[exim-dev] [Bug 1870] New: Use of ${run} in router condition…

Author: admin
Date:  
To: exim-dev
New-Topics: [exim-dev] [Bug 1870] Use of ${run} in router conditions causes intermittent crash
Subject: [exim-dev] [Bug 1870] New: Use of ${run} in router conditions causes intermittent crash
https://bugs.exim.org/show_bug.cgi?id=1870

            Bug ID: 1870
           Summary: Use of ${run} in router conditions causes intermittent
                    crash
           Product: Exim
           Version: 4.84
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: security
          Priority: medium
         Component: Routing
          Assignee: nigel@???
          Reporter: steve@???
                CC: exim-dev@???


Define a router with a condition like:
    condition = ${run{/usr/sbin/example}}
or:
    condition = ${if ! eq{}{${run{/usr/sbin/example}}}}


If /usr/sbin/example returns nothing on stdout, exim often crashes, resulting
in errors such as "queue run: process Foo crashed with signal 6 while
delivering Bar". The process in question ("exim -q" or "exim -M <msgid>")
actually crashes with a glibc "double free or corruption" error. Specifying
-d+all seems to make the bug go away.

This problem seems to have appeared since Exim 4.72 and my testing has been on
Scientific Linux 6.

At the very least this could lead to a denial of service attack if an attacker
can make /usr/sbin/example return nothing. Valgrind shows a number of
warnings:

==5272== Invalid read of size 1
==5272==    at 0x4C29F92: strlen (mc_replace_strmem.c:403)
==5272==    by 0x161B04: process_yesno (expand.c:3109)
==5272==    by 0x15B6AA: expand_string_internal (expand.c:4845)
==5272==    by 0x158C83: eval_condition (expand.c:2432)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161EEE: read_subs (expand.c:1942)
==5272==    by 0x159054: eval_condition (expand.c:2912)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161905: expand_check_condition (expand.c:856)
==5272==    by 0x18D1D5: route_address (route.c:998)
==5272==    by 0x146DF1: deliver_message (deliver.c:5941)
==5272==    by 0x179273: queue_run (queue.c:619)
==5272==    by 0x1523B4: main (exim.c:4547)
==5272==  Address 0xa58e540 is 5,344 bytes inside a block of size 8,208 alloc'd
==5272==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
==5272==    by 0x19F7DF: store_malloc_3 (store.c:495)
==5272==    by 0x19FB4C: store_get_3 (store.c:169)
==5272==    by 0x19E3A7: spool_read_header (spool_in.c:811)
==5272==    by 0x145E2D: deliver_message (deliver.c:4827)
==5272==    by 0x179273: queue_run (queue.c:619)
==5272==    by 0x1523B4: main (exim.c:4547)
==5272== 
==5272== Invalid read of size 1
==5272==    at 0x4C29FA4: strlen (mc_replace_strmem.c:403)
==5272==    by 0x161B04: process_yesno (expand.c:3109)
==5272==    by 0x15B6AA: expand_string_internal (expand.c:4845)
==5272==    by 0x158C83: eval_condition (expand.c:2432)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161EEE: read_subs (expand.c:1942)
==5272==    by 0x159054: eval_condition (expand.c:2912)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161905: expand_check_condition (expand.c:856)
==5272==    by 0x18D1D5: route_address (route.c:998)
==5272==    by 0x146DF1: deliver_message (deliver.c:5941)
==5272==    by 0x179273: queue_run (queue.c:619)
==5272==    by 0x1523B4: main (exim.c:4547)
==5272==  Address 0xa58e541 is 5,345 bytes inside a block of size 8,208 alloc'd
==5272==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
==5272==    by 0x19F7DF: store_malloc_3 (store.c:495)
==5272==    by 0x19FB4C: store_get_3 (store.c:169)
==5272==    by 0x19E3A7: spool_read_header (spool_in.c:811)
==5272==    by 0x145E2D: deliver_message (deliver.c:4827)
==5272==    by 0x179273: queue_run (queue.c:619)
==5272==    by 0x1523B4: main (exim.c:4547)
==5272== 
==5272== Invalid read of size 2
==5272==    at 0x4C2AC80: memcpy (mc_replace_strmem.c:882)
==5272==    by 0x1A1739: string_cat (string3.h:52)
==5272==    by 0x161B1C: process_yesno (expand.c:3109)
==5272==    by 0x15B6AA: expand_string_internal (expand.c:4845)
==5272==    by 0x158C83: eval_condition (expand.c:2432)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161EEE: read_subs (expand.c:1942)
==5272==    by 0x159054: eval_condition (expand.c:2912)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161905: expand_check_condition (expand.c:856)
==5272==    by 0x18D1D5: route_address (route.c:998)
==5272==    by 0x146DF1: deliver_message (deliver.c:5941)
==5272==    by 0x179273: queue_run (queue.c:619)
==5272==    by 0x1523B4: main (exim.c:4547)
==5272==  Address 0xa58e540 is 5,344 bytes inside a block of size 8,208 alloc'd
==5272==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
==5272==    by 0x19F7DF: store_malloc_3 (store.c:495)
==5272==    by 0x19FB4C: store_get_3 (store.c:169)
==5272==    by 0x19E3A7: spool_read_header (spool_in.c:811)
==5272==    by 0x145E2D: deliver_message (deliver.c:4827)
==5272==    by 0x179273: queue_run (queue.c:619)
==5272==    by 0x1523B4: main (exim.c:4547)
==5272== 
==5272== Invalid read of size 1
==5272==    at 0x4C2ACB8: memcpy (mc_replace_strmem.c:882)
==5272==    by 0x1A1739: string_cat (string3.h:52)
==5272==    by 0x161B1C: process_yesno (expand.c:3109)
==5272==    by 0x15B6AA: expand_string_internal (expand.c:4845)
==5272==    by 0x158C83: eval_condition (expand.c:2432)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161EEE: read_subs (expand.c:1942)
==5272==    by 0x159054: eval_condition (expand.c:2912)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161905: expand_check_condition (expand.c:856)
==5272==    by 0x18D1D5: route_address (route.c:998)
==5272==    by 0x146DF1: deliver_message (deliver.c:5941)
==5272==    by 0x179273: queue_run (queue.c:619)
==5272==    by 0x1523B4: main (exim.c:4547)
==5272==  Address 0xa58e542 is 5,346 bytes inside a block of size 8,208 alloc'd
==5272==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
==5272==    by 0x19F7DF: store_malloc_3 (store.c:495)
==5272==    by 0x19FB4C: store_get_3 (store.c:169)
==5272==    by 0x19E3A7: spool_read_header (spool_in.c:811)
==5272==    by 0x145E2D: deliver_message (deliver.c:4827)
==5272==    by 0x179273: queue_run (queue.c:619)
==5272==    by 0x1523B4: main (exim.c:4547)
==5272== 
==5272== Invalid read of size 1
==5272==    at 0x4C29F92: strlen (mc_replace_strmem.c:403)
==5272==    by 0x15A78E: expand_string_internal (expand.c:6746)
==5272==    by 0x161B48: process_yesno (expand.c:3125)
==5272==    by 0x15B6AA: expand_string_internal (expand.c:4845)
==5272==    by 0x158C83: eval_condition (expand.c:2432)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161EEE: read_subs (expand.c:1942)
==5272==    by 0x159054: eval_condition (expand.c:2912)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161905: expand_check_condition (expand.c:856)
==5272==    by 0x18D1D5: route_address (route.c:998)
==5272==    by 0x146DF1: deliver_message (deliver.c:5941)
==5272==    by 0x179273: queue_run (queue.c:619)
==5272==    by 0x1523B4: main (exim.c:4547)
==5272==  Address 0xa58e540 is 5,344 bytes inside a block of size 8,208 alloc'd
==5272==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
==5272==    by 0x19F7DF: store_malloc_3 (store.c:495)
==5272==    by 0x19FB4C: store_get_3 (store.c:169)
==5272==    by 0x19E3A7: spool_read_header (spool_in.c:811)
==5272==    by 0x145E2D: deliver_message (deliver.c:4827)
==5272==    by 0x179273: queue_run (queue.c:619)
==5272==    by 0x1523B4: main (exim.c:4547)
==5272== 
==5272== Invalid read of size 1
==5272==    at 0x4C29FA4: strlen (mc_replace_strmem.c:403)
==5272==    by 0x15A78E: expand_string_internal (expand.c:6746)
==5272==    by 0x161B48: process_yesno (expand.c:3125)
==5272==    by 0x15B6AA: expand_string_internal (expand.c:4845)
==5272==    by 0x158C83: eval_condition (expand.c:2432)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161EEE: read_subs (expand.c:1942)
==5272==    by 0x159054: eval_condition (expand.c:2912)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161905: expand_check_condition (expand.c:856)
==5272==    by 0x18D1D5: route_address (route.c:998)
==5272==    by 0x146DF1: deliver_message (deliver.c:5941)
==5272==    by 0x179273: queue_run (queue.c:619)
==5272==    by 0x1523B4: main (exim.c:4547)
==5272==  Address 0xa58e541 is 5,345 bytes inside a block of size 8,208 alloc'd
==5272==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
==5272==    by 0x19F7DF: store_malloc_3 (store.c:495)
==5272==    by 0x19FB4C: store_get_3 (store.c:169)
==5272==    by 0x19E3A7: spool_read_header (spool_in.c:811)
==5272==    by 0x145E2D: deliver_message (deliver.c:4827)
==5272==    by 0x179273: queue_run (queue.c:619)
==5272==    by 0x1523B4: main (exim.c:4547)
==5272== 
==5272== Invalid read of size 2
==5272==    at 0x4C2AC80: memcpy (mc_replace_strmem.c:882)
==5272==    by 0x1A1739: string_cat (string3.h:52)
==5272==    by 0x15A7C0: expand_string_internal (expand.c:6753)
==5272==    by 0x161B48: process_yesno (expand.c:3125)
==5272==    by 0x15B6AA: expand_string_internal (expand.c:4845)
==5272==    by 0x158C83: eval_condition (expand.c:2432)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161EEE: read_subs (expand.c:1942)
==5272==    by 0x159054: eval_condition (expand.c:2912)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161905: expand_check_condition (expand.c:856)
==5272==    by 0x18D1D5: route_address (route.c:998)
==5272==    by 0x146DF1: deliver_message (deliver.c:5941)
==5272==    by 0x179273: queue_run (queue.c:619)
==5272==    by 0x1523B4: main (exim.c:4547)
==5272==  Address 0xa58e540 is 5,344 bytes inside a block of size 8,208 alloc'd
==5272==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
==5272==    by 0x19F7DF: store_malloc_3 (store.c:495)
==5272==    by 0x19FB4C: store_get_3 (store.c:169)
==5272==    by 0x19E3A7: spool_read_header (spool_in.c:811)
==5272==    by 0x145E2D: deliver_message (deliver.c:4827)
==5272==    by 0x179273: queue_run (queue.c:619)
==5272==    by 0x1523B4: main (exim.c:4547)
==5272== 
==5272== Invalid read of size 1
==5272==    at 0x4C2ACB8: memcpy (mc_replace_strmem.c:882)
==5272==    by 0x1A1739: string_cat (string3.h:52)
==5272==    by 0x15A7C0: expand_string_internal (expand.c:6753)
==5272==    by 0x161B48: process_yesno (expand.c:3125)
==5272==    by 0x15B6AA: expand_string_internal (expand.c:4845)
==5272==    by 0x158C83: eval_condition (expand.c:2432)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161EEE: read_subs (expand.c:1942)
==5272==    by 0x159054: eval_condition (expand.c:2912)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161905: expand_check_condition (expand.c:856)
==5272==    by 0x18D1D5: route_address (route.c:998)
==5272==    by 0x146DF1: deliver_message (deliver.c:5941)
==5272==    by 0x179273: queue_run (queue.c:619)
==5272==    by 0x1523B4: main (exim.c:4547)
==5272==  Address 0xa58e542 is 5,346 bytes inside a block of size 8,208 alloc'd
==5272==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
==5272==    by 0x19F7DF: store_malloc_3 (store.c:495)
==5272==    by 0x19FB4C: store_get_3 (store.c:169)
==5272==    by 0x19E3A7: spool_read_header (spool_in.c:811)
==5272==    by 0x145E2D: deliver_message (deliver.c:4827)
==5272==    by 0x179273: queue_run (queue.c:619)
==5272==    by 0x1523B4: main (exim.c:4547)
==5272== 
==5272== Conditional jump or move depends on uninitialised value(s)
==5272==    at 0x4C29F99: strlen (mc_replace_strmem.c:403)
==5272==    by 0x161B04: process_yesno (expand.c:3109)
==5272==    by 0x15B6AA: expand_string_internal (expand.c:4845)
==5272==    by 0x158C83: eval_condition (expand.c:2432)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161EEE: read_subs (expand.c:1942)
==5272==    by 0x159054: eval_condition (expand.c:2912)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161905: expand_check_condition (expand.c:856)
==5272==    by 0x18D1D5: route_address (route.c:998)
==5272==    by 0x146DF1: deliver_message (deliver.c:5941)
==5272==    by 0x179273: queue_run (queue.c:619)
==5272==    by 0x1523B4: main (exim.c:4547)
==5272== 
==5272== Conditional jump or move depends on uninitialised value(s)
==5272==    at 0x4C29FA8: strlen (mc_replace_strmem.c:403)
==5272==    by 0x161B04: process_yesno (expand.c:3109)
==5272==    by 0x15B6AA: expand_string_internal (expand.c:4845)
==5272==    by 0x158C83: eval_condition (expand.c:2432)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161EEE: read_subs (expand.c:1942)
==5272==    by 0x159054: eval_condition (expand.c:2912)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161905: expand_check_condition (expand.c:856)
==5272==    by 0x18D1D5: route_address (route.c:998)
==5272==    by 0x146DF1: deliver_message (deliver.c:5941)
==5272==    by 0x179273: queue_run (queue.c:619)
==5272==    by 0x1523B4: main (exim.c:4547)
==5272== 
==5272== Source and destination overlap in memcpy(0xa58edf0, 0xa58ee10, 56)
==5272==    at 0x4C2ABCE: memcpy (mc_replace_strmem.c:882)
==5272==    by 0x1A1739: string_cat (string3.h:52)
==5272==    by 0x161B1C: process_yesno (expand.c:3109)
==5272==    by 0x15B6AA: expand_string_internal (expand.c:4845)
==5272==    by 0x158C83: eval_condition (expand.c:2432)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161EEE: read_subs (expand.c:1942)
==5272==    by 0x159054: eval_condition (expand.c:2912)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161905: expand_check_condition (expand.c:856)
==5272==    by 0x18D1D5: route_address (route.c:998)
==5272==    by 0x146DF1: deliver_message (deliver.c:5941)
==5272==    by 0x179273: queue_run (queue.c:619)
==5272==    by 0x1523B4: main (exim.c:4547)
==5272== 
==5272== Invalid write of size 1
==5272==    at 0x157C11: cat_file (expand.c:3399)
==5272==    by 0x15DDC7: expand_string_internal (expand.c:4815)
==5272==    by 0x158C83: eval_condition (expand.c:2432)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161EEE: read_subs (expand.c:1942)
==5272==    by 0x159054: eval_condition (expand.c:2912)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161905: expand_check_condition (expand.c:856)
==5272==    by 0x18D1D5: route_address (route.c:998)
==5272==    by 0x146DF1: deliver_message (deliver.c:5941)
==5272==    by 0x179273: queue_run (queue.c:619)
==5272==    by 0x1523B4: main (exim.c:4547)
==5272==  Address 0xa6941a8 is 568 bytes inside a block of size 8,208 free'd
==5272==    at 0x4C28430: free (vg_replace_malloc.c:446)
==5272==    by 0x19FEB2: store_reset_3 (store.c:384)
==5272==    by 0x15C8F0: expand_string_internal (expand.c:6789)
==5272==    by 0x158C83: eval_condition (expand.c:2432)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161EEE: read_subs (expand.c:1942)
==5272==    by 0x159054: eval_condition (expand.c:2912)
==5272==    by 0x1591CE: eval_condition (expand.c:2791)
==5272==    by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272==    by 0x161905: expand_check_condition (expand.c:856)
==5272==    by 0x18D1D5: route_address (route.c:998)
==5272==    by 0x146DF1: deliver_message (deliver.c:5941)
==5272==    by 0x179273: queue_run (queue.c:619)
==5272==    by 0x1523B4: main (exim.c:4547)
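Added example, not part of the bug report or of Exim's own code: a small Python triage helper for memcheck output in the shape of the trace above. It splits the log into errors, picks the innermost frame that is in the program rather than in Valgrind's replacement libc, and lists every access to a block Valgrind already reports as free'd (here cat_file writing into memory released by store_reset_3). The sample text is a constructed, shortened extract of the trace.

```python
"""Triage helper for Valgrind memcheck output: group errors, find the innermost
program frame, and flag accesses to memory that was already free'd."""
import re

# Constructed sample in the shape of the report's trace (two errors, shortened).
SAMPLE = """\
==5272== Invalid read of size 1
==5272==    at 0x4C29F92: strlen (mc_replace_strmem.c:403)
==5272==    by 0x161B04: process_yesno (expand.c:3109)
==5272==  Address 0xa58e540 is 5,344 bytes inside a block of size 8,208 alloc'd
==5272==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
==5272==    by 0x19F7DF: store_malloc_3 (store.c:495)
==5272==
==5272== Invalid write of size 1
==5272==    at 0x157C11: cat_file (expand.c:3399)
==5272==    by 0x15DDC7: expand_string_internal (expand.c:4815)
==5272==  Address 0xa6941a8 is 568 bytes inside a block of size 8,208 free'd
==5272==    at 0x4C28430: free (vg_replace_malloc.c:446)
==5272==    by 0x19FEB2: store_reset_3 (store.c:384)
"""

PREFIX = re.compile(r"^==\d+==\s?")                  # "==PID== " line prefix
FRAME = re.compile(r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((\S+)\)$")
ADDR = re.compile(r"^\s+Address 0x[0-9a-f]+ is .* (alloc'd|free'd)$")
VG_FILES = ("mc_replace_strmem.c", "vg_replace_malloc.c")  # Valgrind shims

def parse_valgrind(text):
    """One dict per error: kind, frames, origin (alloc'd/free'd/None), origin_frames."""
    errors, cur, frames = [], None, None
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue                        # not a memcheck line
        line = raw[m.end():]
        if not line.strip():                # PID-only line ends the error
            cur = None
        elif cur is not None and (fm := FRAME.match(line)):
            frames.append(fm.groups())      # (function, file:line)
        elif cur is not None and (am := ADDR.match(line)):
            cur["origin"] = am.group(1)
            frames = cur["origin_frames"]   # later frames describe the block
        elif not line.startswith(" "):      # unindented line = error headline
            cur = {"kind": line.strip(), "frames": [], "origin": None, "origin_frames": []}
            frames = cur["frames"]
            errors.append(cur)
    return errors

def first_program_frame(frames):
    """Innermost frame that belongs to the program rather than to Valgrind."""
    for func, loc in frames:
        if not loc.startswith(VG_FILES):
            return f"{func} ({loc})"
    return "?"

def use_after_free_sites(errors):
    """(access site, free site) for every error on an already free'd block."""
    return [(first_program_frame(e["frames"]), first_program_frame(e["origin_frames"]))
            for e in errors if e["origin"] == "free'd"]
```

Run against a full log, the free'd pairs are the ones to chase first: a write into a block released by an arena reset is what turns into glibc's "double free or corruption" abort.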

