dovecot - Mar 2018 - LMTP delivery segfaults when user is over quota.

Hello!

I'm having crashes with LMTP delivery when user is over quota on the 
latest CentOS 7.4 with the latest Dovecot 2.3.0.1 from Dovecot repo.

I see the issue has been fixed on January 17, but it doesn't seem to 
have made it into 2.3.0.1 (I compared with the source from 
https://dovecot.org/releases/2.3/dovecot-2.3.0.1.tar.gz).

https://github.com/dovecot/core/commit/2bf919786518d138cc07d9cc21e14ad5e07e5e56#diff-7964e00c46515956a959fa47fc86d605

I also noticed a similar construct being used on line 465 
(rcpt->rcpt.rcpt->path) that was causing the segfault on the above 
commit on line 136.

struct smtp_address *rcpt_to = rcpt->rcpt.rcpt->path;

Should that also use rcpt->rcpt.path; ?

Thanks from the other side of the gulf!
Reio

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20180304/314ada20/attachment.html>

On 04.03.2018 16:25, Reio Remma wrote:
> Hello!
>
> I'm having crashes with LMTP delivery when user is over quota on the 
> latest CentOS 7.4 with the latest Dovecot 2.3.0.1 from Dovecot repo.
>
> I see the issue has been fixed on January 17, but it doesn't seem to 
> have made it into 2.3.0.1 (I compared with the source from 
> https://dovecot.org/releases/2.3/dovecot-2.3.0.1.tar.gz).
>
>
https://github.com/dovecot/core/commit/2bf919786518d138cc07d9cc21e14ad5e07e5e56#diff-7964e00c46515956a959fa47fc86d605
>
> I also noticed a similar construct being used on line 465 
> (rcpt->rcpt.rcpt->path) that was causing the segfault on the above 
> commit on line 136.
>
> struct smtp_address *rcpt_to = rcpt->rcpt.rcpt->path;
>
> Should that also use rcpt->rcpt.path; ?
>
> Thanks from the other side of the gulf!
> Reio
>
I now managed to coax a core dump out of CentOS - here it is.

Thanks!
Reio

Reading symbols from /usr/libexec/dovecot/lmtp...Reading symbols from 
/usr/lib/debug/usr/libexec/dovecot/lmtp.debug...done.
done.
[New LWP 18733]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `dovecot/lmtp -L'.
Program terminated with signal 11, Segmentation fault.
#0? smtp_server_reply (_cmd=0x0, status=552, enh_code=0x562468e05050 
"5.2.2", fmt=0x562468e05042 "<%s> %s") at
smtp-server-reply.c:210
210???????????? i_assert(cmd->replies_expected <= 1);
(gdb) bt full
#0? smtp_server_reply (_cmd=0x0, status=552, enh_code=0x562468e05050 
"5.2.2", fmt=0x562468e05042 "<%s> %s") at
smtp-server-reply.c:210
 ??????? cmd = <error reading variable cmd (Cannot access memory at 
address 0x20)>
 ??????? args = {{gp_offset = 1790721792, fp_offset = 22052, 
overflow_arg_area = 0x56246abc3f14, reg_save_area = 0x56246ab70b58}}
 ??????? __func__ = "smtp_server_reply"
#1? 0x0000562468e034d7 in lmtp_local_deliver (session=0x56246abe2cd8, 
src_mail=0x56246abde0a8, rcpt=0x56246abada50, trans=0x56246abc3df8, 
cmd=0x56246ab81868, local=0x56246ab7cba0) at lmtp-local.c:621
 ??????? set_parser = <optimized out>
 ??????? line = <optimized out>
 ??????? str = 0x56246ab70068
 ??????? proxy_data = {proto = SMTP_PROXY_PROTOCOL_LMTP, source_ip = 
{family = 0, u = {ip6 = {__in6_u = {__u6_addr8 = '\000' <repeats 15 
times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 
0}}}, ip4 = {s_addr = 0}}},
 ????????? source_port = 0, helo = 0x56246abc3c80 "bwo.mrstuudio.ee", 
login = 0x0, ttl_plus_1 = 0, timeout_secs = 0, extra_fields = 0x0, 
extra_fields_count = 0}
 ??????? delivery_time_started = {tv_sec = 1520176597, tv_usec = 704043}
 ??????? sets = <optimized out>
 ??????? rcpt_user = 0x56246abe30e8
 ??????? mail_set = <optimized out>
 ??????? username = <optimized out>
 ??????? rcpt_idx = 0
 ??????? smtp_set = 0x56246abcf448
 ??????? lda_set = 0x56246abcf4b8
 ??????? ns = <optimized out>
 ??????? rcpt_to = 0x56246abc3f00
 ??????? trcpt = 0x56246abc3ec0
 ??????? storage = 0x56246abe8838
 ??????? mail_error = MAIL_ERROR_NOQUOTA
 ??????? ret = <optimized out>
 ??????? client = 0x56246abaf538
 ??????? service_user = <optimized out>
 ??????? dctx = {pool = 0x56246abe2cb0, set = 0x56246abcf4b8, smtp_set = 
0x56246abcf448, session = 0x56246abe2cd8, session_time_msecs = 24, 
delivery_time_started = {tv_sec = 1520176597, tv_usec = 704043}, dup_db 
= 0x0,
 ????????? session_id = 0x56246abadab0 "PAN2KNUNnFotSQAAinc3nQ", 
src_mail = 0x56246abde0a8, mail_from = 0x56246abc3e98, mail_params = 
{auth = 0x0, body = {type = SMTP_PARAM_MAIL_BODY_TYPE_UNSPECIFIED, ext = 
0x0}, envid = 0x0,
 ??????????? ret = SMTP_PARAM_MAIL_RET_UNSPECIFIED, size = 0, 
extra_params = {arr = {buffer = 0x0, element_size = 0}, v = 0x0, 
v_modifiable = 0x0}}, rcpt_to = 0x56246abc3f00, rcpt_params = {orcpt = 
{addr_type = 0x0,
 ????????????? addr = 0x56246abc3f00, addr_raw = 0x0}, notify = 
SMTP_PARAM_RCPT_NOTIFY_UNSPECIFIED, extra_params = {arr = {buffer = 0x0, 
element_size = 0}, v = 0x0, v_modifiable = 0x0}}, rcpt_user = 
0x56246abe30e8,
 ????????? rcpt_default_mailbox = 0x562468e05064 "INBOX", dest_mail = 
0x0, cache = 0x56246abe2df8, tempfail_error = 0x0, tried_default_save = 
true, saved_mail = false, save_dest_mail = false, mailbox_full = false, 
dsn = false}
 ??????? input = <optimized out>
 ??????? var_table = <optimized out>
 ??????? error = 0x56246abfb3a0 "Kasutaja postkast on t?is."
#2? lmtp_local_deliver_to_rcpts (session=0x56246abe2cd8, 
trans=0x56246abc3df8, cmd=0x56246ab81868, local=0x56246ab7cba0) at 
lmtp-local.c:657
 ??????? rcpt = 0x56246abada50
 ??????? first_uid = 4294967295
 ??????? src_mail = 0x56246abde0a8
 ??????? count = 1
 ??????? i = 0
 ??????? rcpts = <optimized out>
#3? lmtp_local_data (client=client at entry=0x56246abaf538, 
cmd=cmd at entry=0x56246ab81868, trans=trans at entry=0x56246abc3df8, 
input=<optimized out>) at lmtp-local.c:734
 ??????? local = 0x56246ab7cba0
 ??????? session = 0x56246abe2cd8
 ??????? old_uid = 0
#4? 0x0000562468e02123 in cmd_data_finish (trans=0x56246abc3df8, 
cmd=0x56246ab81868, client=0x56246abaf538) at commands.c:144
 ??????? state = 0x56246abaf5c0
 ??????? input_proxy = 0x0
 ??????? input_msg = 0x0
 ??????? input_local = 0x56246abd5348
 ??????? inputs = {0x0, 0x56246abcd108, 0x0}
#5? cmd_data_continue (conn_ctx=0x56246abaf538, cmd=0x56246ab81868, 
trans=0x56246abc3df8) at commands.c:190
 ??????? client = 0x56246abaf538
 ??????? state = 0x56246abaf5c0
 ??????? data_input = <optimized out>
 ??????? data = <optimized out>
 ??????? size = 1750
 ??????? ret = <optimized out>
 ??????? __func__ = "cmd_data_continue"
#6? 0x00007fc8abd7a250 in cmd_data_handle_input (cmd=0x56246ab81868) at 
smtp-server-cmd-data.c:199
 ??????? conn = 0x56246abbeae0
 ??????? callbacks = 0x562469006720 <lmtp_callbacks>
 ??????? command = 0x56246ab81868
 ??????? data_cmd = 0x56246abc3148
 ??????? ret = <optimized out>
 ??????? __func__ = "cmd_data_handle_input"
#7? 0x00007fc8abe0cdf5 in io_loop_call_io (io=0x56246abbf020) at 
ioloop.c:614
 ??????? ioloop = 0x56246ab76c30
 ??????? t_id = 2
 ??????? __func__ = "io_loop_call_io"
#8? 0x00007fc8abe0e69f in io_loop_handler_run_internal 
(ioloop=ioloop at entry=0x56246ab76c30) at ioloop-epoll.c:222
 ??????? ctx = 0x56246ab82190
 ??????? events = <optimized out>
 ??????? list = 0x56246abafd60
 ??????? io = <optimized out>
 ??????? tv = {tv_sec = 299, tv_usec = 999415}
 ??????? events_count = <optimized out>
 ??????? msecs = <optimized out>
 ??????? ret = 1
 ??????? i = 0
 ??????? call = <optimized out>
---Type <return> to continue, or q <return> to quit---
 ??????? __func__ = "io_loop_handler_run_internal"
#9? 0x00007fc8abe0cef2 in io_loop_handler_run 
(ioloop=ioloop at entry=0x56246ab76c30) at ioloop.c:666
 ??????? __func__ = "io_loop_handler_run"
#10 0x00007fc8abe0d118 in io_loop_run (ioloop=0x56246ab76c30) at 
ioloop.c:639
 ??????? __func__ = "io_loop_run"
#11 0x00007fc8abd8ace3 in master_service_run (service=0x56246ab76ac0, 
callback=callback at entry=0x562468e013d0 <client_connected>) at 
master-service.c:767
No locals.
#12 0x0000562468e011a6 in main (argc=2, argv=0x56246ab76890) at main.c:159
 ??????? set_roots = {0x7fc8ac095fa0 <smtp_submit_setting_parser_info>, 
0x7fc8ac5f6ba0 <lda_setting_parser_info>, 0x562469006560 
<lmtp_setting_parser_info>, 0x0}
 ??????? service_flags = <optimized out>
 ??????? storage_service_flags = <optimized out>
 ??????? tmp_base_dir = 0x56246ab6e040 "tp data)"
 ??????? c = <optimized out>
 ??????? error = 0x0

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20180304/e5fa69a4/attachment-0001.html>

Op 3/4/2018 om 3:25 PM schreef Reio Remma:
> Hello!
>
> I'm having crashes with LMTP delivery when user is over quota on the
> latest CentOS 7.4 with the latest Dovecot 2.3.0.1 from Dovecot repo.
>
> I see the issue has been fixed on January 17, but it doesn't seem to
> have made it into 2.3.0.1 (I compared with the source from
> https://dovecot.org/releases/2.3/dovecot-2.3.0.1.tar.gz).
That release is just about the CVEs afaik. The remaining fixes will be
in v2.3.1.
>
https://github.com/dovecot/core/commit/2bf919786518d138cc07d9cc21e14ad5e07e5e56#diff-7964e00c46515956a959fa47fc86d605
>
> I also noticed a similar construct being used on line 465
> (rcpt->rcpt.rcpt->path) that was causing the segfault on the above
> commit on line 136.
>
> struct smtp_address *rcpt_to = rcpt->rcpt.rcpt->path;
>
> Should that also use rcpt->rcpt.path; ?
It would be a bit cleaner maybe, but at the DATA stage it will not
segfault anymore, since the recipient path is definitively put in the
transaction.

Regards,

Stephan.

Op 3/4/2018 om 4:57 PM schreef Reio Remma:
> On 04.03.2018 16:25, Reio Remma wrote:
>> Hello!
>>
>> I'm having crashes with LMTP delivery when user is over quota on
the
>> latest CentOS 7.4 with the latest Dovecot 2.3.0.1 from Dovecot repo.
>>
>> I see the issue has been fixed on January 17, but it doesn't seem
to
>> have made it into 2.3.0.1 (I compared with the source from
>> https://dovecot.org/releases/2.3/dovecot-2.3.0.1.tar.gz).
>>
>>
https://github.com/dovecot/core/commit/2bf919786518d138cc07d9cc21e14ad5e07e5e56#diff-7964e00c46515956a959fa47fc86d605
>>
>> I also noticed a similar construct being used on line 465
>> (rcpt->rcpt.rcpt->path) that was causing the segfault on the
above
>> commit on line 136.
>>
>> struct smtp_address *rcpt_to = rcpt->rcpt.rcpt->path;
>>
>> Should that also use rcpt->rcpt.path; ?
>>
>> Thanks from the other side of the gulf!
>> Reio
>>
>
> I now managed to coax a core dump out of CentOS - here it is.
That is this one:
https://github.com/dovecot/core/commit/c23717da4af9d3275cb45cbc67faaa8daa353ec1#diff-7964e00c46515956a959fa47fc86d605
>
> Thanks!
> Reio
>
> Reading symbols from /usr/libexec/dovecot/lmtp...Reading symbols from
> /usr/lib/debug/usr/libexec/dovecot/lmtp.debug...done.
> done.
> [New LWP 18733]
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib64/libthread_db.so.1".
> Core was generated by `dovecot/lmtp -L'.
> Program terminated with signal 11, Segmentation fault.
> #0? smtp_server_reply (_cmd=0x0, status=552, enh_code=0x562468e05050
> "5.2.2", fmt=0x562468e05042 "<%s> %s") at
smtp-server-reply.c:210
> 210???????????? i_assert(cmd->replies_expected <= 1);
> (gdb) bt full
> #0? smtp_server_reply (_cmd=0x0, status=552, enh_code=0x562468e05050
> "5.2.2", fmt=0x562468e05042 "<%s> %s") at
smtp-server-reply.c:210
> ??????? cmd = <error reading variable cmd (Cannot access memory at
> address 0x20)>
> ??????? args = {{gp_offset = 1790721792, fp_offset = 22052,
> overflow_arg_area = 0x56246abc3f14, reg_save_area = 0x56246ab70b58}}
> ??????? __func__ = "smtp_server_reply"
> #1? 0x0000562468e034d7 in lmtp_local_deliver (session=0x56246abe2cd8,
> src_mail=0x56246abde0a8, rcpt=0x56246abada50, trans=0x56246abc3df8,
> cmd=0x56246ab81868, local=0x56246ab7cba0) at lmtp-local.c:621
> ??????? set_parser = <optimized out>
> ??????? line = <optimized out>
> ??????? str = 0x56246ab70068
> ??????? proxy_data = {proto = SMTP_PROXY_PROTOCOL_LMTP, source_ip >
{family = 0, u = {ip6 = {__in6_u = {__u6_addr8 = '\000' <repeats 15
> times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0,
> 0, 0}}}, ip4 = {s_addr = 0}}},
> ????????? source_port = 0, helo = 0x56246abc3c80
"bwo.mrstuudio.ee",
> login = 0x0, ttl_plus_1 = 0, timeout_secs = 0, extra_fields = 0x0,
> extra_fields_count = 0}
> ??????? delivery_time_started = {tv_sec = 1520176597, tv_usec = 704043}
> ??????? sets = <optimized out>
> ??????? rcpt_user = 0x56246abe30e8
> ??????? mail_set = <optimized out>
> ??????? username = <optimized out>
> ??????? rcpt_idx = 0
> ??????? smtp_set = 0x56246abcf448
> ??????? lda_set = 0x56246abcf4b8
> ??????? ns = <optimized out>
> ??????? rcpt_to = 0x56246abc3f00
> ??????? trcpt = 0x56246abc3ec0
> ??????? storage = 0x56246abe8838
> ??????? mail_error = MAIL_ERROR_NOQUOTA
> ??????? ret = <optimized out>
> ??????? client = 0x56246abaf538
> ??????? service_user = <optimized out>
> ??????? dctx = {pool = 0x56246abe2cb0, set = 0x56246abcf4b8, smtp_set
> = 0x56246abcf448, session = 0x56246abe2cd8, session_time_msecs = 24,
> delivery_time_started = {tv_sec = 1520176597, tv_usec = 704043},
> dup_db = 0x0,
> ????????? session_id = 0x56246abadab0 "PAN2KNUNnFotSQAAinc3nQ",
> src_mail = 0x56246abde0a8, mail_from = 0x56246abc3e98, mail_params >
{auth = 0x0, body = {type = SMTP_PARAM_MAIL_BODY_TYPE_UNSPECIFIED, ext
> = 0x0}, envid = 0x0,
> ??????????? ret = SMTP_PARAM_MAIL_RET_UNSPECIFIED, size = 0,
> extra_params = {arr = {buffer = 0x0, element_size = 0}, v = 0x0,
> v_modifiable = 0x0}}, rcpt_to = 0x56246abc3f00, rcpt_params = {orcpt >
{addr_type = 0x0,
> ????????????? addr = 0x56246abc3f00, addr_raw = 0x0}, notify >
SMTP_PARAM_RCPT_NOTIFY_UNSPECIFIED, extra_params = {arr = {buffer > 0x0,
element_size = 0}, v = 0x0, v_modifiable = 0x0}}, rcpt_user > 0x56246abe30e8,
> ????????? rcpt_default_mailbox = 0x562468e05064 "INBOX",
dest_mail > 0x0, cache = 0x56246abe2df8, tempfail_error = 0x0,
tried_default_save
> = true, saved_mail = false, save_dest_mail = false, mailbox_full >
false, dsn = false}
> ??????? input = <optimized out>
> ??????? var_table = <optimized out>
> ??????? error = 0x56246abfb3a0 "Kasutaja postkast on t?is."
> #2? lmtp_local_deliver_to_rcpts (session=0x56246abe2cd8,
> trans=0x56246abc3df8, cmd=0x56246ab81868, local=0x56246ab7cba0) at
> lmtp-local.c:657
> ??????? rcpt = 0x56246abada50
> ??????? first_uid = 4294967295
> ??????? src_mail = 0x56246abde0a8
> ??????? count = 1
> ??????? i = 0
> ??????? rcpts = <optimized out>
> #3? lmtp_local_data (client=client at entry=0x56246abaf538,
> cmd=cmd at entry=0x56246ab81868, trans=trans at entry=0x56246abc3df8,
> input=<optimized out>) at lmtp-local.c:734
> ??????? local = 0x56246ab7cba0
> ??????? session = 0x56246abe2cd8
> ??????? old_uid = 0
> #4? 0x0000562468e02123 in cmd_data_finish (trans=0x56246abc3df8,
> cmd=0x56246ab81868, client=0x56246abaf538) at commands.c:144
> ??????? state = 0x56246abaf5c0
> ??????? input_proxy = 0x0
> ??????? input_msg = 0x0
> ??????? input_local = 0x56246abd5348
> ??????? inputs = {0x0, 0x56246abcd108, 0x0}
> #5? cmd_data_continue (conn_ctx=0x56246abaf538, cmd=0x56246ab81868,
> trans=0x56246abc3df8) at commands.c:190
> ??????? client = 0x56246abaf538
> ??????? state = 0x56246abaf5c0
> ??????? data_input = <optimized out>
> ??????? data = <optimized out>
> ??????? size = 1750
> ??????? ret = <optimized out>
> ??????? __func__ = "cmd_data_continue"
> #6? 0x00007fc8abd7a250 in cmd_data_handle_input (cmd=0x56246ab81868)
> at smtp-server-cmd-data.c:199
> ??????? conn = 0x56246abbeae0
> ??????? callbacks = 0x562469006720 <lmtp_callbacks>
> ??????? command = 0x56246ab81868
> ??????? data_cmd = 0x56246abc3148
> ??????? ret = <optimized out>
> ??????? __func__ = "cmd_data_handle_input"
> #7? 0x00007fc8abe0cdf5 in io_loop_call_io (io=0x56246abbf020) at
> ioloop.c:614
> ??????? ioloop = 0x56246ab76c30
> ??????? t_id = 2
> ??????? __func__ = "io_loop_call_io"
> #8? 0x00007fc8abe0e69f in io_loop_handler_run_internal
> (ioloop=ioloop at entry=0x56246ab76c30) at ioloop-epoll.c:222
> ??????? ctx = 0x56246ab82190
> ??????? events = <optimized out>
> ??????? list = 0x56246abafd60
> ??????? io = <optimized out>
> ??????? tv = {tv_sec = 299, tv_usec = 999415}
> ??????? events_count = <optimized out>
> ??????? msecs = <optimized out>
> ??????? ret = 1
> ??????? i = 0
> ??????? call = <optimized out>
> ---Type <return> to continue, or q <return> to quit---
> ??????? __func__ = "io_loop_handler_run_internal"
> #9? 0x00007fc8abe0cef2 in io_loop_handler_run
> (ioloop=ioloop at entry=0x56246ab76c30) at ioloop.c:666
> ??????? __func__ = "io_loop_handler_run"
> #10 0x00007fc8abe0d118 in io_loop_run (ioloop=0x56246ab76c30) at
> ioloop.c:639
> ??????? __func__ = "io_loop_run"
> #11 0x00007fc8abd8ace3 in master_service_run (service=0x56246ab76ac0,
> callback=callback at entry=0x562468e013d0 <client_connected>) at
> master-service.c:767
> No locals.
> #12 0x0000562468e011a6 in main (argc=2, argv=0x56246ab76890) at main.c:159
> ??????? set_roots = {0x7fc8ac095fa0
<smtp_submit_setting_parser_info>,
> 0x7fc8ac5f6ba0 <lda_setting_parser_info>, 0x562469006560
> <lmtp_setting_parser_info>, 0x0}
> ??????? service_flags = <optimized out>
> ??????? storage_service_flags = <optimized out>
> ??????? tmp_base_dir = 0x56246ab6e040 "tp data)"
> ??????? c = <optimized out>
> ??????? error = 0x0
>