symbol table info available. #3 0xb7e4a45c in mtrace () from /lib/tls/i686/cmov/libc.so.6 No symbol table info available. #4 0x08119ecc in ?? () No symbol table info available. #5 0xbfb3aed4 in ?? () No symbol table info available. #6 0xbfb3af18 in ?? () No symbol table info available. #7 0xbfb3aecc in ?? () No symbol table info available. #8 0x08118e50 in ?? () No symbol table info available. #9 0x08111f18 in ?? () No symbol table info available. #10 0xbfb3aed8 in ?? () No symbol table info available. #11 0x00000000 in ?? () No symbol table info available. (gdb) Detaching from program: /bin/bash, process 8557
my config
base_dir = /var/run/dovecot/ protocols = imap imaps pop3 pop3s disable_plaintext_auth = no log_timestamp = "%Y-%m-%d %H:%M:%S " mail_location = maildir:%h/Maildir mail_privileged_group = mail verbose_proctitle = yes first_valid_uid = 1000 protocol imap { mail_max_userip_connections = 10 mail_plugin_dir = /usr/lib/dovecot/modules/imap mail_plugins = quota imap_quota zlib imap_logout_format = bytes=%i/%o imap_client_workarounds = delay-newmail } protocol pop3 { pop3_uidl_format = %Mf mail_max_userip_connections = 3 mail_plugin_dir = /usr/lib/dovecot/modules/pop3 mail_plugins = quota zlib pop3_client_workarounds = outlook-no-nuls oe-ns-eoh } protocol lda { postmaster_address = postmaster@example.com mail_plugins = cmusieve quota mail_plugin_dir = /usr/lib/dovecot/modules/lda sieve_global_dir = /etc/ogicom/sieve/global/ deliver_log_format = msgid=%m: %$ (subject: %s, From: %f) auth_socket_path = /var/run/dovecot/auth-master } auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@+% auth default { mechanisms = plain login passdb sql { args = /etc/dovecot/dovecot-sql.user.conf } passdb sql { args = /etc/dovecot/dovecot-sql.alias.conf } userdb prefetch { } userdb prefetch { } userdb sql { args = /etc/dovecot/dovecot-sql.deliver.conf } user = root socket listen { master { path = /var/run/dovecot/auth-master mode = 0600 user = vmail } client { path = /var/spool/postfix/private/auth mode = 0660 user = postfix group = postfix } } } dict { } plugin { quota_rule = *:storage=5G quota = maildir }
There is a bug in dovecot code? Is there workaround?
-- Pozdrowienia Maciej Polewczynski Registered Linux user #117725 OGICOM Sp. z o.o., 61-131 Poznan, ul. Baraniaka 88 REGON 634407251, NIP 781-17-20-476, KRS 0000140692 kapital zakladowy: 410 000 PLN
On Tue, 2009-09-08 at 09:05 +0200, Maciej Polewczyński wrote:
Hello
I have problem with deliver dying with signal 11. I'm using postfix + dovecot devliver. If mailbox have many (100+) redirects in sieve or many other sieve rules deliver died. I have tested this in debian etch + dovecot 1.1.18 (compiled from sources) and debian lenny + dovecot 1.1.13 from backports.
Can you send me one such script that crashes it?
I try to debug by running deliver via gdbhelper: .. This GDB was configured as "i486-linux-gnu"..."/tmp/deliver.sh": not in executable format: File format not recognized
gdb is trying to open /tmp/deliver.sh instead of the actual deliver binary, so it wasn't set up right.
No symbol table info available. #1 0xbfb3aed4 in ?? ()
In general when you only see "??" lines in gdb backtrace it's not useful.
Timo Sirainen pisze:
On Tue, 2009-09-08 at 09:05 +0200, Maciej Polewczyński wrote:
Hello
I have problem with deliver dying with signal 11. I'm using postfix + dovecot devliver. If mailbox have many (100+) redirects in sieve or many other sieve rules deliver died. I have tested this in debian etch + dovecot 1.1.18 (compiled from sources) and debian lenny + dovecot 1.1.13 from backports.
Can you send me one such script that crashes it?
In .dovecot.sieve I have:
require ["regex", "fileinto", "include"];
include :personal ".forward.sieve";
if anyof ( address :matches "From" [ "email@somedomain.com" ], address :matches "To" [ "myemail@mydomain.com" ], header :contains "Subject" [ "some subject" ] ) { # many commented rules keep; stop; } else { many commented rules keep; stop; }
in .forward.sieve there are above hundred redirects
redirect "test.1@domain.pl"; redirect "test.2@domain.pl"; ... redirect "test.120@domain.pl"; redirect "test.121@domain.pl";
In debian etch deliver stoping redirectict about 80-90 address and dying with signal 11. In debian lenny deliver redirect to all addresses but also dying.
I try to debug by running deliver via gdbhelper:
..
This GDB was configured as "i486-linux-gnu"..."/tmp/deliver.sh": not in executable format: File format not recognized
gdb is trying to open /tmp/deliver.sh instead of the actual deliver binary, so it wasn't set up right.
No symbol table info available. #1 0xbfb3aed4 in ?? ()
In general when you only see "??" lines in gdb backtrace it's not useful.
I run deliver through gdbhelper in this way
dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/gdbhelper /tmp/deliver.sh -d ${recipient} -f ${sender}
and in /tmp/deliver.sh
#!/bin/sh sleep 1 exec /usr/lib/dovecot/deliver $*
-- Pozdrowienia Maciej Polewczynski Registered Linux user #117725 OGICOM Sp. z o.o., 61-131 Poznan, ul. Baraniaka 88 REGON 634407251, NIP 781-17-20-476, KRS 0000140692 kapital zakladowy: 410 000 PLN
On Fri, 2009-09-11 at 12:20 +0200, Maciej Polewczyński wrote:
Can you send me one such script that crashes it?
In .dovecot.sieve I have: ..
I'll try to look into this sometimes soon, but getting gdb backtrace might get it fixed sooner.
I run deliver through gdbhelper in this way
dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/gdbhelper /tmp/deliver.sh -d ${recipient} -f ${sender}
That means you're now trying to gdb deliver.sh, which doesn't work.
and in /tmp/deliver.sh
#!/bin/sh sleep 1 exec /usr/lib/dovecot/deliver $*
Instead add it above.
exec /usr/lib/dovecot/gdbhelper /usr/lib/dovecot/deliver $*
On Fri, 2009-09-11 at 12:20 +0200, Maciej Polewczyński wrote:
I have problem with deliver dying with signal 11. I'm using postfix + dovecot devliver. If mailbox have many (100+) redirects in sieve or many other sieve rules deliver died. I have tested this in debian etch + dovecot 1.1.18 (compiled from sources) and debian lenny + dovecot 1.1.13 from backports.
Interestingly enough this is because of the security hole in Cyrus libsieve that was recently found: https://bugzilla.redhat.com/show_bug.cgi?id=521010
And even more interesting is that I found at least one other really simple buffer overflow from the libsieve code. Wonder why I hadn't checked the libsieve code properly earlier..
So, Dovecot's fixes are here:
http://hg.dovecot.org/dovecot-sieve-1.1/rev/4577c4e1130d http://hg.dovecot.org/dovecot-sieve-1.1/rev/049f22520628
I'll make new Dovecot Sieve releases and report the other new bug to Cyrus people..
participants (2)
-
Maciej Polewczyński
-
Timo Sirainen