https://bugs.exim.org/show_bug.cgi?id=1870
Bug ID: 1870
Summary: Use of ${run} in router conditions causes intermittent crash
Product: Exim
Version: 4.84
Hardware: x86-64
OS: Linux
Status: NEW
Severity: security
Priority: medium
Component: Routing
Assignee: nigel@???
Reporter: steve@???
CC: exim-dev@???
Define a router with a condition like:
condition = ${run{/usr/sbin/example}}
or:
condition = ${if ! eq{}{${run{/usr/sbin/example}}}}
If /usr/sbin/example returns nothing on stdout, exim often crashes, resulting
in errors such as "queue run: process Foo crashed with signal 6 while
delivering Bar". The process in question ("exim -q" or "exim -M <msgid>")
actually crashes with a glibc "double free or corruption" error. Specifying
-d+all seems to make the bug go away.
This problem seems to have appeared since Exim 4.72 and my testing has been on
Scientific Linux 6.
At the very least this could lead to a denial of service attack if an attacker
can make /usr/sbin/example return nothing. Valgrind shows a number of
warnings:
==5272== Invalid read of size 1
==5272== at 0x4C29F92: strlen (mc_replace_strmem.c:403)
==5272== by 0x161B04: process_yesno (expand.c:3109)
==5272== by 0x15B6AA: expand_string_internal (expand.c:4845)
==5272== by 0x158C83: eval_condition (expand.c:2432)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161EEE: read_subs (expand.c:1942)
==5272== by 0x159054: eval_condition (expand.c:2912)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161905: expand_check_condition (expand.c:856)
==5272== by 0x18D1D5: route_address (route.c:998)
==5272== by 0x146DF1: deliver_message (deliver.c:5941)
==5272== by 0x179273: queue_run (queue.c:619)
==5272== by 0x1523B4: main (exim.c:4547)
==5272== Address 0xa58e540 is 5,344 bytes inside a block of size 8,208 alloc'd
==5272== at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
==5272== by 0x19F7DF: store_malloc_3 (store.c:495)
==5272== by 0x19FB4C: store_get_3 (store.c:169)
==5272== by 0x19E3A7: spool_read_header (spool_in.c:811)
==5272== by 0x145E2D: deliver_message (deliver.c:4827)
==5272== by 0x179273: queue_run (queue.c:619)
==5272== by 0x1523B4: main (exim.c:4547)
==5272==
==5272== Invalid read of size 1
==5272== at 0x4C29FA4: strlen (mc_replace_strmem.c:403)
==5272== by 0x161B04: process_yesno (expand.c:3109)
==5272== by 0x15B6AA: expand_string_internal (expand.c:4845)
==5272== by 0x158C83: eval_condition (expand.c:2432)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161EEE: read_subs (expand.c:1942)
==5272== by 0x159054: eval_condition (expand.c:2912)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161905: expand_check_condition (expand.c:856)
==5272== by 0x18D1D5: route_address (route.c:998)
==5272== by 0x146DF1: deliver_message (deliver.c:5941)
==5272== by 0x179273: queue_run (queue.c:619)
==5272== by 0x1523B4: main (exim.c:4547)
==5272== Address 0xa58e541 is 5,345 bytes inside a block of size 8,208 alloc'd
==5272== at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
==5272== by 0x19F7DF: store_malloc_3 (store.c:495)
==5272== by 0x19FB4C: store_get_3 (store.c:169)
==5272== by 0x19E3A7: spool_read_header (spool_in.c:811)
==5272== by 0x145E2D: deliver_message (deliver.c:4827)
==5272== by 0x179273: queue_run (queue.c:619)
==5272== by 0x1523B4: main (exim.c:4547)
==5272==
==5272== Invalid read of size 2
==5272== at 0x4C2AC80: memcpy (mc_replace_strmem.c:882)
==5272== by 0x1A1739: string_cat (string3.h:52)
==5272== by 0x161B1C: process_yesno (expand.c:3109)
==5272== by 0x15B6AA: expand_string_internal (expand.c:4845)
==5272== by 0x158C83: eval_condition (expand.c:2432)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161EEE: read_subs (expand.c:1942)
==5272== by 0x159054: eval_condition (expand.c:2912)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161905: expand_check_condition (expand.c:856)
==5272== by 0x18D1D5: route_address (route.c:998)
==5272== by 0x146DF1: deliver_message (deliver.c:5941)
==5272== by 0x179273: queue_run (queue.c:619)
==5272== by 0x1523B4: main (exim.c:4547)
==5272== Address 0xa58e540 is 5,344 bytes inside a block of size 8,208 alloc'd
==5272== at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
==5272== by 0x19F7DF: store_malloc_3 (store.c:495)
==5272== by 0x19FB4C: store_get_3 (store.c:169)
==5272== by 0x19E3A7: spool_read_header (spool_in.c:811)
==5272== by 0x145E2D: deliver_message (deliver.c:4827)
==5272== by 0x179273: queue_run (queue.c:619)
==5272== by 0x1523B4: main (exim.c:4547)
==5272==
==5272== Invalid read of size 1
==5272== at 0x4C2ACB8: memcpy (mc_replace_strmem.c:882)
==5272== by 0x1A1739: string_cat (string3.h:52)
==5272== by 0x161B1C: process_yesno (expand.c:3109)
==5272== by 0x15B6AA: expand_string_internal (expand.c:4845)
==5272== by 0x158C83: eval_condition (expand.c:2432)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161EEE: read_subs (expand.c:1942)
==5272== by 0x159054: eval_condition (expand.c:2912)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161905: expand_check_condition (expand.c:856)
==5272== by 0x18D1D5: route_address (route.c:998)
==5272== by 0x146DF1: deliver_message (deliver.c:5941)
==5272== by 0x179273: queue_run (queue.c:619)
==5272== by 0x1523B4: main (exim.c:4547)
==5272== Address 0xa58e542 is 5,346 bytes inside a block of size 8,208 alloc'd
==5272== at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
==5272== by 0x19F7DF: store_malloc_3 (store.c:495)
==5272== by 0x19FB4C: store_get_3 (store.c:169)
==5272== by 0x19E3A7: spool_read_header (spool_in.c:811)
==5272== by 0x145E2D: deliver_message (deliver.c:4827)
==5272== by 0x179273: queue_run (queue.c:619)
==5272== by 0x1523B4: main (exim.c:4547)
==5272==
==5272== Invalid read of size 1
==5272== at 0x4C29F92: strlen (mc_replace_strmem.c:403)
==5272== by 0x15A78E: expand_string_internal (expand.c:6746)
==5272== by 0x161B48: process_yesno (expand.c:3125)
==5272== by 0x15B6AA: expand_string_internal (expand.c:4845)
==5272== by 0x158C83: eval_condition (expand.c:2432)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161EEE: read_subs (expand.c:1942)
==5272== by 0x159054: eval_condition (expand.c:2912)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161905: expand_check_condition (expand.c:856)
==5272== by 0x18D1D5: route_address (route.c:998)
==5272== by 0x146DF1: deliver_message (deliver.c:5941)
==5272== by 0x179273: queue_run (queue.c:619)
==5272== by 0x1523B4: main (exim.c:4547)
==5272== Address 0xa58e540 is 5,344 bytes inside a block of size 8,208 alloc'd
==5272== at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
==5272== by 0x19F7DF: store_malloc_3 (store.c:495)
==5272== by 0x19FB4C: store_get_3 (store.c:169)
==5272== by 0x19E3A7: spool_read_header (spool_in.c:811)
==5272== by 0x145E2D: deliver_message (deliver.c:4827)
==5272== by 0x179273: queue_run (queue.c:619)
==5272== by 0x1523B4: main (exim.c:4547)
==5272==
==5272== Invalid read of size 1
==5272== at 0x4C29FA4: strlen (mc_replace_strmem.c:403)
==5272== by 0x15A78E: expand_string_internal (expand.c:6746)
==5272== by 0x161B48: process_yesno (expand.c:3125)
==5272== by 0x15B6AA: expand_string_internal (expand.c:4845)
==5272== by 0x158C83: eval_condition (expand.c:2432)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161EEE: read_subs (expand.c:1942)
==5272== by 0x159054: eval_condition (expand.c:2912)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161905: expand_check_condition (expand.c:856)
==5272== by 0x18D1D5: route_address (route.c:998)
==5272== by 0x146DF1: deliver_message (deliver.c:5941)
==5272== by 0x179273: queue_run (queue.c:619)
==5272== by 0x1523B4: main (exim.c:4547)
==5272== Address 0xa58e541 is 5,345 bytes inside a block of size 8,208 alloc'd
==5272== at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
==5272== by 0x19F7DF: store_malloc_3 (store.c:495)
==5272== by 0x19FB4C: store_get_3 (store.c:169)
==5272== by 0x19E3A7: spool_read_header (spool_in.c:811)
==5272== by 0x145E2D: deliver_message (deliver.c:4827)
==5272== by 0x179273: queue_run (queue.c:619)
==5272== by 0x1523B4: main (exim.c:4547)
==5272==
==5272== Invalid read of size 2
==5272== at 0x4C2AC80: memcpy (mc_replace_strmem.c:882)
==5272== by 0x1A1739: string_cat (string3.h:52)
==5272== by 0x15A7C0: expand_string_internal (expand.c:6753)
==5272== by 0x161B48: process_yesno (expand.c:3125)
==5272== by 0x15B6AA: expand_string_internal (expand.c:4845)
==5272== by 0x158C83: eval_condition (expand.c:2432)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161EEE: read_subs (expand.c:1942)
==5272== by 0x159054: eval_condition (expand.c:2912)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161905: expand_check_condition (expand.c:856)
==5272== by 0x18D1D5: route_address (route.c:998)
==5272== by 0x146DF1: deliver_message (deliver.c:5941)
==5272== by 0x179273: queue_run (queue.c:619)
==5272== by 0x1523B4: main (exim.c:4547)
==5272== Address 0xa58e540 is 5,344 bytes inside a block of size 8,208 alloc'd
==5272== at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
==5272== by 0x19F7DF: store_malloc_3 (store.c:495)
==5272== by 0x19FB4C: store_get_3 (store.c:169)
==5272== by 0x19E3A7: spool_read_header (spool_in.c:811)
==5272== by 0x145E2D: deliver_message (deliver.c:4827)
==5272== by 0x179273: queue_run (queue.c:619)
==5272== by 0x1523B4: main (exim.c:4547)
==5272==
==5272== Invalid read of size 1
==5272== at 0x4C2ACB8: memcpy (mc_replace_strmem.c:882)
==5272== by 0x1A1739: string_cat (string3.h:52)
==5272== by 0x15A7C0: expand_string_internal (expand.c:6753)
==5272== by 0x161B48: process_yesno (expand.c:3125)
==5272== by 0x15B6AA: expand_string_internal (expand.c:4845)
==5272== by 0x158C83: eval_condition (expand.c:2432)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161EEE: read_subs (expand.c:1942)
==5272== by 0x159054: eval_condition (expand.c:2912)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161905: expand_check_condition (expand.c:856)
==5272== by 0x18D1D5: route_address (route.c:998)
==5272== by 0x146DF1: deliver_message (deliver.c:5941)
==5272== by 0x179273: queue_run (queue.c:619)
==5272== by 0x1523B4: main (exim.c:4547)
==5272== Address 0xa58e542 is 5,346 bytes inside a block of size 8,208 alloc'd
==5272== at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
==5272== by 0x19F7DF: store_malloc_3 (store.c:495)
==5272== by 0x19FB4C: store_get_3 (store.c:169)
==5272== by 0x19E3A7: spool_read_header (spool_in.c:811)
==5272== by 0x145E2D: deliver_message (deliver.c:4827)
==5272== by 0x179273: queue_run (queue.c:619)
==5272== by 0x1523B4: main (exim.c:4547)
==5272==
==5272== Conditional jump or move depends on uninitialised value(s)
==5272== at 0x4C29F99: strlen (mc_replace_strmem.c:403)
==5272== by 0x161B04: process_yesno (expand.c:3109)
==5272== by 0x15B6AA: expand_string_internal (expand.c:4845)
==5272== by 0x158C83: eval_condition (expand.c:2432)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161EEE: read_subs (expand.c:1942)
==5272== by 0x159054: eval_condition (expand.c:2912)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161905: expand_check_condition (expand.c:856)
==5272== by 0x18D1D5: route_address (route.c:998)
==5272== by 0x146DF1: deliver_message (deliver.c:5941)
==5272== by 0x179273: queue_run (queue.c:619)
==5272== by 0x1523B4: main (exim.c:4547)
==5272==
==5272== Conditional jump or move depends on uninitialised value(s)
==5272== at 0x4C29FA8: strlen (mc_replace_strmem.c:403)
==5272== by 0x161B04: process_yesno (expand.c:3109)
==5272== by 0x15B6AA: expand_string_internal (expand.c:4845)
==5272== by 0x158C83: eval_condition (expand.c:2432)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161EEE: read_subs (expand.c:1942)
==5272== by 0x159054: eval_condition (expand.c:2912)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161905: expand_check_condition (expand.c:856)
==5272== by 0x18D1D5: route_address (route.c:998)
==5272== by 0x146DF1: deliver_message (deliver.c:5941)
==5272== by 0x179273: queue_run (queue.c:619)
==5272== by 0x1523B4: main (exim.c:4547)
==5272==
==5272== Source and destination overlap in memcpy(0xa58edf0, 0xa58ee10, 56)
==5272== at 0x4C2ABCE: memcpy (mc_replace_strmem.c:882)
==5272== by 0x1A1739: string_cat (string3.h:52)
==5272== by 0x161B1C: process_yesno (expand.c:3109)
==5272== by 0x15B6AA: expand_string_internal (expand.c:4845)
==5272== by 0x158C83: eval_condition (expand.c:2432)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161EEE: read_subs (expand.c:1942)
==5272== by 0x159054: eval_condition (expand.c:2912)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161905: expand_check_condition (expand.c:856)
==5272== by 0x18D1D5: route_address (route.c:998)
==5272== by 0x146DF1: deliver_message (deliver.c:5941)
==5272== by 0x179273: queue_run (queue.c:619)
==5272== by 0x1523B4: main (exim.c:4547)
==5272==
==5272== Invalid write of size 1
==5272== at 0x157C11: cat_file (expand.c:3399)
==5272== by 0x15DDC7: expand_string_internal (expand.c:4815)
==5272== by 0x158C83: eval_condition (expand.c:2432)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161EEE: read_subs (expand.c:1942)
==5272== by 0x159054: eval_condition (expand.c:2912)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161905: expand_check_condition (expand.c:856)
==5272== by 0x18D1D5: route_address (route.c:998)
==5272== by 0x146DF1: deliver_message (deliver.c:5941)
==5272== by 0x179273: queue_run (queue.c:619)
==5272== by 0x1523B4: main (exim.c:4547)
==5272== Address 0xa6941a8 is 568 bytes inside a block of size 8,208 free'd
==5272== at 0x4C28430: free (vg_replace_malloc.c:446)
==5272== by 0x19FEB2: store_reset_3 (store.c:384)
==5272== by 0x15C8F0: expand_string_internal (expand.c:6789)
==5272== by 0x158C83: eval_condition (expand.c:2432)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161EEE: read_subs (expand.c:1942)
==5272== by 0x159054: eval_condition (expand.c:2912)
==5272== by 0x1591CE: eval_condition (expand.c:2791)
==5272== by 0x15C2C0: expand_string_internal (expand.c:3992)
==5272== by 0x161905: expand_check_condition (expand.c:856)
==5272== by 0x18D1D5: route_address (route.c:998)
==5272== by 0x146DF1: deliver_message (deliver.c:5941)
==5272== by 0x179273: queue_run (queue.c:619)
==5272== by 0x1523B4: main (exim.c:4547)
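The trace above pairs reads in process_yesno with a block that store_reset_3 had already reclaimed. The following is an added illustration, not Exim's allocator or expansion code: a constructed mark/reset arena (only the store_get/store_reset names are borrowed from the trace; run_command, expand_run_buggy, expand_run_fixed and result_clobbered are hypothetical) showing how a result left above the mark goes stale once the store is reset, and the fix of moving the bytes below the mark first.

```c
#include <string.h>

/* Constructed toy mark/reset arena, modelled on the store_get/store_reset
 * names in the trace; this is not Exim's allocator or expansion code. */
#define ARENA_SIZE 4096
static char arena[ARENA_SIZE];
static size_t arena_top;

static void *store_get(size_t n) { void *p = arena + arena_top; arena_top += n; return p; }
static size_t store_mark(void) { return arena_top; }
static void store_reset(size_t mark) { arena_top = mark; }

/* Stand-in for ${run}: copy the command's (possibly empty) stdout into store. */
static char *run_command(const char *stdout_text) {
    size_t n = strlen(stdout_text) + 1;
    char *s = store_get(n);
    memcpy(s, stdout_text, n);
    return s;
}

/* Buggy pattern: the result is left above the mark, so the reset reclaims it
 * and the caller (process_yesno in the trace) reads stale store. */
static char *expand_run_buggy(const char *stdout_text) {
    size_t mark = store_mark();
    char *result = run_command(stdout_text);
    store_reset(mark);              /* result now points at reclaimed store */
    return result;
}

/* Fixed pattern: re-allocate at the mark and move the bytes down before
 * anyone else can reuse that region. */
static char *expand_run_fixed(const char *stdout_text) {
    size_t mark = store_mark();
    char *tmp = run_command(stdout_text);
    size_t n = strlen(tmp) + 1;
    store_reset(mark);
    char *keep = store_get(n);      /* same address as tmp here, but now owned */
    memmove(keep, tmp, n);          /* memmove: source and destination overlap */
    return keep;
}

/* Empty stdout, as in the report: does a later allocation clobber the result? */
static int result_clobbered(char *(*expand)(const char *)) {
    char *r = expand("");
    char *later = store_get(8);
    memcpy(later, "garbage", 8);
    return r[0] != '\0';            /* 1 = the "empty" string changed underneath us */
}
```

Valgrind flags the buggy pattern as an invalid read of freed or uninitialised store exactly as in the trace; the fixed pattern is what a mark/reset allocator requires of any value that must outlive the reset.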