[exim-dev] [Bug 2239] New: segfault when processing control …

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2239] New: segfault when processing control = utf8_downconvert
https://bugs.exim.org/show_bug.cgi?id=2239

            Bug ID: 2239
           Summary: segfault when processing control = utf8_downconvert
           Product: Exim
           Version: 4.90
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: ACLs
          Assignee: jgh146exb@???
          Reporter: gedalya@???
                CC: exim-dev@???


This seems to happen no matter where I put this modifier.

I'm not that familiar with gdb so if more is needed in that realm please treat
me like a dummy.

This is a custom-built exim; I reproduced the issue on Debian stretch and buster
(testing).

# exim -bV
Exim version 4.90_1 #2 built 10-Feb-2018 12:45:40
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2017
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS Content_Scanning DKIM DNSSEC Event
I18N OCSP PRDR SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch mysql
Authenticators: dovecot plaintext
Routers: accept dnslookup manualroute redirect
Transports: appendfile autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /etc/exim4/exim4.conf



Starting program: /usr/sbin/exim -bh 127.0.0.1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

**** SMTP testing session as if from host 127.0.0.1
**** but without any ident (RFC 1413) callback.
**** This is not for real!

>>> host in hosts_connection_nolog? no (option unset)
>>> host in host_lookup? yes (matched "*")
>>> looking up host name for 127.0.0.1
>>> IP address lookup yielded "localhost"
>>> local host found for non-MX address
>>> checking addresses for localhost
>>> ::1
>>> 127.0.0.1 OK
>>> host in host_reject_connection? no (option unset)
>>> host in sender_unqualified_hosts? no (option unset)
>>> host in recipient_unqualified_hosts? no (option unset)
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)

220 mx2.gedalya.net ESMTP Sun, 11 Feb 2018 10:28:09 -0500
EHLO me
>>> host in dsn_advertise_hosts? no (option unset)
>>> host in pipelining_advertise_hosts? yes (matched "*")
>>> host in auth_advertise_hosts? yes (matched "*")
>>> host in chunking_advertise_hosts? yes (matched "*")
>>> host in tls_advertise_hosts? yes (matched "*")
>>> host in smtputf8_advertise_hosts? yes (matched "*")

250-mx2.gedalya.net Hello localhost [127.0.0.1]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-STARTTLS
250-SMTPUTF8
250 HELP
MAIL FROM: <test@???> SMTPUTF8
>>> using ACL "acl_check_mail"
>>> processing "deny"
>>>   message: no HELO given before MAIL command
>>> check condition = ${if def:sender_helo_name {no}{yes}}
>>>                 = no
>>> deny: condition test failed in ACL "acl_check_mail"
>>> processing "accept"
>>> check control = utf8_downconvert


Program received signal SIGSEGV, Segmentation fault.
acl_check_condition (level=<optimized out>, basic_errno=0x7ffcb78439ec,
log_msgptr=0x7ffcb7843d90, user_msgptr=0x7ffcb7843d98, epp=<synthetic pointer>,
addr=0x0, where=1, cb=0x563f892ebaf8, verb=0) at acl.c:3338
3338    acl.c: No such file or directory.
(gdb) bt full
#0  acl_check_condition (level=<optimized out>, basic_errno=0x7ffcb78439ec,
log_msgptr=0x7ffcb7843d90, user_msgptr=0x7ffcb7843d98, epp=<synthetic pointer>,
addr=0x0, where=1, cb=0x563f892ebaf8, verb=0) at acl.c:3338
        p = <optimized out>
        arg = 0x563f892ebb18 "utf8_downconvert"
        user_message = <optimized out>
        log_message = 0x0
        rc = 0
        sep = -47
#1  acl_check_internal (where=where@entry=1, addr=addr@entry=0x0, s=<optimized
out>, user_msgptr=user_msgptr@entry=0x7ffcb7843d98, log_msgptr=0x7ffcb7843d90)
at acl.c:4079
        basic_errno = 0
        endpass_seen = 0
        fd = <optimized out>
        acl = 0x563f892ebae0
        acl_name = <optimized out>
        ss = <optimized out>
#2  0x0000563f87d04429 in acl_check (where=where@entry=1,
recipient=recipient@entry=0x0, s=<optimized out>,
user_msgptr=user_msgptr@entry=0x7ffcb7843d98,
log_msgptr=log_msgptr@entry=0x7ffcb7843d90) at acl.c:4391
        rc = <optimized out>
        adb = {next = 0x0, parent = 0x0, first = 0x0, dupof = 0x0, start_router
= 0x0, router = 0x0, transport = 0x0, host_list = 0x0, host_used = 0x400000000,
fallback_hosts = 0x563f87d6909b <string_vformat+1019>, reply = 0x563f87dc0000,
retries = 0x0, address = 0x563f892e7370 "250-SIZE 52428800\r\n", unique =
0x563f87d693ed <string_vformat+1869>
"D\213L$,\211\301D\213D$(\351I\374\377\377H\213|$\030\213\027\203\372/\017\207\350\001",
cc_local_part = 0xffffffffffffffff <error: Cannot access memory at address
0xffffffffffffffff>, lc_local_part = 0x0, local_part = 0x563f87db8d00
"handling%s incoming connection from %s", prefix = 0x7ffcb7843c60 "`R/\211?V",
suffix = 0x563fffffffff <error: Cannot access memory at address
0x563fffffffff>, domain = 0xffffffffffffffff <error: Cannot access memory at
address 0xffffffffffffffff>, address_retry_key = 0x563f87da6e32 "-",
domain_retry_key = 0x7f8f1dd465a0 <_IO_str_chk_jumps> "", current_dir = 0x0,
home_dir = 0x275d94323b8aaf00 <error: Cannot access memory at address
0x275d94323b8aaf00>, message = 0x0, user_message = 0x0, onetime_parent =
0x563f87ff4120 <process_info> "30049 handling incoming connection from
localhost (me) [127.0.0.1]\n", pipe_expandn = 0x563f87d39e11 <skip_comment+33>,
return_filename = 0x563f892f5288 "ail\"", self_hostname = 0x563f892f5260
"test@???", shadow_message = 0x563f87daf690 " ()<>@,;:\\\".[]\177",
cipher = 0x563f87d39f5c <read_local_part+172> "L9\363H\211\307\017\204\270",
ourcert = 0x563f892f5260, peercert = 0x563f87d39e11 <skip_comment+33>, peerdn =
0x18 <error: Cannot access memory at address 0x18>, ocsp = -1993363870,
authenticator = 0x563f892f5270 "", auth_id = 0x563f87d3a15b <read_domain+235>
"L9\355H\211\303\306E", auth_sndr = 0x7ffcb7843d00 "\250=\204\267\374\177",
dsn_orcpt = 0x7ffcb7843db0 "", dsn_flags = -1993363886, dsn_aware = 22079, uid
= 3078897072, gid = 32764, flags = {af_allow_file = 0, af_allow_pipe = 0,
af_allow_reply = 0, af_dr_retry_exists = 0, af_expand_pipe = 0, af_file = 1,
af_gid_set = 1, af_home_expanded = 0, af_initgroups = 0, af_local_host_removed
= 1, af_lt_retry_exists = 0, af_pfr = 0, af_retry_skipped = 1,
af_retry_timedout = 0, af_uid_set = 1, af_hide_child = 0, af_sverify_told = 1,
af_verify_pmfail = 1, af_verify_nsfail = 1, af_homonym = 1, af_verify_routed =
0, af_verify_callout = 1, af_include_affixes = 0, af_cert_verified = 0,
af_pass_message = 1, af_bad_reply = 0, af_tcp_fastopen_conn = 0,
af_tcp_fastopen = 1, af_prdr_used = 0, af_chunking_used = 0, af_force_command =
0, af_utf8_downcvt = 1}, domain_cache = {22079}, localpart_cache =
{2301603410}, mode = 22079, more_errno = -1993363887, delivery_usec = 22079,
basic_errno = 15792, child_count = 46980, return_file = 32764, special_action =
0, transport_return = 21088, prop = {address_data = 0x275d94323b8aaf00 <error:
Cannot access memory at address 0x275d94323b8aaf00>, domain_data = 0x0,
localpart_data = 0x14ef110 <error: Cannot access memory at address 0x14ef110>,
errors_address = 0x0, extra_headers = 0x7ffcb7843db0, remove_headers =
0x7ffcb7843da8 "d\256/\211?V", ignore_error = 0, utf8_msg = 0, utf8_downcvt =
0, utf8_downcvt_maybe = 0}}
        addr = 0x0
#3  0x0000563f87d5f0b9 in smtp_setup_msg () at smtp_in.c:4754
        mail_args = <optimized out>
        errmess = 0x0
        oldsignal = <optimized out>
        pid = <optimized out>
        end = 17
        recipient_domain = -1993363868
        flags = <optimized out>
        g = <optimized out>
        user_msg = 0x0
        hello = 0x0
        was_rej_mail = 1
        argv = 0x0
        etrn_serialize_key = <optimized out>
        recipient = 0x0
        s = 0x563f00000005 <error: Cannot access memory at address
0x563f00000005>
        c = <optimized out>
        etrn_command = <optimized out>
        smtp_code = 0x0
        sender_domain = 5
        orcpt = 0x0
        ss = <optimized out>
        au = <optimized out>
        log_msg = 0x0
        was_rcpt = 0
        start = 1
        rc = <optimized out>
        done = 0
        toomany = 0
        discarded = <optimized out>
        last_was_rej_mail = <optimized out>
        last_was_rcpt = <optimized out>
        reset_point = <optimized out>
        __PRETTY_FUNCTION__ = "smtp_setup_msg"
#4  0x0000563f87cfdeb7 in main (argc=3, cargv=0x7ffcb7884408) at exim.c:5164
        x = {2130706433, 0, 0, 0}
        size = <optimized out>
        argv = 0x7ffcb7884408
        arg_receive_timeout = -1
        arg_smtp_receive_timeout = -1
        arg_error_handling = 0
        filter_sfd = <optimized out>
        filter_ufd = -1
        i = <optimized out>
        rv = <optimized out>
        list_queue_option = <optimized out>
        msg_action = 0
        msg_action_arg = <optimized out>
        namelen = <optimized out>
        queue_only_reason = 0
        recipients_arg = 3
        sender_address_domain = 0
        test_retry_arg = <optimized out>
        test_rewrite_arg = <optimized out>
        arg_queue_only = <optimized out>
        bi_option = <optimized out>
        checking = <optimized out>
        count_queue = <optimized out>
        expansion_test = <optimized out>
        extract_recipients = <optimized out>
        flag_G = <optimized out>
        flag_n = <optimized out>
        forced_delivery = 0
        f_end_dot = <optimized out>
        deliver_give_up = 0
        list_queue = 0
        list_options = <optimized out>
        list_config = <optimized out>
        local_queue_only = <optimized out>
        more = 1
        one_msg_action = 0
        opt_D_used = <optimized out>
        queue_only_set = <optimized out>
        receiving_message = <optimized out>
        sender_ident_set = <optimized out>
        session_local_queue_only = <optimized out>
        unprivileged = 0
        removed_privilege = <optimized out>
        usage_wanted = <optimized out>
        verify_address_mode = <optimized out>
        verify_as_sender = <optimized out>
        version_printed = <optimized out>
        alias_arg = <optimized out>
        called_as = 0x563f87dce972 ""
        cmdline_syslog_name = <optimized out>
        start_queue_run_id = <optimized out>
        stop_queue_run_id = <optimized out>
        expansion_test_message = <optimized out>
        ftest_domain = <optimized out>
        ftest_localpart = <optimized out>
        ftest_prefix = <optimized out>
        ftest_suffix = <optimized out>
        log_oneline = <optimized out>
        malware_test_file = <optimized out>
        real_sender_address = <optimized out>
        originator_home = 0x563f892f4e48 "/root"
        sz = <optimized out>
        reset_point = 0x563f892f5260
        pw = 0x7f8f1dd4bf00 <resbuf.9774>
        statbuf = {st_dev = 20, st_ino = 3, st_nlink = 1, st_mode = 8576,
st_uid = 0, st_gid = 5, __pad0 = 0, st_rdev = 34816, st_size = 0, st_blksize =
1024, st_blocks = 0, st_atim = {tv_sec = 1518362888, tv_nsec = 328588062},
st_mtim = {tv_sec = 1518362888, tv_nsec = 328588062}, st_ctim = {tv_sec =
1518361976, tv_nsec = 364588067}, __glibc_reserved = {0, 0, 0}}
        passed_qr_pid = <optimized out>
        passed_qr_pipe = <optimized out>
        group_list = <error reading variable group_list (value requires 262144
bytes, which is more than max-value-size)>
        info_flag = <optimized out>
        info_stdout = <optimized out>
        rsopts = {0x563f87da9df9 "f", 0x563f87dc9c06 "ff", 0x563f87da487d "r",
0x563f87da4d56 "rf", 0x563f87da4d59 "rff"}

