[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ZMailer] Zmailer crashes

To: Ralf Baechle <ralf@linux-mips.org>
Subject: Re: [ZMailer] Zmailer crashes
From: Matti Aarnio <mea@nic.funet.fi>
Date: Sat, 1 Nov 2008 21:58:01 +0200
Cc: zmailer@nic.funet.fi
In-Reply-To: <20081031160305.GB9632@linux-mips.org>
List-ID: <zmailer.nic.funet.fi>
Original-Recipient: rfc822;zmailer-log@nic.funet.fi
References: <20081031160305.GB9632@linux-mips.org>
Sender: zmailer-owner@nic.funet.fi
User-Agent: Mutt/1.4.2.1i

On Fri, Oct 31, 2008 at 04:03:05PM +0000, Ralf Baechle wrote:
> Since quite a while I'm observing these kernel messages on a Linux x86_64
> system:
> 
> sm[3270]: segfault at 3ba7f9f0 ip 79fbc9 sp 7fffe7c48e30 error 6 in libc-2.7.so[72d000+14d000]
> sm[3493] trap stack segment ip:7f0e2a121bc9 sp:7fff3240e4a0 error:0
> sm[3773]: segfault at 3ba7f9f0 ip 79fbc9 sp 7fff55499680 error 6 in libc-2.7.so[72d000+14d000]
> sm[3772] trap stack segment ip:7fbfcd993bc9 sp:7fffd5e98080 error:0
> sm[3605]: segfault at 3ba7f9f0 ip 79fbc9 sp 7fff046d38c0 error 6 in libc-2.7.so[72d000+14d000]
> 
> Lots of these - and occasionally also a smtpserver crash:

I don't use sm, thus I don't see these..
Perhaps you could run ZMailer compiled for debugging, and run environment
allowing core dump files:

   # ulimit -c unlimited
   # zmailer scheduler

Now collect *core* files from within $POSTOFFICE, and look for clues with gdb:

  # gdb sm sm.core
  (gdb) where
  ...


> smtpserver[2679]: segfault at 0 ip ee59d4 sp 7fffdf3d8e90 error 4 in libc-2.7.so[e83000+14d000]
> 
> Are these known / fixed problems?

This I recall having seen...  Probably this one:

+2006-01-04  Matti Aarnio  <mea@zmailer.org>
+
+       * smtpserver/rfc821scn.c:
+           After years of operation, learned that bad EHLO-parameter
+           with 8-bit chars is able to crash the smtpserver in 
+           rfc821_domain() when it checks bytes (characters) being
+           in some class or other, and encounters 8th-bit-set one.
+           Everywhere else the input is pre-sanitized of characters
+           outside printable ASCII range.
+           This was observed on a 2.6.x Linux running on x86-64 hardware,
+           with the character classification table at the beginning of
+           the .data section below of which there was non-mapped range..
+           .. upon which referral a SEGV was generated.
+           
+           Made also the used character classification dataset
+           to be 'const', which it is...
+
+           Btw: this is NOT a SECURITY bug, code never writes into that
+           array, only reads from it, and as a result (depending on
+           multiple things in your runtime environment) may just read
+           junk, or segfault.  Gigo rule.
+

  Garbage In -> crash


> Zmailer version is 2.99.57.pre4-2 from CVS running on Fedora 8.
> 
> Thanks,
>   Ralf
-- 
/Matti Aarnio	<mea@nic.funet.fi>
--
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi

References:
- [ZMailer] Zmailer crashes
  - From: Ralf Baechle <ralf@linux-mips.org>

Prev by Date: [ZMailer] Zmailer crashes
Next by Date: [ZMailer] Implementing different policies...
Prev by thread: [ZMailer] Zmailer crashes
Next by thread: [ZMailer] Implementing different policies...
Index(es):
- Date
- Thread