Mailing List Archive

Segfault in perform_ldap_search() in exim-4.90.1
Hi,

We've updated to the EPEL shipped 4.90.1 (exim-4.90.1-2.el7.x86_64) from
exim-4.89-4.el7.x86_64 and have started seeing frequent segfaults.

Mar 8 12:26:59 americano kernel: exim[1607]: segfault at 8 ip 0000560dd32915d0 sp 00007fffcef352b0 error 4 in exim[560dd31b1000+133000]

Stoking up gdb for live coredump shows:

Core was generated by `exim -bd -d+all'.
Program terminated with signal 11, Segmentation fault.
#0 0x0000560dd32915d0 in perform_ldap_search (ldap_url=<optimized out>, server=<optimized out>, server@entry=0x7fffcef354a0 "localhost", s_port=<optimized out>, search_type=search_type@entry=1, res=res@entry=0x7fffcef35720,
errmsg=errmsg@entry=0x560dd34fa778 <search_error_message>, defer_break=defer_break@entry=0x7fffcef35488, user=user@entry=0x560dd48f4810 "uid=<removed>", password=password@entry=0x560dd48f4840 "<removed>",
sizelimit=sizelimit@entry=0, timelimit=timelimit@entry=0, tcplimit=tcplimit@entry=0, dereference=dereference@entry=0, referrals=referrals@entry=0x7f6b07d321e0 <ber_pvt_opt_on>) at ldap.c:1076
1076 DEBUG(D_lookup) debug_printf("LDAP search: returning: %s\n", data->s);


We can reliably reproduce the segfault using "exim -bt <address>" too.


This line appears to have changed between the two versions:

@@ -1077,8 +1073,8 @@ if (!attribute_found)

/* Otherwise, it's all worked */

-DEBUG(D_lookup) debug_printf("LDAP search: returning: %s\n", data);
-*res = data;
+DEBUG(D_lookup) debug_printf("LDAP search: returning: %s\n", data->s);
+*res = data->s;

RETURN_OK:
if (result != NULL) ldap_msgfree(result);
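Review bot: both `+` lines dereference `data` with no NULL guard, although `data` can legitimately be NULL at this point (the gdb session below shows `(gstring *) 0x0` for a search that matched no attribute value), so a lookup that simply finds nothing now crashes instead of returning an empty result; the report also notes that the other uses of `data` in ldap.c are wrapped in `if(data)`. Suggest guarding the pair, e.g. `if (data) { DEBUG(D_lookup) debug_printf("LDAP search: returning: %s\n", data->s); *res = data->s; } else *res = NULL;`, which keeps the pre-change behaviour in which `*res = data;` stored a NULL for an empty result, or otherwise routing the no-result case out of the routine before it reaches the "all worked" comment.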

The other references to data in ldap.c seem to be wrapped in if(data) but not this one...

(gdb) print data
$1 = (gstring *) 0x0

Is this a simple bug fixed by wrapping the block in if(data)?

Entire stack trace below:

#0 0x0000560dd32915d0 in perform_ldap_search (ldap_url=<optimized out>, server=<optimized out>, server@entry=0x7fffcef354a0 "localhost", s_port=<optimized out>, search_type=search_type@entry=1, res=res@entry=0x7fffcef35720,
errmsg=errmsg@entry=0x560dd34fa778 <search_error_message>, defer_break=defer_break@entry=0x7fffcef35488, user=user@entry=0x560dd48f4810 "<removed>", password=password@entry=0x560dd48f4840 "<removed>",
sizelimit=sizelimit@entry=0, timelimit=timelimit@entry=0, tcplimit=tcplimit@entry=0, dereference=dereference@entry=0, referrals=referrals@entry=0x7f6b07d321e0 <ber_pvt_opt_on>) at ldap.c:1076
#1 0x0000560dd3291ef4 in control_ldap_search (ldap_url=<optimized out>, search_type=1, res=0x7fffcef35720, errmsg=0x560dd34fa778 <search_error_message>) at ldap.c:1328
#2 0x0000560dd3246dc6 in internal_search_find (handle=handle@entry=0x560dd48f4230, filename=filename@entry=0x0, keystring=<optimized out>,
keystring@entry=0x560dd490eab0 "user=\"<removed>\" pass=\"<removed>\" ldap:///o=kent.ac.uk,o=uni?unikentmailid?sub?(&(objectClass=mailRecipient)(!(inetUserStatus=deleted))(mailAlternateAddress=smtp:t"...)
at search.c:522
#3 0x0000560dd32478ce in search_find (handle=0x560dd48f4230, filename=filename@entry=0x0,
keystring=keystring@entry=0x560dd490eab0 "user=\"<removed>\" pass=\"<removed>\" ldap:///o=kent.ac.uk,o=uni?unikentmailid?sub?(&(objectClass=mailRecipient)(!(inetUserStatus=deleted))(mailAlternateAddress=smtp:t"..., partial=-1, affix=0x0, affixlen=99, starflags=0, expand_setup=expand_setup@entry=0x7fffcef358f8) at search.c:671
#4 0x0000560dd32129c7 in expand_string_internal (
string=0x560dd48b8240 "${lookup ldap {user=\"<removed>\" pass=\"<removed>\" ldap:///o=kent.ac.uk,o=uni?unikentmailid?sub?(&(objectClass=mailRecipient)(!(inetUserStatus=deleted))(mailAlternat"...,
ket_ends=ket_ends@entry=0, left=left@entry=0x0, skipping=skipping@entry=0, honour_dollar=honour_dollar@entry=1, resetok_p=resetok_p@entry=0x0) at expand.c:4353
#5 0x0000560dd320eaaa in expand_cstring (string=<optimized out>) at expand.c:7574
#6 0x0000560dd3218815 in expand_string (string=<optimized out>) at expand.c:7585
#7 0x0000560dd3242900 in rewrite_one (s=<optimized out>, flag=128, whole=whole@entry=0x0, add_header=0, name=0x560dd32b5dc2 "original-recipient", rewrite_rules=<optimized out>) at rewrite.c:192
#8 0x0000560dd32435cc in rewrite_address (s=<optimized out>, s@entry=0x560dd48d7328 "<user>", is_recipient=is_recipient@entry=2, add_header=3542953712, add_header@entry=0, rewrite_rules=0x0, existflags=22029) at rewrite.c:410
#9 0x0000560dd326a392 in verify_address (vaddr=vaddr@entry=0x7fffcef36f10, f=f@entry=0x0, options=2, callout=callout@entry=-1, callout_overall=callout_overall@entry=-1, callout_connect=callout_connect@entry=-1, se_mailfrom=se_mailfrom@entry=0x0,
pm_mailfrom=pm_mailfrom@entry=0x0, routed=routed@entry=0x0) at verify.c:1660
#10 0x0000560dd31f1af3 in acl_verify (where=<optimized out>, addr=<optimized out>, arg=<optimized out>, user_msgptr=<optimized out>, log_msgptr=<optimized out>, basic_errno=<optimized out>) at acl.c:2049
#11 0x0000560dd31f34b3 in acl_check_internal (where=<optimized out>, addr=<optimized out>, s=<optimized out>, user_msgptr=<optimized out>, log_msgptr=<optimized out>) at acl.c:3706
#12 0x0000560dd31f5cef in acl_check (where=<optimized out>, recipient=<optimized out>, s=<optimized out>, user_msgptr=<optimized out>, log_msgptr=<optimized out>) at acl.c:4391
#13 0x0000560dd325440d in smtp_setup_msg () at smtp_in.c:5001
#14 0x0000560dd31f900a in handle_smtp_call (accepted=0x7fffcef37fc0, accept_socket=<optimized out>, listen_socket_count=<optimized out>, listen_sockets=0x560dd48d61f0) at daemon.c:504
#15 daemon_go () at daemon.c:2049
#16 0x0000560dd31ec999 in main (argc=<optimized out>, cargv=<optimized out>) at exim.c:4856


--
Matthew Slowe | Server Infrastructure Officer
IT Infrastructure, Information Services, University of Kent
Room S21, Cornwallis South
Canterbury, Kent, CT2 7NZ, UK
Tel: +44 (0)1227 824265

www.kent.ac.uk/is | @UnikentUnseenIT | @UKCLibraryIt
PGP: https://keybase.io/fooflington


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
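The crash the report describes, as an added example that is not Exim's code: a minimal growable string modelled on the `gstring *` seen in the gdb output, an attribute collector that leaves the accumulator NULL when a directory entry has no matching attribute (the empty LDAP response the thread discusses), and the unguarded finish from the hunk beside a guarded one. The struct layout, the function names `string_cat`, `collect_attribute`, `finish_unsafe`, `finish_safe` and `lookup_value`, and the two directory entries are all constructed here; only the `data->s` access and the `if (data)` check come from the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable string shaped like the `gstring *` in the gdb output. The layout
 * is an assumption made here: two ints then the pointer, so `s` sits at
 * offset 8 on LP64, which is consistent with "segfault at 8" in the log. */
typedef struct gstring {
  int size;   /* bytes allocated in s */
  int ptr;    /* bytes used, excluding the NUL */
  char *s;    /* NUL-terminated buffer */
} gstring;

/* Append str to g, allocating g on first use. Returns the (possibly new) g. */
static gstring *string_cat(gstring *g, const char *str)
{
  size_t len = strlen(str);
  if (!g) {
    g = calloc(1, sizeof *g);
    if (!g) abort();
  }
  if ((size_t)g->ptr + len + 1 > (size_t)g->size) {
    int newsize = (int)((size_t)g->ptr + len + 1 + 64);
    char *ns = realloc(g->s, (size_t)newsize);
    if (!ns) abort();
    g->s = ns;
    g->size = newsize;
  }
  memcpy(g->s + g->ptr, str, len + 1);
  g->ptr += (int)len;
  return g;
}

static void string_free(gstring *g)
{
  if (g) { free(g->s); free(g); }
}

/* One attribute/value pair of a directory entry (constructed sample data). */
struct attr { const char *name; const char *value; };

/* Collect every value of `wanted` from an entry. The accumulator stays NULL
 * when the attribute is absent, which is the case the thread describes for
 * users who have no unikentmailid. */
static gstring *collect_attribute(const struct attr *e, size_t n, const char *wanted)
{
  gstring *data = NULL;
  for (size_t i = 0; i < n; i++)
    if (strcmp(e[i].name, wanted) == 0) {
      if (data) data = string_cat(data, ",");   /* separator chosen here */
      data = string_cat(data, e[i].value);
    }
  return data;
}

/* Mirrors the hunk's unguarded `*res = data->s;`: with data == NULL this
 * reads the `s` member at address 0 + 8 and faults. Only call it with a
 * non-NULL accumulator. */
static void finish_unsafe(gstring *data, char **res)
{
  *res = data->s;
}

/* Guarded form: an empty lookup is a legitimate outcome and is reported as
 * "not found" with *res = NULL. Returns 1 when a value was accumulated. */
static int finish_safe(gstring *data, char **res)
{
  if (!data) { *res = NULL; return 0; }
  *res = data->s;
  return 1;
}

static char *dup_str(const char *s)
{
  size_t n = strlen(s) + 1;
  char *d = malloc(n);
  if (!d) abort();
  return memcpy(d, s, n);
}

/* Wrapper used by main(): on success *out is a malloc'd copy of the value. */
static int lookup_value(const struct attr *e, size_t n, const char *wanted, char **out)
{
  gstring *data = collect_attribute(e, n, wanted);
  char *s;
  int found = finish_safe(data, &s);
  *out = found ? dup_str(s) : NULL;
  string_free(data);
  return found;
}

/* Constructed entries: a staff record with the attribute, a student without. */
static const struct attr STAFF_ENTRY[] = {
  { "objectClass", "mailRecipient" }, { "unikentmailid", "j.bloggs" } };
static const struct attr STUDENT_ENTRY[] = {
  { "objectClass", "mailRecipient" }, { "mailAlternateAddress", "smtp:student@example.invalid" } };

int main(void)
{
  char *v;
  gstring *staff = collect_attribute(STAFF_ENTRY, 2, "unikentmailid");
  finish_unsafe(staff, &v);   /* safe only because staff is non-NULL here */
  printf("staff (unguarded finish): %s\n", v);
  string_free(staff);

  if (lookup_value(STUDENT_ENTRY, 2, "unikentmailid", &v))
    printf("student: %s\n", v);
  else
    printf("student: no unikentmailid, lookup fails cleanly\n");
  free(v);
  return 0;
}
```

Running the student entry through `finish_unsafe` instead of `finish_safe` reproduces the NULL dereference; the guarded version turns the same input into the "not found" result that the `fail` branch of the rewrite rule later in the thread is written to handle.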
Re: Segfault in perform_ldap_search() in exim-4.90.1
On Thu, Mar 08, 2018 at 12:49:58PM +0000, Matthew Slowe via Exim-users wrote:
>Hi,
>
>We've updated to the EPEL shipped 4.90.1 (exim-4.90.1-2.el7.x86_64) from
>exim-4.89-4.el7.x86_64 and have started seeing frequent segfaults.
>
>Mar 8 12:26:59 americano kernel: exim[1607]: segfault at 8 ip 0000560dd32915d0 sp 00007fffcef352b0 error 4 in exim[560dd31b1000+133000]
>
>We can reliably reproduce the segfault using "exim -bt <address>" too.

In case it's useful, the exim -bt segfault is:

Mar 8 12:41:54 americano kernel: exim[4680]: segfault at 8 ip 000055d963fba5e2 sp 00007fffc617b990 error 4 in exim[55d963eda000+133000]

Core was generated by `exim -bt tb367'.
Program terminated with signal 11, Segmentation fault.
#0 perform_ldap_search (ldap_url=<optimized out>, server=<optimized out>, server@entry=0x7fffc617bb80 "localhost",
s_port=<optimized out>, search_type=search_type@entry=1, res=res@entry=0x7fffc617be00,
errmsg=errmsg@entry=0x55d964223778 <search_error_message>, defer_break=defer_break@entry=0x7fffc617bb68,
user=user@entry=0x55d96601e5c0 "<removed>",
password=password@entry=0x55d96601e5f0 "<password>", sizelimit=sizelimit@entry=0, timelimit=timelimit@entry=0,
tcplimit=tcplimit@entry=0, dereference=dereference@entry=0, referrals=referrals@entry=0x7f46ea80a1e0 <ber_pvt_opt_on>)
at ldap.c:1077

It seems to be when one of the string expansions doing address rewriting returns nothing.

Re: Segfault in perform_ldap_search() in exim-4.90.1
On 08/03/18 12:49, Matthew Slowe via Exim-users wrote:
> /* Otherwise, it's all worked */
>
> -DEBUG(D_lookup) debug_printf("LDAP search: returning: %s\n", data);
> -*res = data;
> +DEBUG(D_lookup) debug_printf("LDAP search: returning: %s\n", data->s);
> +*res = data->s;

Interesting that it gets as far down the routine to be commented
"all worked" yet still with a null result. While wrapping the
code with a check seems obvious I worry there may be something
else going on. Is an empty return likely for the lookup
being done at this point in your config/operations?
--
Cheers,
Jeremy

Re: Segfault in perform_ldap_search() in exim-4.90.1
On Thu, Mar 08, 2018 at 03:55:57PM +0000, Jeremy Harris via Exim-users wrote:
>On 08/03/18 12:49, Matthew Slowe via Exim-users wrote:
>> /* Otherwise, it's all worked */
>>
>> -DEBUG(D_lookup) debug_printf("LDAP search: returning: %s\n", data);
>> -*res = data;
>> +DEBUG(D_lookup) debug_printf("LDAP search: returning: %s\n", data->s);
>> +*res = data->s;
>
>Interesting that it gets as far down the routine to be commented
>"all worked" yet still with a null result. While wrapping the
>code with a check seems obvious I worry there may be something
>else going on. Is an empty return likely for the lookup
>being done at this point in your config/operations?

It's worked for years so far -- it's doing a check to see if the address needs
rewriting before routing it.

# Convert short forms to longforms for staff

*@kent.ac.uk "${lookup ldap {user=\"<%= @ldapUserDN %>\" pass=\"<%= @ldapPasswd %>\" ldap:///o=kent.ac.uk,o=uni?unikentmailid?sub?(&(objectClass=mailRecipient)(!(inetUserStatus=deleted))(mailAlternateAddress=smtp:${quote_ldap:${local_part}@${domain}})(!(&(unikentmailOptinActive=*)(!(unikentmailOptinChoice=*)))))}{$value}fail}@kent.ac.uk" bcsfrtFT

Anyone without a longform email address (any non-staff) will not have a
unikentmailid so get an empty LDAP response.
