Bug#604468: imapd crashes with SIGSEGV in mboxlist.c:221
Dmitry Katsubo
dma_k at mail.ru
Mon Nov 22 12:41:53 UTC 2010
Package: cyrus-imapd-2.2
Version: 2.2.13-19
I have updated from 2.2.13-17 [sid] to 2.2.13-19 [squeeze]. Usually a
mailbox upgrade to the new BDB format is enough, so I recovered it from my
backups:
cvt_cyrusdb /var/backups/cyrus-mboxlist.txt flat
/var/lib/cyrus/mailboxes.db skiplist
After starting cyrus (/etc/init.d/cyrus start) I have found this in
/etc/log/mail/mail.log:
Nov 22 01:40:38 centurion cyrus/imap[4590]: user.dmitry.Archives: can't
find acl
Nov 22 01:40:38 centurion cyrus/imap[4590]: user.dmitry.Drafts: can't
find acl
...
These look like warnings, but they shouldn't be critical, right? And when a
client starts an IMAP session and tries to open a folder, the daemon dies
with SIGSEGV:
Nov 22 01:40:39 centurion cyrus/master[4469]: process 4590 exited,
signaled to death by 11
Nov 22 01:40:39 centurion cyrus/master[4469]: process 4591 exited,
signaled to death by 11
I have checked the plaintext version and the binary DB files for the mailbox:
both contain ACL strings (e.g. "lrswipcda").
I have recompiled imapd with debug information and debugged with gdb:
=== stack trace ===
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb6c246e0 (LWP 30604)]
0xb7304b2a in memcpy () from /lib/i686/cmov/libc.so.6
(gdb) bt
#0 0xb7304b2a in memcpy () from /lib/i686/cmov/libc.so.6
#1 0x0807a95c in mboxlist_mylookup (name=<value optimized out>,
typep=<value optimized out>, pathp=0x0, partp=0xbfee8e68,
aclp=0xbfee8e64, tid=0x0, wrlock=0) at mboxlist.c:221
#2 0x0805cb65 in mlookup (tag=<value optimized out>,
ext_name=0xffffffd7 <Address 0xffffffd7 out of bounds>,
name=0xbfee91c5 "user.dmitry", flags=0x0, pathp=0x0, partp=0x0,
aclp=0x0, tid=<value optimized out>) at imapd.c:412
#3 0x0805d177 in cmd_select (tag=0x9d1d880 "5", cmd=0x9d1d8f0 "Select",
name=0x9dcd270 "INBOX") at imapd.c:2616
#4 0x0806156e in cmdloop () at imapd.c:1459
#5 0x08062d98 in service_main (argc=1, argv=0x9d14008, envp=0xbfeebaf4)
at imapd.c:691
#6 0x0804dc61 in main (argc=3, argv=0xbfeebae4, envp=0xbfeebaf4) at
service.c:533
=== end of stack trace ===
The corresponding source code:
=== mboxlist.c:221 code ===
    /* the rest is ACL; return it if requested */
    if (aclp) {
        acllen = datalen - (p - data);
        if (acllen >= aclresultalloced) {
            aclresultalloced = acllen + 100;
            aclresult = xrealloc(aclresult, aclresultalloced);
        }
(221)   memcpy(aclresult, p, acllen);
        aclresult[acllen] = '\0';
        *aclp = aclresult;
    }
=== end ===
Local variables:
acllen = -47
aclresult = 0x0
datalen = 27
data = 0xb514c120 "0 default\tdmitry\tlrswipcda\t"
p = 0xb514c16a "default\tdmitry\tlrswipcda\t"
As "acllen" is negative, "aclresult" is not allocated. What is
noticeable is that "p" has run far beyond the end of "data", because the
initial string has only one space. As I am not sure about the semantics
of each piece of information coming from BDB, I added an additional check
for '\t' and the service started to work. The attached patch is not a
fix, but rather a workaround. At least one needs to add a check that "p"
does not run out of "data"!!!:
while (p < data + datalen && *p != ' ') ... p++
Hope it helps.
--
With best regards,
Dmitry
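The bounded scan proposed in the report, carried through to a complete record parser, as an added example; this is not the cyrus-imapd code nor the attached patch. The record layout `<type> <partition> <acl>` and the two sample records (one well-formed, one with the tab in place of the second space, as in the local-variable dump) are assumed.

```c
#include <stddef.h>
#include <string.h>

typedef struct {
    int type;
    const char *part; size_t partlen;
    const char *acl;  size_t acllen;
} mbox_entry;

/* Advance to the delimiter without ever dereferencing past 'end'.
 * Returns NULL when the delimiter is absent instead of running on. */
static const char *find_delim(const char *p, const char *end, char delim) {
    while (p < end && *p != delim) p++;
    return p < end ? p : NULL;
}

/* Parses "<type> <partition> <acl>" from a non-NUL-terminated buffer.
 * Returns 1 on success, 0 for a malformed record. acllen can never go
 * negative here because p is always <= end when it is computed. */
int parse_mbox_entry(const char *data, size_t datalen, mbox_entry *out) {
    const char *end = data + datalen;
    const char *p, *q;
    memset(out, 0, sizeof *out);
    p = find_delim(data, end, ' ');              /* end of type field */
    if (!p || p == data) return 0;
    for (q = data; q < p; q++) {                 /* type: decimal digits */
        if (*q < '0' || *q > '9') return 0;
        out->type = out->type * 10 + (*q - '0');
    }
    out->part = ++p;
    p = find_delim(p, end, ' ');                 /* end of partition field */
    if (!p) return 0;                            /* no second space: reject */
    out->partlen = (size_t)(p - out->part);
    out->acl = ++p;
    out->acllen = (size_t)(end - p);             /* rest of record is ACL */
    return 1;
}

/* Constructed records: GOOD is the expected layout; BAD mirrors the
 * converted record from the report, with '\t' where the space belongs. */
static const char GOOD[] = "0 default dmitry\tlrswipcda\t";
static const char BAD[]  = "0 default\tdmitry\tlrswipcda\t";

size_t good_acllen(void) {
    mbox_entry e;
    return parse_mbox_entry(GOOD, sizeof GOOD - 1, &e) ? e.acllen : 0;
}
int bad_rejected(void) {
    mbox_entry e;
    return parse_mbox_entry(BAD, sizeof BAD - 1, &e) == 0;
}
```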
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: mboxlist.c.patch
URL: <http://lists.alioth.debian.org/pipermail/pkg-cyrus-imapd-debian-devel/attachments/20101122/7bce3d3c/attachment.txt>