Segfault on LIST Command

Thorsten Hater thorsten.hater at gmail.com
Mon Jan 23 09:45:41 UTC 2017 

Hi,

I did added the default location and stripped down my config to a very
basic
level, dropping all plugins and database queries, see below. The segfault
still
appears in the same location.
As I have build from source, I wonder whether you can reproduce the problem?

Thorsten

$  doveconf -n
# 2.2.26.0 (23d1de6): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (1dc4c73)
# OS: Linux 3.18.16-intel-vm-64bit x86_64 Debian 8.6
auth_debug = yes
auth_debug_passwords = yes
auth_socket_path = /usr/local/var/run/dovecot/auth-userdb
auth_verbose = yes
base_dir = /usr/local/var/run/dovecot/
default_internal_user = pop
first_valid_uid = 48
import_environment = TZ DEBUG=1
last_valid_uid = 48
login_greeting = Dovecot ready.
login_trusted_networks = ****
mail_debug = yes
mail_gid = pop
mail_location = maildir:~/Maildir
mail_plugin_dir = /usr/local/lib/dovecot/
mail_uid = pop
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags
copy include variables body enotify environment mailbox date index ihave
duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  list = children
  location = maildir:~/Maildir
  prefix = INBOX.
  separator = .
  subscriptions = yes
  type = private
}
passdb {
  args = nopassword=yes
  driver = static
}
protocols = imap pop3 lmtp imap pop3
ssl = no
userdb {
  args = home=**** uid=pop gid=pop quota_rule=*:bytes=1000M
  driver = static
}
verbose_proctitle = yes
protocol lda {
  auth_socket_path = /usr/local/var/run/dovecot/auth-userdb
}


On Mon, Jan 23, 2017 at 10:01 AM, Thorsten Hater <thorsten.hater at gmail.com>
wrote:

> Hi,
>
> thanks for picking this up. The location is pulled from the database, but
> is uniform
> for all users, so I could set it to maildir:~/Maildir globally. Assuming
> ~ is expanded
> later on with userdb data. So, no, there is no special intention behind
> this.
>
> Thorsten
>
> On Mon, Jan 23, 2017 at 9:37 AM, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>
>>
>>
>> On 19.01.2017 15:56, Thorsten Hater wrote:
>> > The Problem arises due to a NULL deref in mail_namespaces.c line 601.
>> > Backtrace below
>> >
>> > x LIST "" ""
>> >
>> > Program received signal SIGSEGV, Segmentation fault.
>> > mail_namespaces_get_root_sep (namespaces=0x0) at mail-namespace.c:601
>> > 601 while ((namespaces->flags & NAMESPACE_FLAG_LIST_PREFIX) == 0)
>> > (gdb) bt
>> > #0  mail_namespaces_get_root_sep (namespaces=0x0) at
>> mail-namespace.c:601
>> > #1  0x000000000041164c in cmd_list_ref_root (ref=0x65b060 "",
>> > client=0x65a590) at cmd-list.c:324
>> > #2  cmd_list_full (cmd=0x65aee0, lsub=<optimized out>) at cmd-list.c:461
>> > #3  0x0000000000419825 in command_exec (cmd=cmd at entry=0x65aee0) at
>> > imap-commands.c:181
>> > #4  0x0000000000417de2 in client_command_input (cmd=cmd at entry=0x65aee0)
>> at
>> > imap-client.c:988
>> > #5  0x0000000000417e70 in client_command_input (cmd=0x65aee0) at
>> > imap-client.c:1048
>> > #6  0x00000000004181e5 in client_handle_next_command
>> > (remove_io_r=<synthetic pointer>, client=0x65a590) at imap-client.c:1090
>> > #7  client_handle_input (client=0x65a590) at imap-client.c:1102
>> > #8  0x0000000000418692 in client_input (client=0x65a590) at
>> > imap-client.c:1149
>> > #9  0x00007ffff76297ac in io_loop_call_io (io=0x652aa0) at ioloop.c:589
>> > #10 0x00007ffff762ab4a in io_loop_handler_run_internal
>> > (ioloop=ioloop at entry=0x63e7f0)
>> > at ioloop-epoll.c:222
>> > #11 0x00007ffff7629835 in io_loop_handler_run (ioloop=ioloop at entry
>> =0x63e7f0)
>> > at ioloop.c:637
>> > #12 0x00007ffff76299d8 in io_loop_run (ioloop=0x63e7f0) at ioloop.c:613
>> > #13 0x00007ffff75b9823 in master_service_run (service=0x63e690,
>> > callback=callback at entry=0x423d40 <client_connected>) at
>> master-service.c:641
>> > #14 0x000000000040c567 in main (argc=3, argv=0x63e390) at main.c:460
>> >
>> > On Thu, Jan 19, 2017 at 1:05 PM, Thorsten Hater <
>> thorsten.hater at gmail.com>
>> > wrote:
>> >
>> >> Dear all,
>> >>
>> >> I experience SegFaults in the imap binary on a LIST "" "" command,
>> >> as sent by Claws mail. Using LIST "" "INBOX" or similar is fine.
>> >> Here is an example telnet session
>> >>
>> >> $ telnet 127.0.0.1 143
>> >> Trying 127.0.0.1...
>> >> Connected to 127.0.0.1.
>> >> Escape character is '^]'.
>> >> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
>> IDLE
>> >> AUTH=PLAIN] Dovecot ready.
>> >> 01 LOGIN **** ****
>> >> 01 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
>> >> IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS
>> THREAD=ORDEREDSUBJECT
>> >> MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS
>> >> LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES
>> WITHIN
>> >> CONTEXT=SEARCH LIST-STATUS BINARY MOVE SPECIAL-USE QUOTA] Logged in
>> >> 02 LIST "" ""
>> >> Connection closed by foreign host.
>> >>
>> >> In the log file
>> >>
>> >> dovecot[8375]: imap(***): Fatal: master: service(imap): child 15803
>> killed
>> >> with signal 11 (core dumps disabled)
>> >>
>> >> Please find the config below.
>> >>
>> >> Best regards,
>> >>  Thorsten
>> >>
>> >> $ doveconf -n
>> >> # 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
>> >> # Pigeonhole version 0.4.16 (1dc4c73)
>> >> # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6
>> >> auth_debug = yes
>> >> auth_debug_passwords = yes
>> >> auth_socket_path = /var/run/dovecot/auth-userdb
>> >> auth_verbose = yes
>> >> base_dir = /var/run/dovecot/
>> >> default_internal_user = pop
>> >> first_valid_uid = 48
>> >> import_environment = TZ DEBUG=1
>> >> last_valid_uid = 48
>> >> login_trusted_networks = ****
>> >> mail_debug = yes
>> >> mail_gid = pop
>> >> mail_plugins = " mail_log notify zlib quota"
>> >> mail_uid = pop
>> >> managesieve_notify_capability = mailto
>> >> managesieve_sieve_capability = fileinto reject envelope
>> encoded-character
>> >> vacation subaddress comparator-i;ascii-numeric relational regex
>> imap4flags
>> >> copy include variables body enotify environment mailbox date index
>> ihave
>> >> duplicate mime foreverypart extracttext
>> >> namespace inbox {
>> >>   inbox = yes
>> >>   list = children
>> >>   location =
>> >>   mailbox Drafts {
>> >>     auto = no
>> >>     special_use = \Drafts
>> >>   }
>> >>   mailbox Sent {
>> >>     auto = no
>> >>     special_use = \Sent
>> >>   }
>> >>   mailbox Trash {
>> >>     auto = no
>> >>     autoexpunge = 30 days
>> >>     special_use = \Trash
>> >>   }
>> >>   mailbox drafts {
>> >>     auto = no
>> >>     special_use = \Drafts
>> >>   }
>> >>   mailbox sent {
>> >>     auto = no
>> >>     special_use = \Sent
>> >>   }
>> >>   mailbox spamverdacht {
>> >>     auto = no
>> >>     autoexpunge = 30 days
>> >>     special_use = \Junk
>> >>   }
>> >>   mailbox trash {
>> >>     auto = no
>> >>     autoexpunge = 30 days
>> >>     special_use = \Trash
>> >>   }
>> >>   mailbox virenverdacht {
>> >>     auto = no
>> >>     autoexpunge = 30 days
>> >>     special_use = \Junk
>> >>   }
>> >>   prefix = INBOX.
>> >>   separator = .
>> >>   subscriptions = yes
>> >>   type = private
>> >> }
>> >> passdb {
>> >>   args = nopassword=y
>> >>   driver = static
>> >> }
>> >> plugin {
>> >>   last_login_dict = file:~/lastlogin
>> >>   mail_log_events = delete undelete expunge copy mailbox_delete
>> >> mailbox_rename
>> >>   mail_log_fields = uid box msgid size
>> >>   quota = maildir:User quota
>> >>   quota_warning = storage=80%% 80 %u %{userdb:quota_bytes}
>> >>   quota_warning2 = storage=90%% 90 %u %{userdb:quota_bytes}
>> >>   quota_warning3 = storage=95%% 95 %u %{userdb:quota_bytes}
>> >>   sieve = ldap:/etc/dovecot/pigeonhole-ldap.conf
>> >>   sieve_dir = ~/sieve
>> >>   sieve_plugins = sieve_storage_ldap
>> >>   zlib_save = gz
>> >>   zlib_save_level = 6
>> >> }
>> >> service imap {
>> >>   executable = imap postlogin
>> >> }
>> >> service pop3 {
>> >>   executable = pop3 postlogin
>> >> }
>> >> service postlogin {
>> >>   executable = script-login -d rawlog
>> >> }
>> >> service quota-warning {
>> >>   executable = script /bin/quota-warning.sh
>> >> }
>> >> ssl = no
>> >> userdb {
>> >>   args = /etc/dovecot/userdb-ldap.conf
>> >>   driver = ldap
>> >>   result_failure = return-fail
>> >>   result_internalfail = return-fail
>> >>   result_success = continue-ok
>> >> }
>> >> userdb {
>> >>   default_fields = quota_bytes=42M
>> >>   driver = bdb_quota
>> >>   override_fields = quota_rule=*:bytes=%{userdb:quota_bytes}
>> >>   result_failure = return-fail
>> >>   result_internalfail = return-fail
>> >>   result_success = continue-ok
>> >> }
>> >> verbose_proctitle = yes
>> >> protocol lda {
>> >>   auth_socket_path = /var/run/dovecot/auth-userdb
>> >>   mail_plugin_dir = /lib/dovecot/modules
>> >>   mail_plugins = " mail_log notify zlib quota sieve"
>> >> }
>> >> protocol imap {
>> >>   mail_plugins = " mail_log notify zlib quota imap_xauth last_login
>> >> imap_quota"
>> >> }
>> >> protocol pop3 {
>> >>   mail_plugins = " mail_log notify zlib quota last_login"
>> >> }
>> >>
>>
>> Hi!
>>
>> We are looking into this crash.
>>
>> Are you intentionally setting inbox namespace location to empty?
>>
>> Aki
>>
>
>

More information about the dovecot mailing list