Segfault on LIST Command

Aki Tuomi aki.tuomi at dovecot.fi
Mon Jan 23 10:05:03 UTC 2017


This is fixed in 2.2.27 with ddc96f7 lib-storage: Fixed error handling
in list=children checking

Aki

On 23.01.2017 12:00, Aki Tuomi wrote:
> Thank you for your report.
>
> Aki
>
> On 23.01.2017 11:56, Thorsten Hater wrote:
>> OK, I found the problem in my config. If I use a default namespace with an
>> empty name, instead of "inbox", it works as expected. Here is the log for
>> this case
>>
>> Starting program: /usr/local/libexec/dovecot/imap -u ****
>> imap(****): Debug: auth input: **** home=**** uid=48 gid=48
>> quota_rule=*:bytes=1000M
>> imap(****): Debug: Added userdb setting: plugin/quota_rule=*:bytes=1000M
>> Debug: Effective uid=48, gid=48, home=****
>> Debug: Namespace : type=private, prefix=INBOX., sep=., inbox=yes,
>> hidden=no, list=children, subscriptions=yes location=maildir:~/Maildir
>> Debug: maildir++: root=****/Maildir, index=, indexpvt=, control=,
>> inbox=****/Maildir, alt=
>> Debug: Namespace inbox: type=private, prefix=, sep=, inbox=no, hidden=no,
>> list=yes, subscriptions=yes location=maildir:~/Maildir
>> Debug: maildir++: root=****/Maildir, index=, indexpvt=, control=, inbox=,
>> alt=
>> * PREAUTH [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
>> IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT
>> MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS
>> LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN
>> CONTEXT=SEARCH LIST-STATUS BINARY MOVE] Logged in as ****
>> x LIST "" ""
>> * LIST (\Noselect) "." ""
>> x OK List completed (0.000 + 0.000 secs).
>>
>>
>>
>> On Mon, Jan 23, 2017 at 10:46 AM, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>>
>>> I'll try to reproduce this issue, but can you, in the meantime, run this
>>> with mail_debug=yes and provide logs?
>>>
>>> Aki
>>>
>>> On 23.01.2017 11:45, Thorsten Hater wrote:
>>>> Hi,
>>>>
>>>> I added the default location and stripped down my config to a very basic
>>>> level, dropping all plugins and database queries, see below. The segfault
>>>> still appears in the same location.
>>>> As I have built from source, I wonder whether you can reproduce the
>>>> problem?
>>>> Thorsten
>>>>
>>>> $  doveconf -n
>>>> # 2.2.26.0 (23d1de6): /usr/local/etc/dovecot/dovecot.conf
>>>> # Pigeonhole version 0.4.16 (1dc4c73)
>>>> # OS: Linux 3.18.16-intel-vm-64bit x86_64 Debian 8.6
>>>> auth_debug = yes
>>>> auth_debug_passwords = yes
>>>> auth_socket_path = /usr/local/var/run/dovecot/auth-userdb
>>>> auth_verbose = yes
>>>> base_dir = /usr/local/var/run/dovecot/
>>>> default_internal_user = pop
>>>> first_valid_uid = 48
>>>> import_environment = TZ DEBUG=1
>>>> last_valid_uid = 48
>>>> login_greeting = Dovecot ready.
>>>> login_trusted_networks = ****
>>>> mail_debug = yes
>>>> mail_gid = pop
>>>> mail_location = maildir:~/Maildir
>>>> mail_plugin_dir = /usr/local/lib/dovecot/
>>>> mail_uid = pop
>>>> managesieve_notify_capability = mailto
>>>> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
>>>> namespace inbox {
>>>>   inbox = yes
>>>>   list = children
>>>>   location = maildir:~/Maildir
>>>>   prefix = INBOX.
>>>>   separator = .
>>>>   subscriptions = yes
>>>>   type = private
>>>> }
>>>> passdb {
>>>>   args = nopassword=yes
>>>>   driver = static
>>>> }
>>>> protocols = imap pop3 lmtp imap pop3
>>>> ssl = no
>>>> userdb {
>>>>   args = home=**** uid=pop gid=pop quota_rule=*:bytes=1000M
>>>>   driver = static
>>>> }
>>>> verbose_proctitle = yes
>>>> protocol lda {
>>>>   auth_socket_path = /usr/local/var/run/dovecot/auth-userdb
>>>> }
>>>>
>>>>
>>>> On Mon, Jan 23, 2017 at 10:01 AM, Thorsten Hater <thorsten.hater at gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> thanks for picking this up. The location is pulled from the database, but
>>>>> is uniform for all users, so I could set it to maildir:~/Maildir globally.
>>>>> Assuming ~ is expanded later on with userdb data. So, no, there is no
>>>>> special intention behind this.
>>>>>
>>>>> Thorsten
>>>>>
>>>>> On Mon, Jan 23, 2017 at 9:37 AM, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>>>>>> On 19.01.2017 15:56, Thorsten Hater wrote:
>>>>>>> The Problem arises due to a NULL deref in mail_namespaces.c line 601.
>>>>>>> Backtrace below
>>>>>>>
>>>>>>> x LIST "" ""
>>>>>>>
>>>>>>> Program received signal SIGSEGV, Segmentation fault.
>>>>>>> mail_namespaces_get_root_sep (namespaces=0x0) at mail-namespace.c:601
>>>>>>> 601 while ((namespaces->flags & NAMESPACE_FLAG_LIST_PREFIX) == 0)
>>>>>>> (gdb) bt
>>>>>>> #0  mail_namespaces_get_root_sep (namespaces=0x0) at mail-namespace.c:601
>>>>>>> #1  0x000000000041164c in cmd_list_ref_root (ref=0x65b060 "", client=0x65a590) at cmd-list.c:324
>>>>>>> #2  cmd_list_full (cmd=0x65aee0, lsub=<optimized out>) at cmd-list.c:461
>>>>>>> #3  0x0000000000419825 in command_exec (cmd=cmd@entry=0x65aee0) at imap-commands.c:181
>>>>>>> #4  0x0000000000417de2 in client_command_input (cmd=cmd@entry=0x65aee0) at imap-client.c:988
>>>>>>> #5  0x0000000000417e70 in client_command_input (cmd=0x65aee0) at imap-client.c:1048
>>>>>>> #6  0x00000000004181e5 in client_handle_next_command (remove_io_r=<synthetic pointer>, client=0x65a590) at imap-client.c:1090
>>>>>>> #7  client_handle_input (client=0x65a590) at imap-client.c:1102
>>>>>>> #8  0x0000000000418692 in client_input (client=0x65a590) at imap-client.c:1149
>>>>>>> #9  0x00007ffff76297ac in io_loop_call_io (io=0x652aa0) at ioloop.c:589
>>>>>>> #10 0x00007ffff762ab4a in io_loop_handler_run_internal (ioloop=ioloop@entry=0x63e7f0) at ioloop-epoll.c:222
>>>>>>> #11 0x00007ffff7629835 in io_loop_handler_run (ioloop=ioloop@entry=0x63e7f0) at ioloop.c:637
>>>>>>> #12 0x00007ffff76299d8 in io_loop_run (ioloop=0x63e7f0) at ioloop.c:613
>>>>>>> #13 0x00007ffff75b9823 in master_service_run (service=0x63e690, callback=callback@entry=0x423d40 <client_connected>) at master-service.c:641
>>>>>>> #14 0x000000000040c567 in main (argc=3, argv=0x63e390) at main.c:460
>>>>>>>
>>>>>>> On Thu, Jan 19, 2017 at 1:05 PM, Thorsten Hater <thorsten.hater at gmail.com> wrote:
>>>>>>>
>>>>>>>> Dear all,
>>>>>>>>
>>>>>>>> I experience SegFaults in the imap binary on a LIST "" "" command,
>>>>>>>> as sent by Claws mail. Using LIST "" "INBOX" or similar is fine.
>>>>>>>> Here is an example telnet session
>>>>>>>>
>>>>>>>> $ telnet 127.0.0.1 143
>>>>>>>> Trying 127.0.0.1...
>>>>>>>> Connected to 127.0.0.1.
>>>>>>>> Escape character is '^]'.
>>>>>>>> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
>>>>>>>> 01 LOGIN **** ****
>>>>>>>> 01 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SPECIAL-USE QUOTA] Logged in
>>>>>>>> 02 LIST "" ""
>>>>>>>> Connection closed by foreign host.
>>>>>>>>
>>>>>>>> In the log file
>>>>>>>>
>>>>>>>> dovecot[8375]: imap(***): Fatal: master: service(imap): child 15803 killed with signal 11 (core dumps disabled)
>>>>>>>>
>>>>>>>> Please find the config below.
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>>  Thorsten
>>>>>>>>
>>>>>>>> $ doveconf -n
>>>>>>>> # 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
>>>>>>>> # Pigeonhole version 0.4.16 (1dc4c73)
>>>>>>>> # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6
>>>>>>>> auth_debug = yes
>>>>>>>> auth_debug_passwords = yes
>>>>>>>> auth_socket_path = /var/run/dovecot/auth-userdb
>>>>>>>> auth_verbose = yes
>>>>>>>> base_dir = /var/run/dovecot/
>>>>>>>> default_internal_user = pop
>>>>>>>> first_valid_uid = 48
>>>>>>>> import_environment = TZ DEBUG=1
>>>>>>>> last_valid_uid = 48
>>>>>>>> login_trusted_networks = ****
>>>>>>>> mail_debug = yes
>>>>>>>> mail_gid = pop
>>>>>>>> mail_plugins = " mail_log notify zlib quota"
>>>>>>>> mail_uid = pop
>>>>>>>> managesieve_notify_capability = mailto
>>>>>>>> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
>>>>>>>> namespace inbox {
>>>>>>>>   inbox = yes
>>>>>>>>   list = children
>>>>>>>>   location =
>>>>>>>>   mailbox Drafts {
>>>>>>>>     auto = no
>>>>>>>>     special_use = \Drafts
>>>>>>>>   }
>>>>>>>>   mailbox Sent {
>>>>>>>>     auto = no
>>>>>>>>     special_use = \Sent
>>>>>>>>   }
>>>>>>>>   mailbox Trash {
>>>>>>>>     auto = no
>>>>>>>>     autoexpunge = 30 days
>>>>>>>>     special_use = \Trash
>>>>>>>>   }
>>>>>>>>   mailbox drafts {
>>>>>>>>     auto = no
>>>>>>>>     special_use = \Drafts
>>>>>>>>   }
>>>>>>>>   mailbox sent {
>>>>>>>>     auto = no
>>>>>>>>     special_use = \Sent
>>>>>>>>   }
>>>>>>>>   mailbox spamverdacht {
>>>>>>>>     auto = no
>>>>>>>>     autoexpunge = 30 days
>>>>>>>>     special_use = \Junk
>>>>>>>>   }
>>>>>>>>   mailbox trash {
>>>>>>>>     auto = no
>>>>>>>>     autoexpunge = 30 days
>>>>>>>>     special_use = \Trash
>>>>>>>>   }
>>>>>>>>   mailbox virenverdacht {
>>>>>>>>     auto = no
>>>>>>>>     autoexpunge = 30 days
>>>>>>>>     special_use = \Junk
>>>>>>>>   }
>>>>>>>>   prefix = INBOX.
>>>>>>>>   separator = .
>>>>>>>>   subscriptions = yes
>>>>>>>>   type = private
>>>>>>>> }
>>>>>>>> passdb {
>>>>>>>>   args = nopassword=y
>>>>>>>>   driver = static
>>>>>>>> }
>>>>>>>> plugin {
>>>>>>>>   last_login_dict = file:~/lastlogin
>>>>>>>>   mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
>>>>>>>>   mail_log_fields = uid box msgid size
>>>>>>>>   quota = maildir:User quota
>>>>>>>>   quota_warning = storage=80%% 80 %u %{userdb:quota_bytes}
>>>>>>>>   quota_warning2 = storage=90%% 90 %u %{userdb:quota_bytes}
>>>>>>>>   quota_warning3 = storage=95%% 95 %u %{userdb:quota_bytes}
>>>>>>>>   sieve = ldap:/etc/dovecot/pigeonhole-ldap.conf
>>>>>>>>   sieve_dir = ~/sieve
>>>>>>>>   sieve_plugins = sieve_storage_ldap
>>>>>>>>   zlib_save = gz
>>>>>>>>   zlib_save_level = 6
>>>>>>>> }
>>>>>>>> service imap {
>>>>>>>>   executable = imap postlogin
>>>>>>>> }
>>>>>>>> service pop3 {
>>>>>>>>   executable = pop3 postlogin
>>>>>>>> }
>>>>>>>> service postlogin {
>>>>>>>>   executable = script-login -d rawlog
>>>>>>>> }
>>>>>>>> service quota-warning {
>>>>>>>>   executable = script /bin/quota-warning.sh
>>>>>>>> }
>>>>>>>> ssl = no
>>>>>>>> userdb {
>>>>>>>>   args = /etc/dovecot/userdb-ldap.conf
>>>>>>>>   driver = ldap
>>>>>>>>   result_failure = return-fail
>>>>>>>>   result_internalfail = return-fail
>>>>>>>>   result_success = continue-ok
>>>>>>>> }
>>>>>>>> userdb {
>>>>>>>>   default_fields = quota_bytes=42M
>>>>>>>>   driver = bdb_quota
>>>>>>>>   override_fields = quota_rule=*:bytes=%{userdb:quota_bytes}
>>>>>>>>   result_failure = return-fail
>>>>>>>>   result_internalfail = return-fail
>>>>>>>>   result_success = continue-ok
>>>>>>>> }
>>>>>>>> verbose_proctitle = yes
>>>>>>>> protocol lda {
>>>>>>>>   auth_socket_path = /var/run/dovecot/auth-userdb
>>>>>>>>   mail_plugin_dir = /lib/dovecot/modules
>>>>>>>>   mail_plugins = " mail_log notify zlib quota sieve"
>>>>>>>> }
>>>>>>>> protocol imap {
>>>>>>>>   mail_plugins = " mail_log notify zlib quota imap_xauth last_login imap_quota"
>>>>>>>> }
>>>>>>>> protocol pop3 {
>>>>>>>>   mail_plugins = " mail_log notify zlib quota last_login"
>>>>>>>> }
>>>>>>>>
>>>>>> Hi!
>>>>>>
>>>>>> We are looking into this crash.
>>>>>>
>>>>>> Are you intentionally setting inbox namespace location to empty?
>>>>>>
>>>>>> Aki
>>>>>>
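
The fault in frame #0 of the backtrace above, as an added example that is not part of the thread and is not Dovecot's code or the ddc96f7 change: a simplified model of the namespace walk beside a bounded version that reports a missing list=yes namespace instead of dereferencing NULL. The struct, the flag values, the names `root_sep_unguarded` and `root_sep_checked`, and the sample lists are constructed for illustration; it assumes list=yes maps to `NAMESPACE_FLAG_LIST_PREFIX` and list=children does not.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not Dovecot's struct. Assumption: list=yes sets
 * LIST_PREFIX and list=children sets only LIST_CHILDREN. */
enum { NAMESPACE_FLAG_LIST_PREFIX = 0x01, NAMESPACE_FLAG_LIST_CHILDREN = 0x02 };

struct ns {
    const char *prefix;
    char sep;
    unsigned int flags;
    const struct ns *next;
};

/* Loop shape from line 601 in the backtrace: it only terminates safely if
 * some entry has LIST_PREFIX; otherwise it dereferences the NULL tail. */
char root_sep_unguarded(const struct ns *n)
{
    while ((n->flags & NAMESPACE_FLAG_LIST_PREFIX) == 0)
        n = n->next;
    return n->sep;
}

/* Bounded walk: 0 and *sep_r set on success, -1 if no list=yes entry. */
int root_sep_checked(const struct ns *n, char *sep_r)
{
    for (; n != NULL; n = n->next) {
        if ((n->flags & NAMESPACE_FLAG_LIST_PREFIX) != 0) {
            *sep_r = n->sep;
            return 0;
        }
    }
    return -1;
}

/* Constructed sample lists mirroring the two configurations in the thread. */
const struct ns root_ns = { "", '.', NAMESPACE_FLAG_LIST_PREFIX, NULL };
const struct ns only_children = { "INBOX.", '.', NAMESPACE_FLAG_LIST_CHILDREN, NULL };
const struct ns children_then_root = { "INBOX.", '.', NAMESPACE_FLAG_LIST_CHILDREN, &root_ns };

int main(void)
{
    char sep = '?';
    int rc = root_sep_checked(&only_children, &sep);
    printf("list=children only: rc=%d (unguarded walk would fault)\n", rc);
    rc = root_sep_checked(&children_then_root, &sep);
    printf("with list=yes root: rc=%d sep=%c unguarded=%c\n", rc, sep,
           root_sep_unguarded(&children_then_root));
    return 0;
}
```

The unguarded function is only called on the list that contains a list=yes entry; on `only_children` it would reproduce the SIGSEGV pattern from the report.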


