Segfault on LIST Command

Thorsten Hater thorsten.hater at gmail.com
Mon Jan 23 09:56:52 UTC 2017 

OK, I found the problem in my config. If I use an default namespace with an
empty
name, instead of "inbox" it works as expected. Here the log for this case

Starting program: /usr/local/libexec/dovecot/imap -u ****
imap(****): Debug: auth input: **** home=**** uid=48 gid=48
quota_rule=*:bytes=1000M
imap(****): Debug: Added userdb setting: plugin/quota_rule=*:bytes=1000M
Debug: Effective uid=48, gid=48, home=****
Debug: Namespace : type=private, prefix=INBOX., sep=., inbox=yes,
hidden=no, list=children, subscriptions=yes location=maildir:~/Maildir
Debug: maildir++: root=****/Maildir, index=, indexpvt=, control=,
inbox=****/Maildir, alt=
Debug: Namespace inbox: type=private, prefix=, sep=, inbox=no, hidden=no,
list=yes, subscriptions=yes location=maildir:~/Maildir
Debug: maildir++: root=****/Maildir, index=, indexpvt=, control=, inbox=,
alt=
* PREAUTH [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT
MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS
LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN
CONTEXT=SEARCH LIST-STATUS BINARY MOVE] Logged in as ****
x LIST "" ""
* LIST (\Noselect) "." ""
x OK List completed (0.000 + 0.000 secs).



On Mon, Jan 23, 2017 at 10:46 AM, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:

> I'll try reproduce this issue, but can you, in the mean time, run this
> with mail_debug=yes and provide logs?
>
> Aki
>
> On 23.01.2017 11:45, Thorsten Hater wrote:
> > Hi,
> >
> > I did added the default location and stripped down my config to a very
> > basic
> > level, dropping all plugins and database queries, see below. The segfault
> > still
> > appears in the same location.
> > As I have build from source, I wonder whether you can reproduce the
> problem?
> >
> > Thorsten
> >
> > $  doveconf -n
> > # 2.2.26.0 (23d1de6): /usr/local/etc/dovecot/dovecot.conf
> > # Pigeonhole version 0.4.16 (1dc4c73)
> > # OS: Linux 3.18.16-intel-vm-64bit x86_64 Debian 8.6
> > auth_debug = yes
> > auth_debug_passwords = yes
> > auth_socket_path = /usr/local/var/run/dovecot/auth-userdb
> > auth_verbose = yes
> > base_dir = /usr/local/var/run/dovecot/
> > default_internal_user = pop
> > first_valid_uid = 48
> > import_environment = TZ DEBUG=1
> > last_valid_uid = 48
> > login_greeting = Dovecot ready.
> > login_trusted_networks = ****
> > mail_debug = yes
> > mail_gid = pop
> > mail_location = maildir:~/Maildir
> > mail_plugin_dir = /usr/local/lib/dovecot/
> > mail_uid = pop
> > managesieve_notify_capability = mailto
> > managesieve_sieve_capability = fileinto reject envelope encoded-character
> > vacation subaddress comparator-i;ascii-numeric relational regex
> imap4flags
> > copy include variables body enotify environment mailbox date index ihave
> > duplicate mime foreverypart extracttext
> > namespace inbox {
> >   inbox = yes
> >   list = children
> >   location = maildir:~/Maildir
> >   prefix = INBOX.
> >   separator = .
> >   subscriptions = yes
> >   type = private
> > }
> > passdb {
> >   args = nopassword=yes
> >   driver = static
> > }
> > protocols = imap pop3 lmtp imap pop3
> > ssl = no
> > userdb {
> >   args = home=**** uid=pop gid=pop quota_rule=*:bytes=1000M
> >   driver = static
> > }
> > verbose_proctitle = yes
> > protocol lda {
> >   auth_socket_path = /usr/local/var/run/dovecot/auth-userdb
> > }
> >
> >
> > On Mon, Jan 23, 2017 at 10:01 AM, Thorsten Hater <
> thorsten.hater at gmail.com>
> > wrote:
> >
> >> Hi,
> >>
> >> thanks for picking this up. The location is pulled from the database,
> but
> >> is uniform
> >> for all users, so I could set it to maildir:~/Maildir globally. Assuming
> >> ~ is expanded
> >> later on with userdb data. So, no, there is no special intention behind
> >> this.
> >>
> >> Thorsten
> >>
> >> On Mon, Jan 23, 2017 at 9:37 AM, Aki Tuomi <aki.tuomi at dovecot.fi>
> wrote:
> >>
> >>>
> >>> On 19.01.2017 15:56, Thorsten Hater wrote:
> >>>> The Problem arises due to a NULL deref in mail_namespaces.c line 601.
> >>>> Backtrace below
> >>>>
> >>>> x LIST "" ""
> >>>>
> >>>> Program received signal SIGSEGV, Segmentation fault.
> >>>> mail_namespaces_get_root_sep (namespaces=0x0) at mail-namespace.c:601
> >>>> 601 while ((namespaces->flags & NAMESPACE_FLAG_LIST_PREFIX) == 0)
> >>>> (gdb) bt
> >>>> #0  mail_namespaces_get_root_sep (namespaces=0x0) at
> >>> mail-namespace.c:601
> >>>> #1  0x000000000041164c in cmd_list_ref_root (ref=0x65b060 "",
> >>>> client=0x65a590) at cmd-list.c:324
> >>>> #2  cmd_list_full (cmd=0x65aee0, lsub=<optimized out>) at
> cmd-list.c:461
> >>>> #3  0x0000000000419825 in command_exec (cmd=cmd at entry=0x65aee0) at
> >>>> imap-commands.c:181
> >>>> #4  0x0000000000417de2 in client_command_input (cmd=cmd at entry
> =0x65aee0)
> >>> at
> >>>> imap-client.c:988
> >>>> #5  0x0000000000417e70 in client_command_input (cmd=0x65aee0) at
> >>>> imap-client.c:1048
> >>>> #6  0x00000000004181e5 in client_handle_next_command
> >>>> (remove_io_r=<synthetic pointer>, client=0x65a590) at
> imap-client.c:1090
> >>>> #7  client_handle_input (client=0x65a590) at imap-client.c:1102
> >>>> #8  0x0000000000418692 in client_input (client=0x65a590) at
> >>>> imap-client.c:1149
> >>>> #9  0x00007ffff76297ac in io_loop_call_io (io=0x652aa0) at
> ioloop.c:589
> >>>> #10 0x00007ffff762ab4a in io_loop_handler_run_internal
> >>>> (ioloop=ioloop at entry=0x63e7f0)
> >>>> at ioloop-epoll.c:222
> >>>> #11 0x00007ffff7629835 in io_loop_handler_run (ioloop=ioloop at entry
> >>> =0x63e7f0)
> >>>> at ioloop.c:637
> >>>> #12 0x00007ffff76299d8 in io_loop_run (ioloop=0x63e7f0) at
> ioloop.c:613
> >>>> #13 0x00007ffff75b9823 in master_service_run (service=0x63e690,
> >>>> callback=callback at entry=0x423d40 <client_connected>) at
> >>> master-service.c:641
> >>>> #14 0x000000000040c567 in main (argc=3, argv=0x63e390) at main.c:460
> >>>>
> >>>> On Thu, Jan 19, 2017 at 1:05 PM, Thorsten Hater <
> >>> thorsten.hater at gmail.com>
> >>>> wrote:
> >>>>
> >>>>> Dear all,
> >>>>>
> >>>>> I experience SegFaults in the imap binary on a LIST "" "" command,
> >>>>> as sent by Claws mail. Using LIST "" "INBOX" or similar is fine.
> >>>>> Here is an example telnet session
> >>>>>
> >>>>> $ telnet 127.0.0.1 143
> >>>>> Trying 127.0.0.1...
> >>>>> Connected to 127.0.0.1.
> >>>>> Escape character is '^]'.
> >>>>> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
> >>> IDLE
> >>>>> AUTH=PLAIN] Dovecot ready.
> >>>>> 01 LOGIN **** ****
> >>>>> 01 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
> ENABLE
> >>>>> IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS
> >>> THREAD=ORDEREDSUBJECT
> >>>>> MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS
> >>>>> LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES
> >>> WITHIN
> >>>>> CONTEXT=SEARCH LIST-STATUS BINARY MOVE SPECIAL-USE QUOTA] Logged in
> >>>>> 02 LIST "" ""
> >>>>> Connection closed by foreign host.
> >>>>>
> >>>>> In the log file
> >>>>>
> >>>>> dovecot[8375]: imap(***): Fatal: master: service(imap): child 15803
> >>> killed
> >>>>> with signal 11 (core dumps disabled)
> >>>>>
> >>>>> Please find the config below.
> >>>>>
> >>>>> Best regards,
> >>>>>  Thorsten
> >>>>>
> >>>>> $ doveconf -n
> >>>>> # 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
> >>>>> # Pigeonhole version 0.4.16 (1dc4c73)
> >>>>> # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6
> >>>>> auth_debug = yes
> >>>>> auth_debug_passwords = yes
> >>>>> auth_socket_path = /var/run/dovecot/auth-userdb
> >>>>> auth_verbose = yes
> >>>>> base_dir = /var/run/dovecot/
> >>>>> default_internal_user = pop
> >>>>> first_valid_uid = 48
> >>>>> import_environment = TZ DEBUG=1
> >>>>> last_valid_uid = 48
> >>>>> login_trusted_networks = ****
> >>>>> mail_debug = yes
> >>>>> mail_gid = pop
> >>>>> mail_plugins = " mail_log notify zlib quota"
> >>>>> mail_uid = pop
> >>>>> managesieve_notify_capability = mailto
> >>>>> managesieve_sieve_capability = fileinto reject envelope
> >>> encoded-character
> >>>>> vacation subaddress comparator-i;ascii-numeric relational regex
> >>> imap4flags
> >>>>> copy include variables body enotify environment mailbox date index
> >>> ihave
> >>>>> duplicate mime foreverypart extracttext
> >>>>> namespace inbox {
> >>>>>   inbox = yes
> >>>>>   list = children
> >>>>>   location =
> >>>>>   mailbox Drafts {
> >>>>>     auto = no
> >>>>>     special_use = \Drafts
> >>>>>   }
> >>>>>   mailbox Sent {
> >>>>>     auto = no
> >>>>>     special_use = \Sent
> >>>>>   }
> >>>>>   mailbox Trash {
> >>>>>     auto = no
> >>>>>     autoexpunge = 30 days
> >>>>>     special_use = \Trash
> >>>>>   }
> >>>>>   mailbox drafts {
> >>>>>     auto = no
> >>>>>     special_use = \Drafts
> >>>>>   }
> >>>>>   mailbox sent {
> >>>>>     auto = no
> >>>>>     special_use = \Sent
> >>>>>   }
> >>>>>   mailbox spamverdacht {
> >>>>>     auto = no
> >>>>>     autoexpunge = 30 days
> >>>>>     special_use = \Junk
> >>>>>   }
> >>>>>   mailbox trash {
> >>>>>     auto = no
> >>>>>     autoexpunge = 30 days
> >>>>>     special_use = \Trash
> >>>>>   }
> >>>>>   mailbox virenverdacht {
> >>>>>     auto = no
> >>>>>     autoexpunge = 30 days
> >>>>>     special_use = \Junk
> >>>>>   }
> >>>>>   prefix = INBOX.
> >>>>>   separator = .
> >>>>>   subscriptions = yes
> >>>>>   type = private
> >>>>> }
> >>>>> passdb {
> >>>>>   args = nopassword=y
> >>>>>   driver = static
> >>>>> }
> >>>>> plugin {
> >>>>>   last_login_dict = file:~/lastlogin
> >>>>>   mail_log_events = delete undelete expunge copy mailbox_delete
> >>>>> mailbox_rename
> >>>>>   mail_log_fields = uid box msgid size
> >>>>>   quota = maildir:User quota
> >>>>>   quota_warning = storage=80%% 80 %u %{userdb:quota_bytes}
> >>>>>   quota_warning2 = storage=90%% 90 %u %{userdb:quota_bytes}
> >>>>>   quota_warning3 = storage=95%% 95 %u %{userdb:quota_bytes}
> >>>>>   sieve = ldap:/etc/dovecot/pigeonhole-ldap.conf
> >>>>>   sieve_dir = ~/sieve
> >>>>>   sieve_plugins = sieve_storage_ldap
> >>>>>   zlib_save = gz
> >>>>>   zlib_save_level = 6
> >>>>> }
> >>>>> service imap {
> >>>>>   executable = imap postlogin
> >>>>> }
> >>>>> service pop3 {
> >>>>>   executable = pop3 postlogin
> >>>>> }
> >>>>> service postlogin {
> >>>>>   executable = script-login -d rawlog
> >>>>> }
> >>>>> service quota-warning {
> >>>>>   executable = script /bin/quota-warning.sh
> >>>>> }
> >>>>> ssl = no
> >>>>> userdb {
> >>>>>   args = /etc/dovecot/userdb-ldap.conf
> >>>>>   driver = ldap
> >>>>>   result_failure = return-fail
> >>>>>   result_internalfail = return-fail
> >>>>>   result_success = continue-ok
> >>>>> }
> >>>>> userdb {
> >>>>>   default_fields = quota_bytes=42M
> >>>>>   driver = bdb_quota
> >>>>>   override_fields = quota_rule=*:bytes=%{userdb:quota_bytes}
> >>>>>   result_failure = return-fail
> >>>>>   result_internalfail = return-fail
> >>>>>   result_success = continue-ok
> >>>>> }
> >>>>> verbose_proctitle = yes
> >>>>> protocol lda {
> >>>>>   auth_socket_path = /var/run/dovecot/auth-userdb
> >>>>>   mail_plugin_dir = /lib/dovecot/modules
> >>>>>   mail_plugins = " mail_log notify zlib quota sieve"
> >>>>> }
> >>>>> protocol imap {
> >>>>>   mail_plugins = " mail_log notify zlib quota imap_xauth last_login
> >>>>> imap_quota"
> >>>>> }
> >>>>> protocol pop3 {
> >>>>>   mail_plugins = " mail_log notify zlib quota last_login"
> >>>>> }
> >>>>>
> >>> Hi!
> >>>
> >>> We are looking into this crash.
> >>>
> >>> Are you intentionally setting inbox namespace location to empty?
> >>>
> >>> Aki
> >>>
> >>
>

More information about the dovecot mailing list