Mailing List Archive

[Bug 2648] Use of $authres in a router headers_add causes segmentation violation for local messages
https://bugs.exim.org/show_bug.cgi?id=2648

--- Comment #6 from Jeremy Harris <jgh146exb@wizmail.org> ---
This is the sort of thing that static analysis ought to find; we probably have
an uninitialized variable. Unfortunately my ability to build for Coverity has
died. The only other decent way requires getting a coredump. Any hope of
that?

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

--- Comment #7 from Jim Fenton <fenton@bluepopcorn.net> ---
I should be able to do that, but I don't have any experience collecting
coredumps. Is there any particular procedure you would like me to follow, or
just go by the instructions I find on the Web?

--- Comment #8 from Jeremy Harris <jgh146exb@wizmail.org> ---
I usually have to check the manpages, starting with core(5). You'll need to
tweak setuid_dumpable and core_pattern (I'm assuming Linux, here).
Once you get a core, feed it to gdb and get a backtrace ("bt" command). You
should be able to get away without any library debuginfos; you might need to
install the exim debuginfo package matching your binary.

--- Comment #9 from Jim Fenton <fenton@bluepopcorn.net> ---
After much learning about how to enable coredumps and get symbols, I have it.
Here's the backtrace; if you need the core file itself I can send it to you.

root@altmode:~# coredumpctl dump 2627 -o exim4.core.2627
PID: 2627 (exim4)
UID: 0 (root)
GID: 109 (Debian-exim)
Signal: 11 (SEGV)
Timestamp: Sat 2020-10-31 15:47:08 PDT (7min ago)
Command Line: /usr/sbin/exim4 -qG
Executable: /usr/sbin/exim4
Control Group: /system.slice/exim4.service
Unit: exim4.service
Slice: system.slice
Boot ID: d15983a39f194ce390859bdfe9d4e344
Machine ID: 458e5ad9c19ace0873fd2d7df75e74c4
Hostname: altmode.net
Storage:
/var/lib/systemd/coredump/core.exim4.0.d15983a39f194ce390859bdfe9d4e344.2627.1604184428000000.lz4
Message: Process 2627 (exim4) of user 0 dumped core.

Stack trace of thread 2627:
#0 0x00007f27ebc6e206 __GI___strlen_sse2 (libc.so.6)
#1 0x000055e9908d6313 string_cat (exim4)
#2 0x000055e9908cfc1c authres_smtpauth (exim4)
#3 0x000055e99088b2f2 expand_string_internal (exim4)
#4 0x000055e990887b12 expand_cstring (exim4)
#5 0x000055e9908f7388 rf_get_munge_headers (exim4)
#6 0x000055e9908f2edd accept_router_entry (exim4)
#7 0x000055e9908bf5a3 route_address (exim4)
#8 0x000055e99087c8a6 deliver_message (exim4)
#9 0x000055e9908a9900 queue_run (exim4)
#10 0x000055e9908663f8 main (exim4)
#11 0x00007f27ebbfa09b __libc_start_main (libc.so.6)
#12 0x000055e99086818a _start (exim4)

--- Comment #10 from Jeremy Harris <jgh146exb@wizmail.org> ---
Are either of the globals sender_host_auth_pubname or authenticated_id
null? They are both string-pointers.

--- Comment #11 from Jim Fenton <fenton@bluepopcorn.net> ---
Finally figured out how to actually get the symbols in gdb (the previous backtrace
was from coredumpctl):

(gdb) print authenticated_id
$1 = (uschar *) 0x55e990c94aa0 "fenton"
(gdb) print sender_host_auth_pubname
$2 = (uschar *) 0x0

And a more complete backtrace from gdb:

Program terminated with signal SIGSEGV, Segmentation fault.
#0 __strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:120
120 ../sysdeps/x86_64/multiarch/../strlen.S: No such file or directory.
(gdb) bt
#0 __strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:120
#1 0x000055e9908d6313 in string_cat (s=<optimized out>, string=0x55e990cf42f8)
at string.c:1253
#2 string_append (string=0x55e990cf42f8, count=0, count@entry=2) at
string.c:1253
#3 0x000055e9908cfc1c in authres_smtpauth (g=<optimized out>) at
smtp_in.c:5955
#4 0x000055e99088b2f2 in expand_string_internal
(string=string@entry=0x55e990cf42d0 "${authresults {$primary_hostname}}",
ket_ends=ket_ends@entry=0, left=left@entry=0x0, skipping=skipping@entry=0,
honour_dollar=honour_dollar@entry=1,
resetok_p=resetok_p@entry=0x0) at expand.c:4346
#5 0x000055e990887b12 in expand_cstring (string=0x55e990cf42d0 "${authresults
{$primary_hostname}}") at expand.c:7986
#6 expand_cstring (string=0x55e990cf42d0 "${authresults {$primary_hostname}}")
at expand.c:7976
#7 0x000055e9908f7388 in rf_get_munge_headers (addr=addr@entry=0x55e990cabcc0,
rblock=rblock@entry=0x55e990c6ce80,
extra_headers=extra_headers@entry=0x7fff6d15e800,
remove_headers=remove_headers@entry=0x7fff6d15e7f8) at
rf_get_munge_headers.c:45
#8 0x000055e9908f2edd in accept_router_entry (rblock=0x55e990c6ce80,
addr=0x55e990cabcc0, pw=0x7fff6d15e8c0, verify=0,
addr_local=0x55e99097f968 <addr_local>, addr_remote=0x55e99097f958
<addr_remote>, addr_new=0x55e99097f960 <addr_new>,
addr_succeed=0x55e99097f948 <addr_succeed>) at accept.c:122
#9 0x000055e9908bf5a3 in route_address (addr=addr@entry=0x55e990cabcc0,
paddr_local=paddr_local@entry=0x55e99097f968 <addr_local>,
paddr_remote=paddr_remote@entry=0x55e99097f958 <addr_remote>,
addr_new=addr_new@entry=0x55e99097f960 <addr_new>,
addr_succeed=addr_succeed@entry=0x55e99097f948 <addr_succeed>,
verify=verify@entry=0) at route.c:1687
#10 0x000055e99087c8a6 in deliver_message (id=id@entry=0x55e990c72909
"1kYfHS-0005mk-1w", forced=forced@entry=0,
give_up=give_up@entry=0) at deliver.c:6824
#11 0x000055e9908a9900 in queue_run (start_id=0x0, stop_id=<optimized out>,
recurse=0) at queue.c:652
#12 0x000055e9908663f8 in main (argc=2, cargv=0x7fff6d19f3c8) at exim.c:4536

--- Comment #12 from Jeremy Harris <jgh146exb@wizmail.org> ---
Bingo. The expansion routine was assuming that sender_host_authenticated
can be used as a flag for "auth was done" and that sender_host_auth_pubname
will always have been set. Which is fine in ACL because they are indeed set
in the same place. But the spoolfile doesn't carry sender_host_auth_pubname
currently (which is our bug), so doing the expansion in a router that has
read a spoolfile hits a null (and blindly indirects through it).

My test probably used a foreground-deliver, so the spooling never got in the
way.

I don't think there's a workaround, apart from only using this expansion in
acl.
I should be able to work up a patch fairly fast, if you can build from source.

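The null-pointer path Jeremy describes above, as an added C example that is not Exim's code: a constructed model of the two globals, a spool round-trip that drops the pubname the way the old spool file did, and a builder that checks the pointer instead of assuming "id set" implies "pubname set". The struct, `spool_roundtrip_old`, `spool_roundtrip_fixed`, `authres_build` and the header text format are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of the two Exim globals named in the thread. */
typedef struct {
    const char *authenticated_id;         /* set once SMTP AUTH succeeded */
    const char *sender_host_auth_pubname; /* public name of the authenticator */
} auth_state;
/* Assumed model of the pre-fix spool round-trip: the id is written and
 * read back, the pubname is not, so a queue runner re-reading the message
 * sees a NULL pubname beside a non-NULL id (what the gdb session printed). */
static auth_state spool_roundtrip_old(const auth_state *in) {
    auth_state out = { in->authenticated_id, NULL };
    return out;
}
/* Round-trip once the pubname is carried through the spool as well. */
static auth_state spool_roundtrip_fixed(const auth_state *in) {
    return *in;
}
/* Checked builder. The crashing path treated "id set" as proof that the
 * pubname was set and went straight to strlen(pubname); here a NULL pubname
 * is an inconsistent state that is refused (-1) rather than dereferenced.
 * The output format is a simplified stand-in, not Exim's exact header text. */
static int authres_build(const auth_state *st, char *buf, size_t n) {
    if (!st->authenticated_id || !st->sender_host_auth_pubname)
        return -1;
    int w = snprintf(buf, n, "auth=pass (%s) smtp.auth=%s",
                     st->sender_host_auth_pubname, st->authenticated_id);
    return (w < 0 || (size_t)w >= n) ? -1 : w;
}

/* 1 if the old spool model reproduces the NULL pubname from the bug. */
int old_spool_drops_pubname(void) {
    auth_state live = { "fenton", "PLAIN" };  /* constructed session */
    auth_state q = spool_roundtrip_old(&live);
    return q.authenticated_id != NULL && q.sender_host_auth_pubname == NULL;
}

/* 1 if the checked builder refuses the old-spool state, succeeds on the
 * fixed one and yields the expected text. */
int checked_builder_behaves(void) {
    auth_state live = { "fenton", "PLAIN" };
    auth_state q_old = spool_roundtrip_old(&live);
    auth_state q_new = spool_roundtrip_fixed(&live);
    char buf[96];
    if (authres_build(&q_old, buf, sizeof buf) != -1) return 0;
    if (authres_build(&q_new, buf, sizeof buf) <= 0) return 0;
    return strcmp(buf, "auth=pass (PLAIN) smtp.auth=fenton") == 0;
}

int main(void) { return old_spool_drops_pubname() && checked_builder_behaves() ? 0 : 1; }
```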
--- Comment #13 from Jim Fenton <fenton@bluepopcorn.net> ---
Thanks. No urgency for a patch on my part, but if you would like me to try
something I can try it (I'm just running a packaged Debian version now).

Git Commit <git@exim.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |git@exim.org

--- Comment #14 from Git Commit <git@exim.org> ---
Git commit:
https://git.exim.org/exim.git/commitdiff/a75ebe0dcc5faeb915cacb0d9db66d2475789116

commit a75ebe0dcc5faeb915cacb0d9db66d2475789116
Author: Jeremy Harris <jgh146exb@wizmail.org>
AuthorDate: Sat Oct 31 23:58:11 2020 +0000
Commit: Jeremy Harris <jgh146exb@wizmail.org>
CommitDate: Mon Nov 2 14:23:32 2020 +0000

pass authenticator pubname through spool. bug 2648
----
doc/doc-txt/ChangeLog | 4 ++++
src/exim_monitor/em_globals.c | 1 +
src/src/smtp_in.c | 12 +++++++-----
src/src/spool_in.c | 4 +++-
src/src/spool_out.c | 6 ++++--
test/confs/3403 | 1 +
test/mail/3403.userx | 2 ++
test/stdout/3415 | 5 +++++
8 files changed, 27 insertions(+), 8 deletions(-)
