dovecot - Jun 2012 - 2.0.19 segfault

Hi,

after the upgrade from dovecot 2.0.13 (ubuntu oneiric) to dovecot 2.0.19 
(ubuntu precise), in my logs I have a lot of these errors:

Jun 23 00:20:29 server1 dovecot: master: Error: service(imap-login): 
child 6714 killed with signal 11 (core dumps disabled)

I tested 2.0.21 and the problem is still here. The problem seems to 
appear only when the client is ms outlook, thunderbird works fine

Here is the captured trace (I hope this is enough and I don't need to 
install debug symbols for everythings):

Core was generated by `dovecot/imap-login -D'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f4d01c1a031 in RC4 () from 
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
(gdb) bt full
#0  0x00007f4d01c1a031 in RC4 () from 
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
No symbol table info available.
#1  0x0000000000000134 in ?? ()
No symbol table info available.
#2  0x00000000000000cd in ?? ()
No symbol table info available.
#3  0x00007f4d03e97470 in ?? ()
No symbol table info available.
#4  0x00007f4d01c80629 in ?? () from 
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
No symbol table info available.
#5  0x00007f4d01f82bcf in ?? () from /lib/x86_64-linux-gnu/libssl.so.1.0.0
No symbol table info available.
#6  0x00007f4d01f79e04 in ?? () from /lib/x86_64-linux-gnu/libssl.so.1.0.0
No symbol table info available.
#7  0x00007f4d01f7a134 in ?? () from /lib/x86_64-linux-gnu/libssl.so.1.0.0
No symbol table info available.
#8  0x00007f4d027fed6f in ssl_write (proxy=0x7f4d03e7c0a0)
     at ssl-proxy-openssl.c:499
         ret = <optimized out>
#9  0x00007f4d027fee68 in plain_read (proxy=0x7f4d03e7c0a0)
     at ssl-proxy-openssl.c:308
         ret = <optimized out>
         corked = true
---Type <return> to continue, or q <return> to quit---
#10 0x00007f4d025b5c98 in io_loop_call_io (io=0x7f4d03e84b10) at 
ioloop.c:384
         ioloop = 0x7f4d03e3e680
         t_id = 2
#11 0x00007f4d025b6d27 in io_loop_handler_run (ioloop=<optimized out>)
     at ioloop-epoll.c:213
         ctx = 0x7f4d03e505a0
         events = 0x6579351d
         event = 0x7f4d03e50610
         list = 0x7f4d03e93690
         io = <optimized out>
         tv = {tv_sec = 59, tv_usec = 999832}
         msecs = <optimized out>
         ret = 1
         i = <optimized out>
         call = <optimized out>
#12 0x00007f4d025b5c28 in io_loop_run (ioloop=0x7f4d03e3e680) at 
ioloop.c:405
No locals.
#13 0x00007f4d025a3e33 in master_service_run (service=0x7f4d03e3e550,
     callback=<optimized out>) at master-service.c:481
No locals.
#14 0x00007f4d027f7cc2 in main (argc=2, argv=0x7f4d03e3e370) at main.c:371
         set_pool = 0x7f4d03e3e880
         allow_core_dumps = <optimized out>
---Type <return> to continue, or q <return> to quit---
         login_socket = 0x7f4d02800763 "login"
         c = <optimized out>
#15 0x00007f4d021d676d in __libc_start_main ()
    from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#16 0x00007f4d02c2d5a9 in _start ()
No symbol table info available.

Nicola

Il 23/06/2012 22:39, Mailing List SVR ha scritto:
> Hi,
>
> after the upgrade from dovecot 2.0.13 (ubuntu oneiric) to dovecot 
> 2.0.19 (ubuntu precise), in my logs I have a lot of these errors:
>
> Jun 23 00:20:29 server1 dovecot: master: Error: service(imap-login): 
> child 6714 killed with signal 11 (core dumps disabled)
>
> I tested 2.0.21 and the problem is still here. The problem seems to 
> appear only when the client is ms outlook, thunderbird works fine
>
> Here is the captured trace (I hope this is enough and I don't need to 
> install debug symbols for everythings):
>
> Core was generated by `dovecot/imap-login -D'.
> Program terminated with signal 11, Segmentation fault.
> #0  0x00007f4d01c1a031 in RC4 () from 
> /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
> (gdb) bt full
> #0  0x00007f4d01c1a031 in RC4 () from 
> /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
> No symbol table info available.
> #1  0x0000000000000134 in ?? ()
> No symbol table info available.
> #2  0x00000000000000cd in ?? ()
> No symbol table info available.
> #3  0x00007f4d03e97470 in ?? ()
> No symbol table info available.
> #4  0x00007f4d01c80629 in ?? () from 
> /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
> No symbol table info available.
> #5  0x00007f4d01f82bcf in ?? () from 
> /lib/x86_64-linux-gnu/libssl.so.1.0.0
> No symbol table info available.
> #6  0x00007f4d01f79e04 in ?? () from 
> /lib/x86_64-linux-gnu/libssl.so.1.0.0
> No symbol table info available.
> #7  0x00007f4d01f7a134 in ?? () from 
> /lib/x86_64-linux-gnu/libssl.so.1.0.0
> No symbol table info available.
> #8  0x00007f4d027fed6f in ssl_write (proxy=0x7f4d03e7c0a0)
>     at ssl-proxy-openssl.c:499
>         ret = <optimized out>
> #9  0x00007f4d027fee68 in plain_read (proxy=0x7f4d03e7c0a0)
>     at ssl-proxy-openssl.c:308
>         ret = <optimized out>
>         corked = true
> ---Type <return> to continue, or q <return> to quit---
> #10 0x00007f4d025b5c98 in io_loop_call_io (io=0x7f4d03e84b10) at 
> ioloop.c:384
>         ioloop = 0x7f4d03e3e680
>         t_id = 2
> #11 0x00007f4d025b6d27 in io_loop_handler_run (ioloop=<optimized
out>)
>     at ioloop-epoll.c:213
>         ctx = 0x7f4d03e505a0
>         events = 0x6579351d
>         event = 0x7f4d03e50610
>         list = 0x7f4d03e93690
>         io = <optimized out>
>         tv = {tv_sec = 59, tv_usec = 999832}
>         msecs = <optimized out>
>         ret = 1
>         i = <optimized out>
>         call = <optimized out>
> #12 0x00007f4d025b5c28 in io_loop_run (ioloop=0x7f4d03e3e680) at 
> ioloop.c:405
> No locals.
> #13 0x00007f4d025a3e33 in master_service_run (service=0x7f4d03e3e550,
>     callback=<optimized out>) at master-service.c:481
> No locals.
> #14 0x00007f4d027f7cc2 in main (argc=2, argv=0x7f4d03e3e370) at 
> main.c:371
>         set_pool = 0x7f4d03e3e880
>         allow_core_dumps = <optimized out>
> ---Type <return> to continue, or q <return> to quit---
>         login_socket = 0x7f4d02800763 "login"
>         c = <optimized out>
> #15 0x00007f4d021d676d in __libc_start_main ()
>    from /lib/x86_64-linux-gnu/libc.so.6
> No symbol table info available.
> #16 0x00007f4d02c2d5a9 in _start ()
> No symbol table info available.
>
> Nicola
>
Here is a more detailed trace,

Core was generated by `dovecot/imap-login -D'.
Program terminated with signal 11, Segmentation fault.
#0  RC4 () at rc4-x86_64.s:343
343    rc4-x86_64.s: File o directory non esistente.
(gdb) bt full
#0  RC4 () at rc4-x86_64.s:343
No locals.
#1  0x0000000000000134 in ?? ()
No symbol table info available.
#2  0x00000000000000cd in ?? ()
No symbol table info available.
#3  0x00007f4d03e97470 in ?? ()
No symbol table info available.
#4  0x00007f4d01c80629 in rc4_hmac_md5_cipher (ctx=<optimized out>,
     out=0x7f4d03e8d0b8 
"\314V\347\335Lc\024\205\221'?\006\177\313\326?\313\317\303c\266\360\347\364\263\242\316z\326\307\320\303?\242`\303\321?\313?\177\315\305\313?\320\307u\307\320\320\303\316?z?\307\314\303\300\316v\242\313\306\316?\321c\030T
SORT=DISPLAY\301\021\222RC\005D=R\244\237T\342\004\"\020ES 
TH\003\246AD=\247\032FS 
\351ULTIA&\315\025N8\032\341\255\364EZ\376\236\062 
CHILDREN\\\b{\250\240\255PACE U\216\331\nLUS LIST-EXTENDED I18NLEVEL=h 
CO"...,
     in=<optimized out>, len=0) at e_rc4_hmac_md5.c:163
         key = 0x1a
         rc4_off = 139968754799079
         md5_off = <optimized out>
         blocks = <optimized out>
         l = <optimized out>
         plen = <optimized out>
#5  0x00007f4d01f82bcf in tls1_enc (s=0x7f4d03e7b700, send=1) at 
t1_enc.c:828
---Type <return> to continue, or q <return> to quit---
         rec = 0x7f4d03e7bcb8
         ds = 0x7f4d03e95cf0
         l = 308
         bs = 1
         i = <optimized out>
         ii = <optimized out>
         j = <optimized out>
         k = <optimized out>
         pad = <optimized out>
         enc = 0x7f4d01f4eae0
#6  0x00007f4d01f79e04 in do_ssl3_write (s=0x7f4d03e7b700, type=23,
     buf=0x7f4d03e7c514 "A0 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR 
LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES 
THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS 
LIST-EXTENDED I18NLEVEL=1 CO"..., len=292,
     create_empty_fragment=0) at s3_pkt.c:815
         p = <optimized out>
         plen = 0x7f4d03e8d0b6 ""
         i = <optimized out>
         mac_size = 0
         clear = <optimized out>
         prefix_len = <optimized out>
         eivlen = <optimized out>
         align = <optimized out>
---Type <return> to continue, or q <return> to quit---
         wr = 0x7f4d03e7bcb8
         wb = 0x7f4d03e7bc68
         sess = <optimized out>
#7  0x00007f4d01f7a134 in ssl3_write_bytes (s=0x7f4d03e7b700, type=23,
     buf_=0x7f4d03e7c514, len=<optimized out>) at s3_pkt.c:605
         buf = 0x7f4d03e7c514 "A0 OK [CAPABILITY IMAP4rev1 LITERAL+ 
SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY 
THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE 
UIDPLUS LIST-EXTENDED I18NLEVEL=1 CO"...
         tot = 0
         n = 292
         nw = <optimized out>
         i = <optimized out>
#8  0x00007f4d027fed6f in ssl_write (proxy=0x7f4d03e7c0a0)
     at ssl-proxy-openssl.c:499
         ret = <optimized out>
#9  0x00007f4d027fee68 in plain_read (proxy=0x7f4d03e7c0a0)
     at ssl-proxy-openssl.c:308
         ret = <optimized out>
         corked = true
#10 0x00007f4d025b5c98 in io_loop_call_io (io=0x7f4d03e84b10) at 
ioloop.c:384
         ioloop = 0x7f4d03e3e680
         t_id = 2
#11 0x00007f4d025b6d27 in io_loop_handler_run (ioloop=<optimized out>)
---Type <return> to continue, or q <return> to quit---
     at ioloop-epoll.c:213
         ctx = 0x7f4d03e505a0
         events = 0x6579351d
         event = 0x7f4d03e50610
         list = 0x7f4d03e93690
         io = <optimized out>
         tv = {tv_sec = 59, tv_usec = 999832}
         msecs = <optimized out>
         ret = 1
         i = <optimized out>
         call = <optimized out>
#12 0x00007f4d025b5c28 in io_loop_run (ioloop=0x7f4d03e3e680) at 
ioloop.c:405
No locals.
#13 0x00007f4d025a3e33 in master_service_run (service=0x7f4d03e3e550,
     callback=<optimized out>) at master-service.c:481
No locals.
#14 0x00007f4d027f7cc2 in main (argc=2, argv=0x7f4d03e3e370) at main.c:371
         set_pool = 0x7f4d03e3e880
         allow_core_dumps = <optimized out>
         login_socket = 0x7f4d02800763 "login"
         c = <optimized out>
#15 0x00007f4d021d676d in __libc_start_main (main=0x7f4d027f7a60 <main>,
     argc=2, ubp_av=0x7fff37290a68, init=<optimized out>, 
fini=<optimized out>,
---Type <return> to continue, or q <return> to quit---
     rtld_fini=<optimized out>, stack_end=0x7fff37290a58) at 
libc-start.c:226
         result = <optimized out>
         unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 
-1085834845464457622,
                 139968735532416, 140734118824544, 0, 0, 
1085429787565592170,
                 1041548453329079914}, mask_was_saved = 0}}, priv = {pad = {
               0x0, 0x0, 0x7fff37290a80, 0x1}, data = {prev = 0x0,
               cleanup = 0x0, canceltype = 925436544}}}
         not_first_call = <optimized out>
#16 0x00007f4d02c2d5a9 in _start ()

Nicola

On Sat, 2012-06-23 at 22:39 +0200, Mailing List SVR wrote:
> after the upgrade from dovecot 2.0.13 (ubuntu oneiric) to dovecot 2.0.19 
> (ubuntu precise), in my logs I have a lot of these errors:
> 
> Jun 23 00:20:29 server1 dovecot: master: Error: service(imap-login): 
> child 6714 killed with signal 11 (core dumps disabled)
> 
> I tested 2.0.21 and the problem is still here. The problem seems to 
> appear only when the client is ms outlook, thunderbird works fine
Looks to me more like OpenSSL library bug. The only reason why it could
be Dovecot bug is if Dovecot is causing memory corruption. Could you run
imap-login via valgrind to see if this is the case?

service imap-login {
  executable = /usr/bin/valgrind -q --vgdb=no
/usr/local/libexec/dovecot/imap-login
  chroot }

Also have you changed any ssl-related settings in dovecot.conf?

Il 24/06/2012 00:05, Timo Sirainen ha scritto:
> On Sat, 2012-06-23 at 22:39 +0200, Mailing List SVR wrote:
>
>> after the upgrade from dovecot 2.0.13 (ubuntu oneiric) to dovecot
2.0.19
>> (ubuntu precise), in my logs I have a lot of these errors:
>>
>> Jun 23 00:20:29 server1 dovecot: master: Error: service(imap-login):
>> child 6714 killed with signal 11 (core dumps disabled)
>>
>> I tested 2.0.21 and the problem is still here. The problem seems to
>> appear only when the client is ms outlook, thunderbird works fine
> Looks to me more like OpenSSL library bug. The only reason why it could
> be Dovecot bug is if Dovecot is causing memory corruption. Could you run
> imap-login via valgrind to see if this is the case?
>
> service imap-login {
>    executable = /usr/bin/valgrind -q --vgdb=no
/usr/local/libexec/dovecot/imap-login
>    chroot > }
>
> Also have you changed any ssl-related settings in dovecot.conf?
>
attached my complete configuration, I hope there is a mistake in my config

I looked at the code and there was no relevant change from dovecot 
2.0.13 and dovecot 2.0.19, upgrading between ubuntu releases updated 
openssl too and this could be the problem,

however is not clear to me while imap over ssl works fine with 
thunderdird and I see the crash in the logs for customers that seems to 
use ms outlook,

Nicola
>

-------------- next part --------------
# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-25-generic x86_64 Ubuntu 12.04 LTS ext4
auth_cache_size = 10 M
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-userdb
auth_worker_max_count = 128
base_dir = /var/run/dovecot/
default_process_limit = 200
disable_plaintext_auth = no
first_valid_gid = 2000
first_valid_uid = 2000
hostname = mail.svrinformatica.it
last_valid_gid = 2000
last_valid_uid = 2000
listen = *
login_greeting = SVR ready.
mail_location = maildir:/srv/panel/mail/%d/%t/Maildir
mail_plugins = " quota trash autocreate"
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy
include variables body enotify environment mailbox date ihave
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  autocreate = Trash
  autocreate2 = Junk
  autocreate3 = Drafts
  autocreate4 = Sent
  autosubscribe = Trash
  autosubscribe2 = Junk
  autosubscribe3 = Drafts
  autosubscribe4 = Sent
  quota = maildir:User quota
  quota_rule = *:storage=300MB
  quota_rule2 = Trash:ignore
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
  sieve = ~/.dovecot.sieve
  sieve_before = /etc/dovecot/sieve/move-spam.sieve
  sieve_dir = ~/sieve
  sieve_max_actions = 32
  sieve_max_redirects = 4
  sieve_max_script_size = 1M
  sieve_quota_max_scripts = 10
  sieve_quota_max_storage = 2M
  trash = /etc/dovecot/dovecot-trash.conf.ext
}
postmaster_address = postmaster at svrinformatica.it
protocols = imap pop3 sieve
service auth-worker {
  user = $default_internal_user
}
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
    group = vmail
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
  user = $default_internal_user
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
service quota-warning {
  executable = script
/srv/panel/django/systemcp/systemutils/mail/quota-warning.py
  unix_listener quota-warning {
    user = vmail
  }
  user = dovecot
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_cipher_list =
ALL:!LOW:!SSLv2:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lda {
  mail_plugins = " quota trash autocreate sieve"
}
protocol imap {
  imap_client_workarounds = delay-newmail
  mail_max_userip_connections = 10
  mail_plugins = " quota trash autocreate imap_quota"
}
protocol sieve {
  mail_max_userip_connections = 10
  mail_plugins = " quota trash autocreate"
  managesieve_max_compile_errors = 5
}
protocol pop3 {
  mail_max_userip_connections = 10
  mail_plugins = " quota trash autocreate"
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}

On 6/23/2012 3:27 PM, Mailing List SVR wrote:
> I looked at the code and there was no relevant change from dovecot
> 2.0.13 and dovecot 2.0.19, upgrading between ubuntu releases updated
> openssl too and this could be the problem,
>
> however is not clear to me while imap over ssl works fine with
> thunderdird and I see the crash in the logs for customers that seems to
> use ms outlook,
There have been many interactions between OpenSSL (and some other SSL 
implementations) and some versions of schannel.dll (the system library 
responsible for SSL connections, used by Outlook and Internet Explorer, 
amongst other tools).

M$ has released hotfixes addressing various problems in schannel.dll in 
the past, such as: http://support.microsoft.com/kb/933430

There is a fair bit of write-up online about how to configure your SSL 
servers to avoid problematic ciphers and socket configurations that help 
you avoid tripping over most of the bugs.

For example: http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#msie

Whenever SSL is involved in the transaction process, always include it 
in your debug process as SSL negotiation is non-trivial and has been 
often fraught with some peril.

=R=