[exim-dev] [Bug 2029] New: DKIM verification segfaults on so…

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2029] New: DKIM verification segfaults on some mails
https://bugs.exim.org/show_bug.cgi?id=2029

            Bug ID: 2029
           Summary: DKIM verification segfaults on some mails
           Product: Exim
           Version: 4.88
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: DKIM
          Assignee: tom@???
          Reporter: lists@???
                CC: exim-dev@???


After upgrade to 4.88 (currently exim4-daemon-heavy 4.88-4~bpo8+1) my (rather
busy) exim segfaults regularly:
2017-01-27T16:09:49.417301+01:00 XXX kernel: [100741.693490] exim4[29489]: segfault at 0 ip 00007fdd68549062 sp 00007fffa7930048 error 4 in libc-2.19.so[7fdd684c4000+1a1000]
2017-01-27T16:10:51.565272+01:00 XXX kernel: [100803.840310] exim4[29636]: segfault at 0 ip 00007fdd68549062 sp 00007fffa7930048 error 4 in libc-2.19.so[7fdd684c4000+1a1000]
2017-01-27T16:10:59.497227+01:00 XXX kernel: [100811.775673] exim4[29652]: segfault at 0 ip 00007fdd68549062 sp 00007fffa7930048 error 4 in libc-2.19.so[7fdd684c4000+1a1000]

After writing a core dump I get the following trace:
(gdb) bt full
#0  __memcmp_sse2 () at ../sysdeps/x86_64/multiarch/../memcmp.S:57
No locals.
#1  0x00007f8762403ba6 in pdkim_finish_bodyhash (ctx=0x7f87632bf318,
ctx=0x7f87632bf318) at pdkim.c:814
        bh = {data = 0x7f87632ca240
"\315\035\322/\311\315J\177\026\340{\235\277\205\301i\217]`\245", 
          len = 20}
        sig = 0x7f87632c9740
#2  pdkim_feed_finish (ctx=0x7f87632bf318, 
    return_signatures=return_signatures@entry=0x7f8762654988 <dkim_signatures>)
at pdkim.c:1392
        sig = 0x7f87632c9740
#3  0x00007f876238473e in dkim_exim_verify_finish () at dkim.c:147
        sig = 0x0
        dkim_signers_size = 0
        dkim_signers_ptr = 0
        rc = <optimized out>
#4  0x00007f87623a6143 in receive_msg (extract_recip=1663869504) at
receive.c:3272
        start = 32767
        end = -1615224000
        domain = 32767
        size = 32647
        sptr = 1663774896
        smtp_yield = 1
        yield = 1650802968
        blackholed_by = 0x0
        blackhole_log_msg = 0x7f8762434988 ""
        cutthrough_done = 1650801860
        lock_data = {l_type = 1, l_whence = 0, l_start = 0, l_len = 19, l_pid =
3}
        bad_addresses = 0x0
        errmsg = 0xf00000001 <error: Cannot access memory at address
0xf00000001>
        statbuf = {st_dev = 64768, st_ino = 54133, st_nlink = 1, st_mode =
33184, st_uid = 105, 
          st_gid = 110, __pad0 = 0, st_rdev = 0, st_size = 18262, st_blksize =
4096, st_blocks = 40, 
          st_atim = {tv_sec = 1485528559, tv_nsec = 364323956}, st_mtim =
{tv_sec = 1485528559, 
            tv_nsec = 920346191}, st_ctim = {tv_sec = 1485528559, tv_nsec =
920346191}, __glibc_reserved = {
            0, 0, 0}}
        smtp_reply = 0x0
        user_msg = 0x0
        log_msg = 0x7f87632b2fad ""
        next = 0x7f8762434988
        timestamp = 0x7f8762653cc4 <smtp_input> "\001"


As far as I can see the error is in
    if (memcmp(bh.data, sig->bodyhash.data, bh.len) == 0)


with
(gdb) p bh.data
$16 = (uschar *) 0x7f87632ca240
"\315\035\322/\311\315J\177\026\340{\235\277\205\301i\217]`\245"
(gdb) p sig->bodyhash.data
$17 = (uschar *) 0x0
(gdb) p bh.len
$18 = 20

As a quick fix I disabled DKIM via dkim_disable_verify and have seen no segfaults
since.

This problem seems to be related to some malformed spam – in most cases DKIM
used to work fine.

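The gdb session above shows the root cause: the computed body hash (bh, 20 bytes) is compared with memcmp against sig->bodyhash.data, which is a NULL pointer for the offending message, so libc faults at address 0. The following is an added example, not Exim's code: a hardened body-hash comparison that treats a missing bh= value as an invalid signature instead of dereferencing it, checks lengths before bytes, and compares in constant time. The bh_blob struct, the bh_result enum and all function names are assumptions standing in for pdkim's internals; the 20-byte sample value is the bh.data bytes printed in the trace, used here only as test input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for pdkim's hash blob: a pointer plus a length. */
typedef struct {
    unsigned char *data;
    size_t len;
} bh_blob;

typedef enum {
    BH_MATCH = 0,    /* computed hash equals the signature's bh= value */
    BH_MISMATCH = 1, /* lengths or bytes differ: signature fails */
    BH_MISSING = 2   /* no usable bh= value: invalid signature, not a crash */
} bh_result;

/* The crashing shape from the report was, in effect:
 *     if (memcmp(bh.data, sig->bodyhash.data, bh.len) == 0)
 * with sig->bodyhash.data == NULL. memcmp reads both buffers
 * unconditionally, so a signature without a usable bh= value faults
 * inside libc (the __memcmp_sse2 frame in the backtrace). */
bh_result bodyhash_compare(const bh_blob *computed, const bh_blob *from_sig)
{
    if (computed->data == NULL || from_sig->data == NULL)
        return BH_MISSING;
    if (computed->len != from_sig->len)
        return BH_MISMATCH;
    /* Constant-time comparison: OR together every byte difference so the
     * work done does not depend on where the first mismatch is. */
    unsigned char diff = 0;
    for (size_t i = 0; i < computed->len; i++)
        diff |= (unsigned char)(computed->data[i] ^ from_sig->data[i]);
    return diff == 0 ? BH_MATCH : BH_MISMATCH;
}

/* The 20 bytes of bh.data as printed by gdb in the report
 * ("\315\035\322/\311\315J\177\026\340{\235\277\205\301i\217]`\245"),
 * i.e. a SHA-1 sized body hash. */
static unsigned char sample_hash[20] = {
    0xcd, 0x1d, 0xd2, 0x2f, 0xc9, 0xcd, 0x4a, 0x7f, 0x16, 0xe0,
    0x7b, 0x9d, 0xbf, 0x85, 0xc1, 0x69, 0x8f, 0x5d, 0x60, 0xa5 };

/* Scenarios a verifier must survive; each returns the comparison result. */

/* Signature carries the same 20 bytes the body hashed to. */
bh_result scenario_match(void)
{
    unsigned char copy[20];
    memcpy(copy, sample_hash, sizeof copy);
    bh_blob computed = { sample_hash, 20 }, signed_bh = { copy, 20 };
    return bodyhash_compare(&computed, &signed_bh);
}

/* The state captured in the gdb session: sig->bodyhash.data == 0x0. */
bh_result scenario_missing_bh(void)
{
    bh_blob computed = { sample_hash, 20 }, signed_bh = { NULL, 0 };
    return bodyhash_compare(&computed, &signed_bh);
}

/* Body modified in transit: last byte of the hash differs. */
bh_result scenario_tampered(void)
{
    unsigned char tampered[20];
    memcpy(tampered, sample_hash, sizeof tampered);
    tampered[19] ^= 0x01;
    bh_blob computed = { sample_hash, 20 }, signed_bh = { tampered, 20 };
    return bodyhash_compare(&computed, &signed_bh);
}

/* Constructed case: a 32-byte bh= value against a 20-byte computation,
 * which must fail without reading past the shorter buffer. */
bh_result scenario_wrong_length(void)
{
    unsigned char longer[32];
    memset(longer, 0, sizeof longer);
    memcpy(longer, sample_hash, 20);
    bh_blob computed = { sample_hash, 20 }, signed_bh = { longer, 32 };
    return bodyhash_compare(&computed, &signed_bh);
}

int main(void)
{
    static const char *names[] = { "match", "mismatch", "missing" };
    printf("identical bh=    -> %s\n", names[scenario_match()]);
    printf("NULL bh=         -> %s\n", names[scenario_missing_bh()]);
    printf("tampered body    -> %s\n", names[scenario_tampered()]);
    printf("length mismatch  -> %s\n", names[scenario_wrong_length()]);
    return 0;
}
```

The NULL case is the one that matters for this bug: a verifier that maps BH_MISSING to its usual "invalid signature" result keeps processing the message (and can log the malformed DKIM-Signature header for later inspection), whereas the unchecked memcmp takes the whole receiving process down and, on a busy server, turns one malformed spam message into a repeating crash loop.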