[Dovecot] 1.1r1: auth-worker(default): BUG: PASSV had missing parameters, sig11
I don't know how this happened. I'm not sure if there is a coredump somewhere because I don't know what user, and I have nothing for 'root' or 'dovecot'. Any advice, or should I make all my coredumps go to a central writable directory so I have better chance of catching it if it happens again? Is it maybe from someone connecting to postfix and causing a SMTP-AUTH to timeout? Although that is unlikely because users should not know how to reach this server's SMTP ports. I cut most of the surrounding log entries below because they seemed unrelated normal activity, but two of the lines below I left because of the timestamp.
socket: type: listen client: path: /var/spool/postfix/private/auth mode: 384 user: postfix group: postfix
Mar 8 17:02:17 boomhauer dovecot: auth-worker(default): BUG: PASSV had
missing parameters
Mar 8 17:03:47 boomhauer dovecot: auth-worker(default): BUG: PASSV had
missing parameters
Mar 8 17:05:17 boomhauer dovecot: imap-login: Disconnected: Inactivity:
method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Mar 8 17:05:17 boomhauer dovecot: child 72819 (login) killed with signal 11
Mar 8 17:06:47 boomhauer dovecot: imap-login: Disconnected: Inactivity:
method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Mar 8 17:06:47 boomhauer dovecot: child 72857 (login) killed with signal 11
On Sun, 2008-03-09 at 03:50 -0400, Adam McDougall wrote:
Mar 8 17:02:17 boomhauer dovecot: auth-worker(default): BUG: PASSV had missing parameters
Thanks, I kept trying to figure out what caused this and then started wondering about password escaping and found the security hole. I still hadn't figured out what caused this though, until I realized that passwords can have linefeeds as well which can cause this.
Mar 8 17:05:17 boomhauer dovecot: child 72819 (login) killed with signal 11
This still shouldn't happen though. I didn't try to reproduce this yet.
It's anyway quite difficult to get core dumps out of login processes. I'm not sure if FreeBSD lets you do that in some special way, but there are at least two things in the way:
Kernel thinks it's a setuid program, and setuid programs don't core dump.
It's chrooted to a non-writable directory.
Timo Sirainen wrote:
On Sun, 2008-03-09 at 03:50 -0400, Adam McDougall wrote:
Mar 8 17:02:17 boomhauer dovecot: auth-worker(default): BUG: PASSV had missing parameters
Thanks, I kept trying to figure out what caused this and then started wondering about password escaping and found the security hole. I still hadn't figured out what caused this though, until I realized that passwords can have linefeeds as well which can cause this.
Mar 8 17:05:17 boomhauer dovecot: child 72819 (login) killed with signal 11
This still shouldn't happen though. I didn't try to reproduce this yet.
It's anyway quite difficult to get core dumps out of login processes. I'm not sure if FreeBSD lets you do that in some special way, but there are at least two things in the way:
Kernel thinks it's a setuid program, and setuid programs don't core dump.
It's chrooted to a non-writable directory.
- I could enable this:
sysctl -d kern.sugid_coredump
kern.sugid_coredump: Enable coredumping set user/group ID processes
- And add an absolute path infront of this that is world writable:
sysctl kern.corefile
kern.corefile: %N.%P.boomhauer.core
Can you think of a way that I could force the issue to be reproduced so I can get away with making these changes on less servers?
On Sun, 2008-03-09 at 11:48 -0400, Adam McDougall wrote:
Mar 8 17:05:17 boomhauer dovecot: child 72819 (login) killed with signal 11
- I could enable this:
sysctl -d kern.sugid_coredump
kern.sugid_coredump: Enable coredumping set user/group ID processes
- And add an absolute path infront of this that is world writable:
sysctl kern.corefile
kern.corefile: %N.%P.boomhauer.core
Interesting. I added these to: http://dovecot.org/bugreport.html
Can you think of a way that I could force the issue to be reproduced so I can get away with making these changes on less servers?
I think this fixes it: http://hg.dovecot.org/dovecot-1.1/rev/de4881149c0e
Timo Sirainen wrote:
On Sun, 2008-03-09 at 11:48 -0400, Adam McDougall wrote:
- I could enable this:
Mar 8 17:05:17 boomhauer dovecot: child 72819 (login) killed with signal 11
sysctl -d kern.sugid_coredump
kern.sugid_coredump: Enable coredumping set user/group ID processes
- And add an absolute path infront of this that is world writable:
sysctl kern.corefile
kern.corefile: %N.%P.boomhauer.core
Interesting. I added these to: http://dovecot.org/bugreport.html
Can you think of a way that I could force the issue to be reproduced so I can get away with making these changes on less servers?
I think this fixes it: http://hg.dovecot.org/dovecot-1.1/rev/de4881149c0e
Applied to my installation. Do you think the condition was it introduced around rc1, or older?
On Sun, 2008-03-09 at 23:39 -0400, Adam McDougall wrote:
Timo Sirainen wrote:
On Sun, 2008-03-09 at 11:48 -0400, Adam McDougall wrote:
Mar 8 17:05:17 boomhauer dovecot: child 72819 (login) killed with signal 11
I think this fixes it: http://hg.dovecot.org/dovecot-1.1/rev/de4881149c0e
Applied to my installation. Do you think the condition was it introduced around rc1, or older?
The potential for "PASSV had missing parameters" has been there for a long time. The login process crash was added in beta14 I think.
participants (2)
-
Adam McDougall
-
Timo Sirainen