Mailing List Archive

[DBMail 0001089]: dbmail 3.2.3 crashes db_findmailbox
The following issue has been SUBMITTED.
======================================================================
http://dbmail.org/mantis/view.php?id=1089
======================================================================
Reported By: AndroSyn
Assigned To:
======================================================================
Project: DBMail
Issue ID: 1089
Category: IMAP daemon
Reproducibility: sometimes
Severity: crash
Priority: urgent
Status: new
Target Version: 3.2.0
target:
======================================================================
Date Submitted: 01-Sep-17 18:49 CEST
Last Modified: 01-Sep-17 18:49 CEST
======================================================================
Summary: dbmail 3.2.3 crashes db_findmailbox
Description:
If db_findmailbox is passed an empty string, the imap daemon crashes. I've
attached a patch that checks for empty strings.

==114510==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000019cef at pc 0x7fc49283d4ef bp 0x7fc485dd4a20 sp 0x7fc485dd4a18
READ of size 1 at 0x602000019cef thread T10
    #0 0x7fc49283d4ee in db_findmailbox /home/asethman/dbmail-3.2.3/src/dm_db.c:2126
    #1 0x7fc494fcec62 in imap_session_mailbox_open /home/asethman/dbmail-3.2.3/src/imapcommands.c:380
    #2 0x7fc494fcec62 in _ic_select_enter /home/asethman/dbmail-3.2.3/src/imapcommands.c:674
    #3 0x7fc493cd231a (/lib64/libglib-2.0.so.0+0x3700e6c31a)
    #4 0x7fc493cd03e3 (/lib64/libglib-2.0.so.0+0x3700e6a3e3)
    #5 0x7fc492399aa0 in start_thread (/lib64/libpthread.so.0+0x36ff607aa0)
    #6 0x7fc491ed0bcc in __clone (/lib64/libc.so.6+0x36ff2e8bcc)

0x602000019cef is located 1 bytes to the left of 1-byte region [0x602000019cf0,0x602000019cf1)
allocated by thread T10 here:
    #0 0x7fc494f7e400 in __interceptor_malloc ../../.././libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x7fc493cafd44 in g_malloc (/lib64/libglib-2.0.so.0+0x3700e49d44)

Thread T10 created by T0 here:
    #0 0x7fc494edbba0 in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:243
    #1 0x7fc4941870ad (/lib64/libgthread-2.0.so.0+0x37022020ad)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/asethman/dbmail-3.2.3/src/dm_db.c:2126 in db_findmailbox
Shadow bytes around the buggy address:
0x0c047fffb340: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fffb350: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
0x0c047fffb360: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
0x0c047fffb370: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fffb380: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
=>0x0c047fffb390: fa fa fd fd fa fa fd fa fa fa fd fd fa[fa]01 fa
0x0c047fffb3a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffb3b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffb3c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffb3d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffb3e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==114510==ABORTING

======================================================================

Issue History
Date Modified Username Field Change
======================================================================
01-Sep-17 18:49 AndroSyn New Issue
01-Sep-17 18:49 AndroSyn File Added: imapd-nullstring-fix.diff

======================================================================

_______________________________________________
Dbmail-dev mailing list
Dbmail-dev@dbmail.org
http://lists.nfg.nl/mailman/listinfo/dbmail-dev
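The sanitizer output above is specific: a 1-byte READ landing exactly 1 byte to the left of a 1-byte heap region that g_malloc returned, reached from the IMAP SELECT handler. That is the footprint of indexing an empty string at strlen(name) - 1, where the length 0 wraps to SIZE_MAX and the access lands just before the allocation. The following is an added example and not DBMail's code: the source at dm_db.c:2126 is not shown on this page, the function names and the IMAP reply strings below are hypothetical stand-ins, and the sample input is constructed. It reproduces that pattern in C next to the empty-string guard the report says the attached patch adds, and shows where such a guard belongs in a daemon.

```c
/* Added example (not DBMail source): the pattern that produces a
 * "1 byte to the left of a 1-byte region" AddressSanitizer report, next
 * to the empty-string guard that prevents it. The function names here are
 * hypothetical stand-ins; dm_db.c:2126 itself is not shown on the page. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A 1-byte heap allocation holding "" is exactly the region in the report:
 * [p, p+1) with the terminating NUL at p. g_strdup("") yields the same. */
static char *dup_empty(void) {
    char *s = malloc(1);
    if (s != NULL)
        s[0] = '\0';
    return s;
}

/* "Index of the last character", unchecked. For "" strlen() is 0, and
 * 0 - 1 wraps to SIZE_MAX; used as name[SIZE_MAX] it addresses the byte
 * just before the allocation, which ASan flags as heap-buffer-overflow. */
size_t last_index_unchecked(const char *name) {
    return strlen(name) - 1;
}

/* VULNERABLE: looks at the last character without checking for "".
 * Under -fsanitize=address, calling this on dup_empty() reproduces a
 * READ of size 1 one byte left of a 1-byte region. */
bool has_trailing_delim_unsafe(const char *name, char delim) {
    return name[strlen(name) - 1] == delim;   /* name[-1] when name == "" */
}

/* HARDENED: reject NULL and "" before any length arithmetic. This is the
 * shape of fix the report describes (an explicit empty-string check). */
bool has_trailing_delim_safe(const char *name, char delim) {
    if (name == NULL || name[0] == '\0')
        return false;
    return name[strlen(name) - 1] == delim;
}

/* Where the guard belongs in a daemon: validate the client-supplied name
 * once at the entry point (the IMAP SELECT handler in the trace) and answer
 * with a protocol error instead of reaching the lookup with "". The reply
 * strings are constructed for this example, not DBMail's actual replies. */
const char *select_mailbox_reply(const char *name) {
    if (name == NULL || name[0] == '\0')
        return "NO SELECT invalid mailbox name";
    if (has_trailing_delim_safe(name, '/'))
        return "NO SELECT mailbox name must not end in a delimiter";
    return "OK SELECT completed";
}

int main(void) {
    char *empty = dup_empty();   /* constructed input: the "" the report hit */
    if (empty == NULL)
        return 1;
    printf("last_index_unchecked(\"\") = %zu\n", last_index_unchecked(empty));
    printf("safe check on \"\": %d\n", has_trailing_delim_safe(empty, '/'));
    printf("%s\n", select_mailbox_reply(empty));
    /* Uncomment and build with -fsanitize=address to reproduce the report: */
    /* has_trailing_delim_unsafe(empty, '/'); */
    free(empty);
    return 0;
}
```

Build with `gcc -g -fsanitize=address example.c` and uncomment the unsafe call to get a report with the same shape as the one above (READ of size 1, 1 byte to the left of a 1-byte region allocated via malloc). The practitioner's check on a fix like the attached one is to confirm the guard sits at the IMAP entry point as well as in the lookup: the trace shows the path runs through _ic_select_enter, so any authenticated client that sends SELECT with an empty mailbox name reaches it, and a build without ASan will silently read whatever byte precedes the allocation rather than fail loudly.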