Segfault on LIST Command

Aki Tuomi aki.tuomi at dovecot.fi
Mon Jan 23 09:46:56 UTC 2017


I'll try to reproduce this issue, but can you, in the meantime, run this
with mail_debug=yes and provide logs?

Aki

On 23.01.2017 11:45, Thorsten Hater wrote:
> Hi,
>
> I added the default location and stripped down my config to a very basic
> level, dropping all plugins and database queries, see below. The segfault
> still appears in the same location.
> As I have built from source, I wonder whether you can reproduce the problem?
>
> Thorsten
>
> $  doveconf -n
> # 2.2.26.0 (23d1de6): /usr/local/etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.16 (1dc4c73)
> # OS: Linux 3.18.16-intel-vm-64bit x86_64 Debian 8.6
> auth_debug = yes
> auth_debug_passwords = yes
> auth_socket_path = /usr/local/var/run/dovecot/auth-userdb
> auth_verbose = yes
> base_dir = /usr/local/var/run/dovecot/
> default_internal_user = pop
> first_valid_uid = 48
> import_environment = TZ DEBUG=1
> last_valid_uid = 48
> login_greeting = Dovecot ready.
> login_trusted_networks = ****
> mail_debug = yes
> mail_gid = pop
> mail_location = maildir:~/Maildir
> mail_plugin_dir = /usr/local/lib/dovecot/
> mail_uid = pop
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character
> vacation subaddress comparator-i;ascii-numeric relational regex imap4flags
> copy include variables body enotify environment mailbox date index ihave
> duplicate mime foreverypart extracttext
> namespace inbox {
>   inbox = yes
>   list = children
>   location = maildir:~/Maildir
>   prefix = INBOX.
>   separator = .
>   subscriptions = yes
>   type = private
> }
> passdb {
>   args = nopassword=yes
>   driver = static
> }
> protocols = imap pop3 lmtp imap pop3
> ssl = no
> userdb {
>   args = home=**** uid=pop gid=pop quota_rule=*:bytes=1000M
>   driver = static
> }
> verbose_proctitle = yes
> protocol lda {
>   auth_socket_path = /usr/local/var/run/dovecot/auth-userdb
> }
>
>
> On Mon, Jan 23, 2017 at 10:01 AM, Thorsten Hater <thorsten.hater at gmail.com>
> wrote:
>
>> Hi,
>>
>> thanks for picking this up. The location is pulled from the database, but
>> is uniform for all users, so I could set it to maildir:~/Maildir globally.
>> Assuming ~ is expanded later on with userdb data. So, no, there is no
>> special intention behind this.
>>
>> Thorsten
>>
>> On Mon, Jan 23, 2017 at 9:37 AM, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>>
>>>
>>> On 19.01.2017 15:56, Thorsten Hater wrote:
>>>> The Problem arises due to a NULL deref in mail_namespaces.c line 601.
>>>> Backtrace below
>>>>
>>>> x LIST "" ""
>>>>
>>>> Program received signal SIGSEGV, Segmentation fault.
>>>> mail_namespaces_get_root_sep (namespaces=0x0) at mail-namespace.c:601
>>>> 601 while ((namespaces->flags & NAMESPACE_FLAG_LIST_PREFIX) == 0)
>>>> (gdb) bt
>>>> #0  mail_namespaces_get_root_sep (namespaces=0x0) at mail-namespace.c:601
>>>> #1  0x000000000041164c in cmd_list_ref_root (ref=0x65b060 "", client=0x65a590) at cmd-list.c:324
>>>> #2  cmd_list_full (cmd=0x65aee0, lsub=<optimized out>) at cmd-list.c:461
>>>> #3  0x0000000000419825 in command_exec (cmd=cmd@entry=0x65aee0) at imap-commands.c:181
>>>> #4  0x0000000000417de2 in client_command_input (cmd=cmd@entry=0x65aee0) at imap-client.c:988
>>>> #5  0x0000000000417e70 in client_command_input (cmd=0x65aee0) at imap-client.c:1048
>>>> #6  0x00000000004181e5 in client_handle_next_command (remove_io_r=<synthetic pointer>, client=0x65a590) at imap-client.c:1090
>>>> #7  client_handle_input (client=0x65a590) at imap-client.c:1102
>>>> #8  0x0000000000418692 in client_input (client=0x65a590) at imap-client.c:1149
>>>> #9  0x00007ffff76297ac in io_loop_call_io (io=0x652aa0) at ioloop.c:589
>>>> #10 0x00007ffff762ab4a in io_loop_handler_run_internal (ioloop=ioloop@entry=0x63e7f0) at ioloop-epoll.c:222
>>>> #11 0x00007ffff7629835 in io_loop_handler_run (ioloop=ioloop@entry=0x63e7f0) at ioloop.c:637
>>>> #12 0x00007ffff76299d8 in io_loop_run (ioloop=0x63e7f0) at ioloop.c:613
>>>> #13 0x00007ffff75b9823 in master_service_run (service=0x63e690, callback=callback@entry=0x423d40 <client_connected>) at master-service.c:641
>>>> #14 0x000000000040c567 in main (argc=3, argv=0x63e390) at main.c:460
>>>>
>>>> On Thu, Jan 19, 2017 at 1:05 PM, Thorsten Hater <thorsten.hater at gmail.com> wrote:
>>>>
>>>>> Dear all,
>>>>>
>>>>> I experience SegFaults in the imap binary on a LIST "" "" command,
>>>>> as sent by Claws mail. Using LIST "" "INBOX" or similar is fine.
>>>>> Here is an example telnet session
>>>>>
>>>>> $ telnet 127.0.0.1 143
>>>>> Trying 127.0.0.1...
>>>>> Connected to 127.0.0.1.
>>>>> Escape character is '^]'.
>>>>> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
>>>>> 01 LOGIN **** ****
>>>>> 01 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SPECIAL-USE QUOTA] Logged in
>>>>> 02 LIST "" ""
>>>>> Connection closed by foreign host.
>>>>>
>>>>> In the log file
>>>>>
>>>>> dovecot[8375]: imap(***): Fatal: master: service(imap): child 15803 killed with signal 11 (core dumps disabled)
>>>>>
>>>>> Please find the config below.
>>>>>
>>>>> Best regards,
>>>>>  Thorsten
>>>>>
>>>>> $ doveconf -n
>>>>> # 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
>>>>> # Pigeonhole version 0.4.16 (1dc4c73)
>>>>> # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6
>>>>> auth_debug = yes
>>>>> auth_debug_passwords = yes
>>>>> auth_socket_path = /var/run/dovecot/auth-userdb
>>>>> auth_verbose = yes
>>>>> base_dir = /var/run/dovecot/
>>>>> default_internal_user = pop
>>>>> first_valid_uid = 48
>>>>> import_environment = TZ DEBUG=1
>>>>> last_valid_uid = 48
>>>>> login_trusted_networks = ****
>>>>> mail_debug = yes
>>>>> mail_gid = pop
>>>>> mail_plugins = " mail_log notify zlib quota"
>>>>> mail_uid = pop
>>>>> managesieve_notify_capability = mailto
>>>>> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
>>>>> namespace inbox {
>>>>>   inbox = yes
>>>>>   list = children
>>>>>   location =
>>>>>   mailbox Drafts {
>>>>>     auto = no
>>>>>     special_use = \Drafts
>>>>>   }
>>>>>   mailbox Sent {
>>>>>     auto = no
>>>>>     special_use = \Sent
>>>>>   }
>>>>>   mailbox Trash {
>>>>>     auto = no
>>>>>     autoexpunge = 30 days
>>>>>     special_use = \Trash
>>>>>   }
>>>>>   mailbox drafts {
>>>>>     auto = no
>>>>>     special_use = \Drafts
>>>>>   }
>>>>>   mailbox sent {
>>>>>     auto = no
>>>>>     special_use = \Sent
>>>>>   }
>>>>>   mailbox spamverdacht {
>>>>>     auto = no
>>>>>     autoexpunge = 30 days
>>>>>     special_use = \Junk
>>>>>   }
>>>>>   mailbox trash {
>>>>>     auto = no
>>>>>     autoexpunge = 30 days
>>>>>     special_use = \Trash
>>>>>   }
>>>>>   mailbox virenverdacht {
>>>>>     auto = no
>>>>>     autoexpunge = 30 days
>>>>>     special_use = \Junk
>>>>>   }
>>>>>   prefix = INBOX.
>>>>>   separator = .
>>>>>   subscriptions = yes
>>>>>   type = private
>>>>> }
>>>>> passdb {
>>>>>   args = nopassword=y
>>>>>   driver = static
>>>>> }
>>>>> plugin {
>>>>>   last_login_dict = file:~/lastlogin
>>>>>   mail_log_events = delete undelete expunge copy mailbox_delete
>>>>> mailbox_rename
>>>>>   mail_log_fields = uid box msgid size
>>>>>   quota = maildir:User quota
>>>>>   quota_warning = storage=80%% 80 %u %{userdb:quota_bytes}
>>>>>   quota_warning2 = storage=90%% 90 %u %{userdb:quota_bytes}
>>>>>   quota_warning3 = storage=95%% 95 %u %{userdb:quota_bytes}
>>>>>   sieve = ldap:/etc/dovecot/pigeonhole-ldap.conf
>>>>>   sieve_dir = ~/sieve
>>>>>   sieve_plugins = sieve_storage_ldap
>>>>>   zlib_save = gz
>>>>>   zlib_save_level = 6
>>>>> }
>>>>> service imap {
>>>>>   executable = imap postlogin
>>>>> }
>>>>> service pop3 {
>>>>>   executable = pop3 postlogin
>>>>> }
>>>>> service postlogin {
>>>>>   executable = script-login -d rawlog
>>>>> }
>>>>> service quota-warning {
>>>>>   executable = script /bin/quota-warning.sh
>>>>> }
>>>>> ssl = no
>>>>> userdb {
>>>>>   args = /etc/dovecot/userdb-ldap.conf
>>>>>   driver = ldap
>>>>>   result_failure = return-fail
>>>>>   result_internalfail = return-fail
>>>>>   result_success = continue-ok
>>>>> }
>>>>> userdb {
>>>>>   default_fields = quota_bytes=42M
>>>>>   driver = bdb_quota
>>>>>   override_fields = quota_rule=*:bytes=%{userdb:quota_bytes}
>>>>>   result_failure = return-fail
>>>>>   result_internalfail = return-fail
>>>>>   result_success = continue-ok
>>>>> }
>>>>> verbose_proctitle = yes
>>>>> protocol lda {
>>>>>   auth_socket_path = /var/run/dovecot/auth-userdb
>>>>>   mail_plugin_dir = /lib/dovecot/modules
>>>>>   mail_plugins = " mail_log notify zlib quota sieve"
>>>>> }
>>>>> protocol imap {
>>>>>   mail_plugins = " mail_log notify zlib quota imap_xauth last_login
>>>>> imap_quota"
>>>>> }
>>>>> protocol pop3 {
>>>>>   mail_plugins = " mail_log notify zlib quota last_login"
>>>>> }
>>>>>
>>> Hi!
>>>
>>> We are looking into this crash.
>>>
>>> Are you intentionally setting inbox namespace location to empty?
>>>
>>> Aki
>>>
>>
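
The backtrace quoted above faults in the loop at mail-namespace.c:601 with namespaces=0x0. As an added example (not Dovecot's code and not part of this thread), the C below models that list walk next to a NULL-guarded version; struct ns, the value of NS_FLAG_LIST_PREFIX, the function names and the -1 error return are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified model of a namespace list (not Dovecot's types). */
#define NS_FLAG_LIST_PREFIX 0x01u /* assumed flag value */

struct ns {
    unsigned int flags;
    char sep;
    struct ns *next;
};

/* Shape of the loop in the backtrace: it assumes a flagged entry always
 * exists, so an empty list or a list with no flagged entry ends in a
 * NULL dereference. Shown for comparison only; never called here. */
char root_sep_unchecked(const struct ns *namespaces)
{
    while ((namespaces->flags & NS_FLAG_LIST_PREFIX) == 0)
        namespaces = namespaces->next;
    return namespaces->sep;
}

/* Guarded walk: returns 0 and stores the separator in *sep_r, or -1 when
 * no entry carries the flag, so the caller can send an error reply. */
int root_sep_checked(const struct ns *namespaces, char *sep_r)
{
    for (; namespaces != NULL; namespaces = namespaces->next) {
        if ((namespaces->flags & NS_FLAG_LIST_PREFIX) != 0) {
            *sep_r = namespaces->sep;
            return 0;
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed sample lists. */
    struct ns listed = { NS_FLAG_LIST_PREFIX, '/', NULL };
    struct ns chain = { 0, '.', &listed };
    struct ns unflagged = { 0, '.', NULL };
    char sep = '?';

    printf("empty list: %d\n", root_sep_checked(NULL, &sep));
    printf("no flagged entry: %d\n", root_sep_checked(&unflagged, &sep));
    int rc = root_sep_checked(&chain, &sep);
    printf("flagged entry: %d sep=%c\n", rc, sep);
    return 0;
}
```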
