segmentation fault in fs_list_get_path
David M. Johnson
johnsond at flux.utah.edu
Sat Aug 3 21:22:34 EEST 2019
Hi,
There seems to be a straightforward bug in
src/lib-storage/list/mailbox-list-fs.c:79. set->index_dir is unchecked
prior to dereferencing (unlike on line 126 in the same file, where it is
properly checked). This manifested on a FreeBSD server running dovecot
2.3.6 when clients tried to retrieve mail with subscriptions like
`~/bar/baz`. This caused the `imap` child to crash, e.g. (slightly
anonymized)
Core was generated by `imap: [foo w.x.y.z EXAMINE]'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000000011593af4 in fs_list_get_path (_list=0x12444848,
name=0x12416880 "/home/foo/bar/baz", type=MAILBOX_LIST_PATH_TYPE_INDEX,
path_r=0x7fffffffe150) at mailbox-list-fs.c:79
79 *set->index_dir == '\0')
(gdb) bt
#0 0x0000000011593af4 in fs_list_get_path (_list=0x12444848,
name=0x12416880 "/home/foo/bar/baz", type=MAILBOX_LIST_PATH_TYPE_INDEX,
path_r=0x7fffffffe150) at mailbox-list-fs.c:79
#1 0x0000000011559dd0 in mbox_list_get_path (list=0x12444848,
name=0x124da410 "~/bar/baz", type=MAILBOX_LIST_PATH_TYPE_INDEX,
path_r=0x7fffffffe2c8) at mbox-storage.c:96
#2 0x000000001150ed0b in mailbox_list_get_path (list=0x12444848,
name=0x124da410 "~/bar/baz", type=MAILBOX_LIST_PATH_TYPE_INDEX,
path_r=0x7fffffffe2c8) at mailbox-list.c:1387
#3 0x00000000114f8aaf in get_path_to (box=0x124da048,
type=MAILBOX_LIST_PATH_TYPE_INDEX, internal_path=0x124da250,
path_r=0x7fffffffe2c8) at mail-storage.c:2662
#4 0x00000000114f89e9 in mailbox_get_path_to (box=0x124da048,
type=MAILBOX_LIST_PATH_TYPE_INDEX, path_r=0x7fffffffe2c8) at
mail-storage.c:2678
#5 0x00000000114f928c in mailbox_create_missing_dir (box=0x124da048,
type=MAILBOX_LIST_PATH_TYPE_INDEX) at mail-storage.c:2826
#6 0x00000000115cf049 in index_storage_mailbox_alloc_index
(box=0x124da048) at index-storage.c:243
#7 0x00000000115cf43f in index_storage_mailbox_open (box=0x124da048,
move_to_memory=false) at index-storage.c:297
#8 0x000000001155a715 in mbox_mailbox_open_finish (mbox=0x124da048,
move_to_memory=false) at mbox-storage.c:413
#9 0x000000001155a94b in mbox_mailbox_open_existing (mbox=0x124da048)
at mbox-storage.c:452
#10 0x0000000011559309 in mbox_mailbox_open (box=0x124da048) at
mbox-storage.c:489
#11 0x00000000115a446e in mailbox_list_index_open_mailbox
(box=0x124da048) at mailbox-list-index.c:720
#12 0x00000000114f43ed in mailbox_open_full (box=0x124da048, input=0x0)
at mail-storage.c:1294
#13 0x00000000114f4117 in mailbox_open (box=0x124da048) at
mail-storage.c:1350
#14 0x000000000103d788 in select_open (ctx=0x12443228,
mailbox=0x12416810 "~/bar/baz", readonly=true) at cmd-select.c:287
#15 0x000000000103d307 in cmd_select_full (cmd=0x12443048,
readonly=true) at cmd-select.c:415
#16 0x0000000001034afa in cmd_examine (cmd=0x12443048) at cmd-examine.c:8
#17 0x000000000104a520 in command_exec (cmd=0x12443048) at
imap-commands.c:201
#18 0x000000000104804e in client_command_input (cmd=0x12443048) at
imap-client.c:1164
#19 0x00000000010483cf in client_command_input (cmd=0x12443048) at
imap-client.c:1227
#20 0x00000000010469fc in client_handle_next_command (client=0x12442848,
remove_io_r=0x7fffffffe8c7) at imap-client.c:1269
#21 0x00000000010463c0 in client_handle_input (client=0x12442848) at
imap-client.c:1283
#22 0x0000000001044134 in client_input (client=0x12442848) at
imap-client.c:1329
#23 0x0000000011b6bd1c in io_loop_call_io (io=0x1244f240) at ioloop.c:703
#24 0x0000000011b6fc08 in io_loop_handler_run_internal
(ioloop=0x1242b0a0) at ioloop-kqueue.c:160
#25 0x0000000011b6c37e in io_loop_handler_run (ioloop=0x1242b0a0) at
ioloop.c:755
#26 0x0000000011b6c146 in io_loop_run (ioloop=0x1242b0a0) at ioloop.c:728
#27 0x0000000011a87dcb in master_service_run (service=0x12436000,
callback=0x1060080 <client_connected>) at master-service.c:781
#28 0x000000000105f870 in main (argc=1, argv=0x7fffffffeb20) at main.c:523
(gdb) p set->index_dir
$3 = 0x0
The following one-liner fixes the immediate problem (although I didn't
look closely to see what set->index_dir means in the context of
MAILBOX_LIST_PATH_TYPE_INDEX):
--- src/lib-storage/list/mailbox-list-fs.c~ 2019-04-30
06:25:06.000000000 -0600
+++ src/lib-storage/list/mailbox-list-fs.c 2019-08-02
16:23:57.254087000 -0600
@@ -76,6 +76,7 @@
if (mailbox_list_try_get_absolute_path(_list, &name)) {
if (type == MAILBOX_LIST_PATH_TYPE_INDEX &&
+ set->index_dir != NULL &&
*set->index_dir == '\0')
return 0;
*path_r = name;
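Review bot: The added `set->index_dir != NULL &&` guard in this hunk silently changes what a NULL `index_dir` means for absolute-path names: with the guard, NULL skips the `return 0` and falls through to `*path_r = name`, so the mailbox path itself gets used as the index path, whereas an empty string still yields no index path. Since the poster says the existing check on line 126 of the same file handles `index_dir` correctly, the fix should mirror that check's semantics (if NULL is meant to be treated like "" then the condition should be `set->index_dir == NULL || *set->index_dir == '\0'` instead), and a short note in the commit message explaining which of the two is intended would avoid the ambiguity the report itself admits to; a regression test that opens a mailbox by absolute path with no index directory configured would catch either regression.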
David