segmentation fault in fs_list_get_path

David M. Johnson johnsond at flux.utah.edu
Sat Aug 3 21:22:34 EEST 2019


Hi,

There seems to be a straightforward bug in 
src/lib-storage/list/mailbox-list-fs.c:79.  set->index_dir is unchecked 
prior to dereferencing (unlike on line 126 in the same file, where it is 
properly checked).  This manifested on a FreeBSD server running dovecot 
2.3.6 when clients tried to retrieve mail with subscriptions like 
`~/bar/baz`.  This caused the `imap` child to crash, e.g. (slightly 
anonymized)

Core was generated by `imap: [foo w.x.y.z EXAMINE]'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000011593af4 in fs_list_get_path (_list=0x12444848, name=0x12416880 "/home/foo/bar/baz", type=MAILBOX_LIST_PATH_TYPE_INDEX, path_r=0x7fffffffe150) at mailbox-list-fs.c:79
79                          *set->index_dir == '\0')
(gdb) bt
#0  0x0000000011593af4 in fs_list_get_path (_list=0x12444848, name=0x12416880 "/home/foo/bar/baz", type=MAILBOX_LIST_PATH_TYPE_INDEX, path_r=0x7fffffffe150) at mailbox-list-fs.c:79
#1  0x0000000011559dd0 in mbox_list_get_path (list=0x12444848, name=0x124da410 "~/bar/baz", type=MAILBOX_LIST_PATH_TYPE_INDEX, path_r=0x7fffffffe2c8) at mbox-storage.c:96
#2  0x000000001150ed0b in mailbox_list_get_path (list=0x12444848, name=0x124da410 "~/bar/baz", type=MAILBOX_LIST_PATH_TYPE_INDEX, path_r=0x7fffffffe2c8) at mailbox-list.c:1387
#3  0x00000000114f8aaf in get_path_to (box=0x124da048, type=MAILBOX_LIST_PATH_TYPE_INDEX, internal_path=0x124da250, path_r=0x7fffffffe2c8) at mail-storage.c:2662
#4  0x00000000114f89e9 in mailbox_get_path_to (box=0x124da048, type=MAILBOX_LIST_PATH_TYPE_INDEX, path_r=0x7fffffffe2c8) at mail-storage.c:2678
#5  0x00000000114f928c in mailbox_create_missing_dir (box=0x124da048, type=MAILBOX_LIST_PATH_TYPE_INDEX) at mail-storage.c:2826
#6  0x00000000115cf049 in index_storage_mailbox_alloc_index (box=0x124da048) at index-storage.c:243
#7  0x00000000115cf43f in index_storage_mailbox_open (box=0x124da048, move_to_memory=false) at index-storage.c:297
#8  0x000000001155a715 in mbox_mailbox_open_finish (mbox=0x124da048, move_to_memory=false) at mbox-storage.c:413
#9  0x000000001155a94b in mbox_mailbox_open_existing (mbox=0x124da048) at mbox-storage.c:452
#10 0x0000000011559309 in mbox_mailbox_open (box=0x124da048) at mbox-storage.c:489
#11 0x00000000115a446e in mailbox_list_index_open_mailbox (box=0x124da048) at mailbox-list-index.c:720
#12 0x00000000114f43ed in mailbox_open_full (box=0x124da048, input=0x0) at mail-storage.c:1294
#13 0x00000000114f4117 in mailbox_open (box=0x124da048) at mail-storage.c:1350
#14 0x000000000103d788 in select_open (ctx=0x12443228, mailbox=0x12416810 "~/bar/baz", readonly=true) at cmd-select.c:287
#15 0x000000000103d307 in cmd_select_full (cmd=0x12443048, readonly=true) at cmd-select.c:415
#16 0x0000000001034afa in cmd_examine (cmd=0x12443048) at cmd-examine.c:8
#17 0x000000000104a520 in command_exec (cmd=0x12443048) at imap-commands.c:201
#18 0x000000000104804e in client_command_input (cmd=0x12443048) at imap-client.c:1164
#19 0x00000000010483cf in client_command_input (cmd=0x12443048) at imap-client.c:1227
#20 0x00000000010469fc in client_handle_next_command (client=0x12442848, remove_io_r=0x7fffffffe8c7) at imap-client.c:1269
#21 0x00000000010463c0 in client_handle_input (client=0x12442848) at imap-client.c:1283
#22 0x0000000001044134 in client_input (client=0x12442848) at imap-client.c:1329
#23 0x0000000011b6bd1c in io_loop_call_io (io=0x1244f240) at ioloop.c:703
#24 0x0000000011b6fc08 in io_loop_handler_run_internal (ioloop=0x1242b0a0) at ioloop-kqueue.c:160
#25 0x0000000011b6c37e in io_loop_handler_run (ioloop=0x1242b0a0) at ioloop.c:755
#26 0x0000000011b6c146 in io_loop_run (ioloop=0x1242b0a0) at ioloop.c:728
#27 0x0000000011a87dcb in master_service_run (service=0x12436000, callback=0x1060080 <client_connected>) at master-service.c:781
#28 0x000000000105f870 in main (argc=1, argv=0x7fffffffeb20) at main.c:523
(gdb) p set->index_dir
$3 = 0x0

The following one-liner fixes the immediate problem (although I didn't 
look closely to see what set->index_dir means in the context of 
MAILBOX_LIST_PATH_TYPE_INDEX):

--- src/lib-storage/list/mailbox-list-fs.c~   2019-04-30 
06:25:06.000000000 -0600
+++ src/lib-storage/list/mailbox-list-fs.c    2019-08-02 
16:23:57.254087000 -0600
@@ -76,6 +76,7 @@

         if (mailbox_list_try_get_absolute_path(_list, &name)) {
                 if (type == MAILBOX_LIST_PATH_TYPE_INDEX &&
+                   set->index_dir != NULL &&
                     *set->index_dir == '\0')
                         return 0;
                 *path_r = name;
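Review bot: the added `set->index_dir != NULL &&` guard stops the NULL dereference shown at frame #0 (`p set->index_dir` prints `0x0`), but it also decides the semantics of the NULL case: instead of returning 0 as the empty-string case does, a NULL index_dir now falls through to `*path_r = name`, so the mailbox's absolute path (`/home/foo/bar/baz` in the trace) is handed back as the index directory. Since the poster says they did not check what index_dir means for MAILBOX_LIST_PATH_TYPE_INDEX, a maintainer should confirm whether NULL is meant to behave like `""` (no index path, `return 0;`) or like an unset value that falls through; the two choices produce different on-disk layouts. Worth stating in the commit message as well: the crash is reached from cmd_examine with a client-supplied mailbox name, so before this change any authenticated IMAP client could terminate its own imap process, which makes this a denial-of-service fix rather than only a robustness tweak, and mirrors the existing check the poster cites at line 126 of the same file.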

David
