Mailing List Archive

bad memory reference; pool not found, at gstring_grow 1124
I'm getting this error panic
"bad memory reference; pool not found, at gstring_grow 1124"

at an acl logwrite in an ${acl expansion in a router

the logwrite is over-size and thus truncated in the debug message

then it crashes.

it seems to happen fairly rarely, maybe 1 in 10000 emails on this path.

--
Jasen.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: bad memory reference; pool not found, at gstring_grow 1124
On 05/12/2022 23:31, Jasen Betts via Exim-users wrote:
> I'm getting this error panic
> "bad memory reference; pool not found, at gstring_grow 1124"
>
> at an acl logwrite in an ${acl expansion in a router
>
> the logwrite is over-size and thus truncated in the debug message
>
> then it crashes.
>
> it seems to happen fairly rarely, maybe 1 in 10000 emails on this path.
>

version, ops in progress... core dump?
--
Cheers,
Jeremy


Re: bad memory reference; pool not found, at gstring_grow 1124
On 2022-12-05, Jeremy Harris via Exim-users <exim-users@exim.org> wrote:
> On 05/12/2022 23:31, Jasen Betts via Exim-users wrote:
>> I'm getting this error panic
>> "bad memory reference; pool not found, at gstring_grow 1124"
>>
>> at an acl logwrite in an ${acl expansion in a router
>>
>> the logwrite is over-size and thus truncated in the debug message
>>
>> then it crashes.
>>
>> it seems to happen fairly rarely, maybe 1 in 10000 emails on this path.
>>
>
> version, ops in progress... core dump?
> --
> Cheers,
> Jeremy
>

debian backports' exim4-daemon-heavy 4.96


It's caused by a logwrite of exactly 8153
characters (must be exact) in a context where exim_message_id is defined.

eg put this:

logwrite = ${sg{${sg{${sg{aaa}{a}{bbbbbbbbbbb}}}{b}{ccccccccccccc}}}{c}{ddddddddddddddddddd}}zz

in the data ACL

so the line it would write would start with

YYYY-MM-DD HH:MM:SS_IDIDID-IDIDID-ID_
----+----1----+----2----+----3----+--

making exactly 8153+37 = 8190 characters not including the newline.

--
Jasen.
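
Added example (not part of the original post, and not Exim code): a minimal Python evaluator for the nested ${sg...} items in the logwrite above, showing why the expansion is exactly 8153 characters and the log line 8190. Reading "8 kB" as 8192 bytes is an assumption, and the helper names are hypothetical.

```python
import re

LOG_BUFFER_SIZE = 8192  # assumption: the "8 kB" release log buffer is 8192 bytes
# Prefix as drawn in the post ("_" marks a space): timestamp + message id.
PREFIX = "YYYY-MM-DD HH:MM:SS_IDIDID-IDIDID-ID_"
# The logwrite value from the post, rebuilt with explicit repeat counts.
REPRO = ("${sg{${sg{${sg{aaa}{a}{" + "b" * 11 + "}}}{b}{" + "c" * 13
         + "}}}{c}{" + "d" * 19 + "}}zz")

def _braced(s, i):
    """Return (content, next_index) of the balanced {...} group at s[i]."""
    if i >= len(s) or s[i] != "{":
        raise ValueError(f"expected '{{' at offset {i}")
    depth = 0
    for j in range(i, len(s)):
        if s[j] == "{":
            depth += 1
        elif s[j] == "}":
            depth -= 1
            if depth == 0:
                return s[i + 1:j], j + 1
    raise ValueError("unbalanced braces")

def expand(s):
    """Expand literal text and nested ${sg{subject}{regex}{replacement}} only."""
    out, i = [], 0
    while i < len(s):
        if not s.startswith("${sg{", i):
            out.append(s[i])
            i += 1
            continue
        i += 4  # skip "${sg"; s[i] is now the "{" opening the subject
        args = []
        for _ in range(3):
            arg, i = _braced(s, i)
            args.append(expand(arg))  # arguments may themselves contain ${sg
        if i >= len(s) or s[i] != "}":
            raise ValueError("missing '}' closing ${sg")
        i += 1
        out.append(re.sub(args[1], lambda m: args[2], args[0]))  # global replace
    return "".join(out)

def log_line_length(logwrite):
    """Characters in the resulting main-log line, newline excluded."""
    return len(PREFIX) + len(expand(logwrite))

def headroom(logwrite):
    """Bytes left in the assumed log buffer after the line (negative: oversize)."""
    return LOG_BUFFER_SIZE - log_line_length(logwrite)
```

For the value from the post, headroom() returns 2: the line ends two bytes short of the assumed 8192-byte buffer, which is the exact length that triggered the panic.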

Re: bad memory reference; pool not found, at gstring_grow 1124
On 19/12/2022 06:32, Jasen Betts via Exim-users wrote:
> logwrite = ${sg{${sg{${sg{aaa}{a}{bbbbbbbbbbb}}}{b}{ccccccccccccc}}}{c}{ddddddddddddddddddd}}zz

Thanks for locating this so precisely.
Fix pushed: 1ed24e36e279
--
Cheers,
Jeremy


Re: bad memory reference; pool not found, at gstring_grow 1124
On 2022-12-19 Jeremy Harris via Exim-users <exim-users@exim.org> wrote:
> On 19/12/2022 06:32, Jasen Betts via Exim-users wrote:
> > logwrite = ${sg{${sg{${sg{aaa}{a}{bbbbbbbbbbb}}}{b}{ccccccccccccc}}}{c}{ddddddddddddddddddd}}zz

> Thanks for locating this so precisely.
> Fix pushed: 1ed24e36e279

Hello,

Is there a security impact of the bug?

cu Andreas
Re: bad memory reference; pool not found, at gstring_grow 1124
On 20/12/2022 17:12, Andreas Metzler via Exim-users wrote:
> Is there a security impact of the bug?

Nope. Logging only... and only if you've written your
config to try and save an 8 kB (with the release size of
log buffer) log message.

I guess, if you have, an attacker could induce a lot of
process terminations. Most systems won't have setuid-coredumps
enabled, so little issue there.
--
Cheers,
Jeremy


Re: bad memory reference; pool not found, at gstring_grow 1124
On 2022-12-19, Jeremy Harris via Exim-users <exim-users@exim.org> wrote:
> On 19/12/2022 06:32, Jasen Betts via Exim-users wrote:
>> logwrite = ${sg{${sg{${sg{aaa}{a}{bbbbbbbbbbb}}}{b}{ccccccccccccc}}}{c}{ddddddddddddddddddd}}zz
>
> Thanks for locating this so precisely.
> Fix pushed: 1ed24e36e279

Thanks for the fix.

--
Jasen.
