Doug Henderson
2012-Feb-24 22:49 UTC
[Dovecot] v2.0.13 problems after kernel patch for CVE-2011-1083 applied on Centos 5
Greetings,

This email is both a request for assistance/help and a heads-up.

[8irgehuq] CVE-2011-1083: Algorithmic denial of service in epoll.

After ksplice automatically installed the above patch on our mail servers, most/all IMAP/POP3 connections began experiencing time-outs trying to connect, or extreme timeouts in the auth procedure.

dovecot: imap-login: Disconnected (no auth attempts): rip=a.a.a.a, lip=b.b.b.b, TLS handshaking: Disconnected
dovecot: pop3-login: Disconnected (no auth attempts): rip=a.a.a.a, lip=b.b.b.b, TLS handshaking: Disconnected

dovecot: pop3-login: Panic: epoll_ctl(add, 6) failed: Invalid argument
dovecot: pop3-login: Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0 [0x3cb543baa0] -> /usr/lib64/dovecot/libdovecot.so.0 [0x3cb543baf6] -> /usr/lib64/dovecot/libdovecot.so.0 [0x3cb543afb3] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handle_add+0x118) [0x3cb5447708] -> /usr/lib64/dovecot/libdovecot.so.0(io_add+0xa5) [0x3cb5446e15] -> /usr/lib64/dovecot/libdovecot.so.0(master_service_init_finish+0x1c6) [0x3cb54355a6] -> /usr/lib64/dovecot/libdovecot-login.so.0(main+0x136) [0x37a000bdf6] -> /lib64/libc.so.6(__libc_start_main+0xf4) [0x3cb301d994] -> dovecot/pop3-login(main+0x49) [0x401b99]
dovecot: master: Error: service(pop3-login): child 27603 killed with signal 6 (core not dumped - add -D parameter to service pop3-login { executable }
dovecot: master: Error: service(pop3-login): command startup failed, throttling

dovecot: imap-login: Panic: epoll_ctl(add, 6) failed: Invalid argument
dovecot: imap-login: Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0 [0x3cb543baa0] -> /usr/lib64/dovecot/libdovecot.so.0 [0x3cb543baf6] -> /usr/lib64/dovecot/libdovecot.so.0 [0x3cb543afb3] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handle_add+0x118) [0x3cb5447708] -> /usr/lib64/dovecot/libdovecot.so.0(io_add+0xa5) [0x3cb5446e15] -> /usr/lib64/dovecot/libdovecot.so.0(master_service_init_finish+0x1c6) [0x3cb54355a6] -> /usr/lib64/dovecot/libdovecot-login.so.0(main+0x136) [0x37a000bdf6] -> /lib64/libc.so.6(__libc_start_main+0xf4) [0x3cb301d994] -> dovecot/imap-login(main+0x39) [0x402069]
dovecot: master: Error: service(imap-login): child 27604 killed with signal 6 (core not dumped - add -D parameter to service imap-login { executable }

Once this patch was removed, everything started working again.

Is it possible that dovecot is trying to re-add already-added connections to the polling list - which this specific 'patch' prevents?

We haven't dug deeper yet, but the error is being thrown from the method io_loop_handle_add in ioloop-epoll.c
http://hg.dovecot.org/dovecot-2.0/file/aa8dfa085a99/src/lib/ioloop-epoll.c

Thanks
Doug

Timo Sirainen
2012-Feb-25 00:39 UTC
[Dovecot] v2.0.13 problems after kernel patch for CVE-2011-1083 applied on Centos 5
On 25.2.2012, at 0.49, Doug Henderson wrote:

> [8irgehuq] CVE-2011-1083: Algorithmic denial of service in epoll.
>
> After ksplice automatically installed the above patch on our mail servers, most/all IMAP/POP3 connections began experiencing time-outs trying to connect, or extreme timeouts in the auth procedure.

I'd guess this patch is already in new Linux kernel versions, so other people should have seen any problems caused by it?

> dovecot: pop3-login: Panic: epoll_ctl(add, 6) failed: Invalid argument
..
> Once this patch was removed, everything started working again.
>
> Is it possible that dovecot is trying to re-add already-added connections to the polling list - which this specific 'patch' prevents?

It shouldn't be possible .. EPOLL_CTL_ADD is done only once, EPOLL_CTL_MOD is done afterwards. And if the same fd is attempted to be added/modded twice, Dovecot should assert-crash first in ioloop_iolist_add().
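
An added example, not part of the thread and not Dovecot's code: a small C probe for Linux that reports which errno epoll_ctl() returns for the add-once-then-modify pattern described above and for three misuse cases, so the "Invalid argument" in the panic can be compared with what a duplicate add reports. The names probe_errno, ctl_errno and the enum values are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/epoll.h>
#include <unistd.h>

/* Hypothetical probe names; each is one epoll_ctl() usage pattern. */
enum probe { FIRST_ADD, DUPLICATE_ADD, MOD_AFTER_ADD, MOD_UNREGISTERED, ADD_SELF };

/* Issue one epoll_ctl() call; return 0 on success, else the errno it set. */
static int ctl_errno(int epfd, int op, int fd)
{
    struct epoll_event ev = { .events = EPOLLIN };
    return epoll_ctl(epfd, op, fd, &ev) == 0 ? 0 : errno;
}

/* Build a fresh epoll instance plus a pipe, run one scenario, report errno. */
int probe_errno(enum probe p)
{
    int pfd[2], epfd, err = -1;
    if (pipe(pfd) != 0)
        return -1;
    if ((epfd = epoll_create(8)) >= 0) {
        if (p == DUPLICATE_ADD || p == MOD_AFTER_ADD)
            ctl_errno(epfd, EPOLL_CTL_ADD, pfd[0]);   /* initial registration */
        switch (p) {
        case FIRST_ADD:
        case DUPLICATE_ADD:    err = ctl_errno(epfd, EPOLL_CTL_ADD, pfd[0]); break;
        case MOD_AFTER_ADD:
        case MOD_UNREGISTERED: err = ctl_errno(epfd, EPOLL_CTL_MOD, pfd[0]); break;
        case ADD_SELF:         err = ctl_errno(epfd, EPOLL_CTL_ADD, epfd);   break;
        }
        close(epfd);
    }
    close(pfd[0]);
    close(pfd[1]);
    return err;
}

int main(void)
{
    static const char *name[] = { "first ADD", "duplicate ADD", "MOD after ADD",
                                  "MOD of unregistered fd", "ADD of epfd to itself" };
    for (int p = FIRST_ADD; p <= ADD_SELF; p++) {
        int e = probe_errno((enum probe)p);
        printf("%-24s -> %s\n", name[p], e ? strerror(e) : "ok");
    }
    return 0;
}
```

A duplicate EPOLL_CTL_ADD fails with EEXIST ("File exists"), a different message from the EINVAL ("Invalid argument") in the logged panic.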