[exim-dev] [Bug 1708] New: Segfault on lsearch lookup

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1708] New: Segfault on lsearch lookup
https://bugs.exim.org/show_bug.cgi?id=1708

            Bug ID: 1708
           Summary: Segfault on lsearch lookup
           Product: Exim
           Version: 4.86
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Lookups
          Assignee: nigel@???
          Reporter: eximusers@???
                CC: exim-dev@???


Hello,

this is https://bugs.debian.org/803255:
------------------------------------------------
After upgrading from exim4 4.86-3 to 4.86-4, I observe a segfault when
/etc/email-addresses is looked up by sendmail/exim and an entry with a
rewriting rule is found. These mails don't get sent.

Commenting out the corresponding line in /etc/email-addresses fixes the
problem.

I am seeing this segfault on armel, but not on amd64.

# cat /etc/email-addresses
# This is /etc/email-addresses. It is part of the exim package
#
# This file contains email addresses to use for outgoing mail. Any local
# part not in here will be qualified by the system domain as normal.
#
# It should contain lines of the form:
#
#user: someone@???
#otheruser: someoneelse@???
sleveque: sylvain@???
monit@donkeykong: sylvain@???
root: sylvain@???

# echo "Subject: test" | /usr/lib/sendmail -v sylvain@???
Segmentation fault

# echo "Subject: test" | strace /usr/lib/sendmail -v sylvain@???
[snip]
rt_sigaction(SIGTERM, {0xb6ec3b4c, [TERM], SA_RESTORER|SA_RESTART, 0xb68accf0},
{SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGINT, {0xb6ec3b4c, [INT], SA_RESTORER|SA_RESTART, 0xb68accf0},
{SIG_DFL, [], 0}, 8) = 0
fstat64(0, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb6e58000
read(0, "Subject: test\n", 4096)        = 14
read(0, "", 4096)                       = 0
open("/etc/email-addresses", O_RDONLY|O_LARGEFILE) = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=400, ...}) = 0
fstat64(4, {st_mode=S_IFREG|0644, st_size=400, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb6e57000
_llseek(4, 0, [0], SEEK_SET)            = 0
read(4, "# This is /etc/email-addresses. "..., 4096) = 400
read(4, "", 4096)                       = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0xc8b80b28} ---
+++ killed by SIGSEGV +++
Segmentation fault


# cat /etc/email-addresses
# This is /etc/email-addresses. It is part of the exim package
#
# This file contains email addresses to use for outgoing mail. Any local
# part not in here will be qualified by the system domain as normal.
#
# It should contain lines of the form:
#
#user: someone@???
#otheruser: someoneelse@???
sleveque: sylvain@???
monit@donkeykong: sylvain@???
#root: sylvain@???

# echo "Subject: test" | /usr/lib/sendmail -v sylvain@???
LOG: MAIN
<= root@??? U=root P=local S=358
donkeykong:~# delivering 1ZrPx0-0002Kr-GX
R: smarthost for sylvain@???
T: remote_smtp_smarthost for sylvain@???
Connecting to XXXXXXXXXXXXXXX:25 ... connected
SMTP<< 220 XXXXXXXXXXXXXXXX ESMTP Postfix
SMTP>> EHLO donkeykong.gromi.net

  SMTP<< 250-XXXXXXXXXXXXXXXX
         250-PIPELINING
         250-SIZE 35000000
         250-VRFY
         250-ETRN
         250-STARTTLS
         250-ENHANCEDSTATUSCODES
         250-8BITMIME
         250 DSN

SMTP>> STARTTLS

SMTP<< 220 2.0.0 Ready to start TLS
SMTP>> EHLO donkeykong.gromi.net

  SMTP<< 250-XXXXXXXXXXXXXXXX
         250-PIPELINING
         250-SIZE 35000000
         250-VRFY
         250-ETRN
         250-ENHANCEDSTATUSCODES
         250-8BITMIME
         250 DSN

SMTP>> MAIL FROM:<root@???> SIZE=1390
SMTP>> RCPT TO:<sylvain@???>
SMTP>> DATA

SMTP<< 250 2.1.0 Ok
SMTP<< 250 2.1.5 Ok
SMTP<< 354 End data with <CR><LF>.<CR><LF>
SMTP>> writing message and terminating "."

SMTP<< 250 2.0.0 Ok: queued as 8F372D480B3
SMTP>> QUIT

LOG: MAIN
=> sylvain@??? R=smarthost T=remote_smtp_smarthost H=XXXXXXXXXXXXX
[XXXXXXXXXX] X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=no
DN="OU=GT42558204,OU=See www.rapidssl.com/resources/cps (c)15,OU=Domain Control
Validated - RapidSSL(R),CN=XXXXXXXX" C="250 2.0.0 Ok: queued as 8F372D480B3"
LOG: MAIN
Completed

> Could you provide a backtrace, please?


There you go:
(gdb) run -v sylvain@??? < /tmp/echo_subject
Starting program: /usr/sbin/sendmail -v sylvain@??? < /tmp/echo_subject
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/arm-linux-gnueabi/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0xb6998af4 in strlen () from /lib/arm-linux-gnueabi/libc.so.6
(gdb) bt
#0 0xb6998af4 in strlen () from /lib/arm-linux-gnueabi/libc.so.6
#1 0xb6f850d4 in string_copy (s=0xc8b7b9ba <error: Cannot access
memory at address 0xc8b7b9ba>) at string.c:421
#2 0xb6f70068 in internal_search_find
(handle=handle@entry=0xb7b9ba88, filename=filename@entry=0xffffffff
<error: Cannot access memory at address 0xffffffff>,
keystring=keystring@entry=0xb7b9a298 "root") at search.c:575
#3 0xb6f70d30 in search_find (handle=0xb7b9ba88, filename=0xffffffff
<error: Cannot access memory at address 0xffffffff>,
filename@entry=0xb7b9a2a0 "/etc/email-addresses", keystring=0xb7b9a298
"root", keystring@entry=0xb7002164 <lookup_value> "",
partial=-1212616729, affix=0x0, affixlen=-1225547364, starflags=0,
expand_setup=expand_setup@entry=0xbe7e0a24) at search.c:671
#4 0xb6f3a19c in expand_string_internal (string=<optimized out>,
ket_ends=ket_ends@entry=0, left=left@entry=0x0,
skipping=skipping@entry=0, honour_dollar=honour_dollar@entry=1,
resetok_p=resetok_p@entry=0x0) at expand.c:4270
#5 0xb6f36df4 in expand_cstring (string=<optimized out>) at expand.c:7171
#6 0xb6f6b854 in rewrite_one (s=s@entry=0xb7b9a168 "root", flag=2,
flag@entry=-1224756988, whole=0x0, whole@entry=0xbe7e1938,
add_header=add_header@entry=0, name=name@entry=0x0,
rewrite_rules=0xb7b98210, rewrite_rules@entry=0xb6fd7d00) at
rewrite.c:192
#7 0xb6f6c37c in rewrite_one_header (h=0xb700234c <debug_selector>,
flag=-1224756988, flag@entry=2, routed_old=routed_old@entry=0x0,
routed_new=0xb6fd234c "NULL", routed_new@entry=0x0,
rewrite_rules=0xb7b98210, existflags=99, existflags@entry=-1212572792,
replace=1, replace@entry=-1225369456) at rewrite.c:562
#8 0xb6f6c67c in rewrite_header (h=h@entry=0xb7b9a008,
routed_old=routed_old@entry=0x0, routed_new=routed_new@entry=0x0,
rewrite_rules=<optimized out>, existflags=99, replace=replace@entry=1)
at rewrite.c:733
#9 0xb6f65890 in receive_msg (extract_recip=0) at receive.c:2769
#10 0xb6f14be8 in main (argc=<optimized out>, cargv=<optimized out>)
at exim.c:5466
(gdb)
------------------------------------------------

Debian now tracks exim-4_86+fixes; 4.86-3 differs from 4.86-4 by the addition
of these patches from exim-4_86+fixes:
4d3b8805796ffa39889060d9f216bfaf7391c542 DNS: time-limit cached returns, using
TTL.
c4dcf906ceb3a45c6b30f76476d73ca836b262cd Retry: always use interface, if set,
for retry DB key.

cu Andreas
