Bug#1004740: exim4: SIGSEGV (maybe attempt to write to immutable memory) when sending a mail; message frozen
Gedalya
gedalya at gedalya.net
Tue May 10 14:11:35 BST 2022
On Wed, 2 Feb 2022 18:20:48 +0100 Andreas Metzler <ametzler at bebt.de> wrote:
> Is this reproducible, happening with a specific host? Any chance of
> getting a coredump?
>
exim4-daemon-custom 4.95-5
libgnutls30 3.7.4-2
I can reproduce this with the following steps:
1. Obtain / craft a message which is going to be deferred by gmail
2. Queue it with: exim -odq [ ... ], this crash doesn't happen on an immediate delivery attempt
3. Start a queue ranner: exim -q, it crashes
log:
2022-05-10 10:49:26 1noNQY-0003Vx-PC H=gmail-smtp-in.l.google.com [172.253.115.27]: SMTP error from remote mail server after pipelined end of data: 421-4.7.0 [**.**.**.** 15] Our system has detected that this message is\n421-4.7.0 suspicious due to the very low reputation of the sending domain. To\n421-4.7.0 best protect our users from spam, the message has been blocked.\n421-4.7.0 Please visit\n421 4.7.0 https://support.google.com/mail/answer/188131 for more information. g1-20020a379d01000000b0069f5a52b15csi8762371qke.103 - gsmtp
2022-05-10 10:49:26 1noNQY-0003Vx-PC H=gmail-smtp-in.l.google.com [172.253.115.27] TLS error on connection (recv): The TLS connection was non-properly terminated.
2022-05-10 10:49:26 1noNQY-0003Vx-PC H=gmail-smtp-in.l.google.com [172.253.115.27] TLS error on connection (recv): The specified session has been invalidated for some reason.
2022-05-10 10:49:26 1noNQY-0003Vx-PC Delivery status for ***@gmail.com: got 0 of 7 bytes (pipeheader) from transport process 13531 for transport smtp
2022-05-10 10:49:26 1noNQY-0003Vx-PC == ***@gmail.com R=dnslookup T=remote_smtp defer (-1): smtp transport process returned non-zero status 0x0088: terminated by signal 8
2022-05-10 10:49:26 1noNQY-0003Vx-PC Frozen
2022-05-10 10:52:00 1noNQY-0003Vx-PC Message is frozen
dmesg:
traps: exim[13531] trap divide error ip:7fd95deb6b2e sp:7ffdcafa2ac0 error:0 in libgnutls.so.30.32.0[7fd95ddf3000+129000]
It seems like exim crashes when attempting to connect to the second remote server, after the first one deferred the message. Once again, this only happens in a queue runner.
I did get two occurrences of SIGSEGV logged earlier, in otherwise the exact same circumstances, but subsequently I'm consistently getting this divide error.
# gdb /usr/sbin/exim4 /var/spool/exim4/core
GNU gdb (Debian 10.1-2+b1) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/sbin/exim4...
Reading symbols from /usr/lib/debug/.build-id/b0/ba38f1cd15529b233aa41d2b313ad815319a3e.debug...
warning: core file may not match specified executable file.
[New LWP 13531]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `exim -q'.
Program terminated with signal SIGFPE, Arithmetic exception.
#0 0x00007fd95deb6b2e in _gnutls_trust_list_get_issuer (list=list at entry=0x56111e42a160, cert=cert at entry=0x56111e42ab70, issuer=issuer at entry=0x7ffdcafa2c10, flags=flags at entry=16)
at ../../../lib/x509/verify-high.c:1024
1024 ../../../lib/x509/verify-high.c: No such file or directory.
(gdb) set pagination off
(gdb) bt full
#0 0x00007fd95deb6b2e in _gnutls_trust_list_get_issuer (list=list at entry=0x56111e42a160, cert=cert at entry=0x56111e42ab70, issuer=issuer at entry=0x7ffdcafa2c10, flags=flags at entry=16) at ../../../lib/x509/verify-high.c:1024
ret = <optimized out>
i = 0
hash = 8961028265420168270
#1 0x00007fd95deb6c1f in gnutls_x509_trust_list_get_issuer (list=list at entry=0x56111e42a160, cert=0x56111e42ab70, issuer=issuer at entry=0x7ffdcafa2c10, flags=flags at entry=16) at ../../../lib/x509/verify-high.c:1129
ret = <optimized out>
__func__ = "gnutls_x509_trust_list_get_issuer"
#2 0x00007fd95deb75b7 in gnutls_x509_trust_list_verify_crt2 (list=0x56111e42a160, cert_list=0x7ffdcafa2c40, cert_list at entry=0x56111e42a2c0, cert_list_size=<optimized out>, cert_list_size at entry=3, data=data at entry=0x0, elements=elements at entry=0, flags=flags at entry=33554432, voutput=0x7ffdcafa2f58, func=0x0) at ../../../lib/x509/verify-high.c:1522
sorted_size = <optimized out>
j = <optimized out>
issuer = 0x44496e
ret = <optimized out>
i = <optimized out>
hash = <optimized out>
sorted = {0x56111e5a9b60, 0x56111e686530, 0x56111e42ab70, 0x7, 0x90, 0x84, 0x2e393200000009, 0x17, 0xb0, 0x2, 0x3200000009, 0x0, 0x0, 0x0, 0x6e0000005b, 0x15b1ff500}
retrieved = {0x7fd95df29430, 0x2, 0x7ffdcafa2d00, 0xfc4e45175b1ff500, 0x56111e7149f0, 0xffffffffffffff78, 0x0, 0x0, 0x7ffdcafa2e04, 0x3, 0x56111e42a2d8, 0x7fd95db6d9b4 <__GI___libc_free+100>, 0x7ffdcafa2e04, 0x56111e42ab70, 0x56111e42a2d8, 0x2}
retrieved_size = 0
hostname = <optimized out>
purpose = <optimized out>
email = <optimized out>
hostname_size = <optimized out>
have_set_name = <optimized out>
saved_output = <optimized out>
ip = {data = <optimized out>, size = <optimized out>}
cert_set = {node = 0x56111e713a50, size = 16}
__func__ = "gnutls_x509_trust_list_verify_crt2"
__PRETTY_FUNCTION__ = "gnutls_x509_trust_list_verify_crt2"
#3 0x00007fd95de44589 in _gnutls_x509_cert_verify_peers (session=0x56111e457500, data=data at entry=0x0, elements=elements at entry=0, status=status at entry=0x7ffdcafa2f58) at ../../lib/cert-session.c:597
info = <optimized out>
cred = 0x56111e42b360
peer_certificate_list = 0x56111e42a2c0
resp = {data = 0x7ffdcafa2ec0 "\320If\036\021V", size = 1575479894}
peer_certificate_list_size = 3
i = <optimized out>
x = <optimized out>
ret = <optimized out>
cand_issuers = <optimized out>
cand_issuers_size = <optimized out>
ocsp_status = 0
verify_flags = 33554432
__func__ = "_gnutls_x509_cert_verify_peers"
#4 0x00007fd95de44eb6 in gnutls_certificate_verify_peers (session=<optimized out>, data=data at entry=0x0, elements=elements at entry=0, status=status at entry=0x7ffdcafa2f58) at ../../lib/cert-session.c:776
info = <optimized out>
__func__ = "gnutls_certificate_verify_peers"
#5 0x00007fd95de44f2c in gnutls_certificate_verify_peers2 (session=<optimized out>, status=status at entry=0x7ffdcafa2f58) at ../../lib/cert-session.c:653
No locals.
#6 0x000056111d21a501 in verify_certificate (state=<optimized out>, errstr=0x7ffdcafa30c0) at ./b-exim4-daemon-custom/build-Linux-x86_64/tls-gnu.c:2519
rc = <optimized out>
verify = 507868416
__FUNCTION__ = "verify_certificate"
#7 0x000056111d21c693 in tls_client_start (cctx=cctx at entry=0x56111e4af0c8, conn_args=conn_args at entry=0x56111e49f038, cookie=<optimized out>, tlsp=tlsp at entry=0x56111d2ae3c0 <tls_out>, errstr=errstr at entry=0x7ffdcafa30c0) at ./b-exim4-daemon-custom/build-Linux-x86_64/tls-gnu.c:3593
host = 0x56111e6f1478
tb = 0x56111e19b380
ob = 0x56111e19b4b8
rc = 0
state = 0x56111e19bff0
cipher_list = <optimized out>
require_ocsp = 0
request_ocsp = 1
__FUNCTION__ = "tls_client_start"
#8 0x000056111d245faf in smtp_setup_conn (sx=sx at entry=0x56111e49f028, suppress_tls=<optimized out>, suppress_tls at entry=0) at ./b-exim4-daemon-custom/build-Linux-x86_64/transports/smtp.c:2673
buffer2 = "220 2.0.0 Ready to start TLS\000 the market for additional capital above the PPP money we helped facilitate through the SBA portal?\n\nIf so I have updated your file and I currently have KSE Suppliers set "...
ob = 0x56111e19b4b8
pass_message = 0
message = 0x0
yield = 0
tls_errstr = 0x0
__FUNCTION__ = "smtp_setup_conn"
#9 0x000056111d248d1f in smtp_deliver (addrlist=addrlist at entry=0x56111e18b658, host=host at entry=0x56111e6f1478, host_af=host_af at entry=2, defport=<optimized out>, interface=<optimized out>, tblock=tblock at entry=0x56111e19b380, message_defer=<optimized out>, suppress_tls=<optimized out>) at ./b-exim4-daemon-custom/build-Linux-x86_64/transports/smtp.c:3743
ob = <optimized out>
yield = <optimized out>
save_errno = 489428962
rc = <optimized out>
message = 0x0
new_message_id = "\020B\372\312\375\177\000\000\000\000\000\000\000\000\000\000("
sx = 0x56111e49f028
__FUNCTION__ = "smtp_deliver"
pass_message = 0
dane_held = 0
tcw_done = 0
tcw = 0
SEND_MESSAGE = <optimized out>
#10 0x000056111d24b742 in smtp_transport_entry (tblock=<optimized out>, addrlist=<optimized out>) at ./b-exim4-daemon-custom/build-Linux-x86_64/transports/smtp.c:5636
thost = <optimized out>
first_addr = 0x56111e18b658
host_is_expired = 0
some_deferred = 0
interface = 0x0
rc = <optimized out>
host_af = 2
message_defer = 0
retry_host_key = 0x0
retry_message_key = 0x0
serialize_key = 0x0
nexthost = 0x56111e6f0f78
unexpired_hosts_tried = 2
continue_host_tried = 0
cutoff_retry = <optimized out>
defport = 25
hosts_defer = 0
hosts_fail = 0
hosts_looked_up = <optimized out>
hosts_retry = 2
hosts_serial = 0
hosts_total = <optimized out>
total_hosts_tried = <optimized out>
expired = 0
expanded_hosts = <optimized out>
pistring = 0x56111d267e71 ""
tid = <optimized out>
__FUNCTION__ = "smtp_transport_entry"
ob = 0x56111e19b4b8
hostlist = 0x56111e6f1bd8
host = 0x56111e6f1478
#11 0x000056111d1a9682 in do_remote_deliveries (fallback=fallback at entry=0) at ./b-exim4-daemon-custom/build-Linux-x86_64/deliver.c:4736
fd = 9
h = <optimized out>
address_count_max = <optimized out>
use_initgroups = 0
tp = 0x56111e19b380
gid = 110
pfd = {8, 9}
anchor = <optimized out>
addr = <optimized out>
pid = 0
multi_domain = 1
pipe_done = 1
last = <optimized out>
panicmsg = <optimized out>
uid = 106
address_count = <optimized out>
next = <optimized out>
serialize_key = 0x0
delivery_count = 0
parmax = 2
poffset = <optimized out>
__FUNCTION__ = "do_remote_deliveries"
#12 0x000056111d1af579 in deliver_message (id=id at entry=0x56111e18b239 "1noNQY-0003Vx-PC", forced=forced at entry=0, give_up=give_up at entry=0) at ./b-exim4-daemon-custom/build-Linux-x86_64/deliver.c:7255
i = <optimized out>
rc = <optimized out>
final_yield = 0
now = <optimized out>
addr_last = <optimized out>
filter_message = 0x0
process_recipients = <optimized out>
dbblock = {dbptr = 0x56111e430140, lockfd = 7}
dbm_file = <optimized out>
info = <optimized out>
__FUNCTION__ = "deliver_message"
RECIP_QUEUE_FAILED = <optimized out>
#13 0x000056111d1e1a27 in queue_run (start_id=start_id at entry=0x0, stop_id=stop_id at entry=0x0, recurse=recurse at entry=0) at ./b-exim4-daemon-custom/build-Linux-x86_64/queue.c:675
rc = <optimized out>
pid = 0
status = 0
statbuf = {st_dev = 51744, st_ino = 131089, st_nlink = 1, st_mode = 33184, st_uid = 106, st_gid = 110, __pad0 = 0, st_rdev = 0, st_size = 2458, st_blksize = 4096, st_blocks = 8, st_atim = {tv_sec = 1652179763, tv_nsec = 725506665}, st_mtim = {tv_sec = 1652179754, tv_nsec = 781257313}, st_ctim = {tv_sec = 1652179754, tv_nsec = 781257313}, __glibc_reserved = {0, 0, 0}}
buffer = "\000H\372\312\375\177\000\000p\030&\035\021V\000\000 \017&\035\021V\000\000\360H\372\312\375\177\000\000p\030&\035\021V\000\000\360H\372\312\375\177\000\000\006\000\000\000\000\000\000\000\\_\033\035\021V\000\000~\001\000\000+\000\000\000\030\242\030\036\021V\000\000\b\000\000\000\060\000\000\000\000J\372\312\375\177\000\000 I\372\312\375\177\000\000\000\365\037[\027EN\374\001\000\000\000\000\000\000\000q~&\035\021V\000\000\001\000\000\000\000\000\000\000籽]\331\177\000\000\a\000\000\000\000\000\000\000\020#\030\036\021V\000\000\bO\376\312\375\177\000\000\264ٶ]\331\177\000\000\257\330\030\036\021V\000\000\000\365\037[\027EN\374acl_checx\377\377\377\377\377\377\377"...
pfd = {3, 5}
fq = 0x56111e18b230
reset_point1 = 0x56111e18b228
i = 0
force_delivery = 0
selectstring_regex = 0x0
selectstring_regex_sender = 0x0
log_detail = 0x56111e18b218 "pid=13528"
subcount = 0
subdirs = "\000\000\000\000\000\000\000\000\277\000\000\000\021V\000\000\240\036,\035\021V\000\000\240\272*\035\021V\000\000x\000\000\000P\000\000\000\000\365\037[\027EN\374\070&\031\036\021V\000\000\035U!\035\021V\000"
qpid = {0, 0, 0, 0}
single_id = 0
__FUNCTION__ = "queue_run"
single_item_retry = <optimized out>
#14 0x000056111d192e7a in main (argc=2, cargv=0x7ffdcafe4f08) at ./b-exim4-daemon-custom/build-Linux-x86_64/exim.c:4797
argv = 0x7ffdcafe4f08
arg_receive_timeout = -1
arg_smtp_receive_timeout = -1
arg_error_handling = 0
filter_sfd = -1
filter_ufd = -1
group_count = <optimized out>
i = <optimized out>
rv = <optimized out>
list_queue_option = <optimized out>
msg_action = 0
msg_action_arg = -1
namelen = <optimized out>
queue_only_reason = 0
recipients_arg = <optimized out>
sender_address_domain = 0
test_retry_arg = -1
test_rewrite_arg = -1
original_egid = <optimized out>
arg_queue_only = <optimized out>
bi_option = <optimized out>
checking = <optimized out>
count_queue = <optimized out>
expansion_test = <optimized out>
extract_recipients = <optimized out>
flag_G = <optimized out>
flag_n = <optimized out>
forced_delivery = 0
f_end_dot = <optimized out>
deliver_give_up = 0
list_queue = 0
list_options = <optimized out>
list_config = <optimized out>
local_queue_only = <optimized out>
more = 1
one_msg_action = 0
opt_D_used = <optimized out>
queue_only_set = <optimized out>
receiving_message = <optimized out>
sender_ident_set = <optimized out>
session_local_queue_only = <optimized out>
unprivileged = 0
removed_privilege = <optimized out>
usage_wanted = <optimized out>
verify_address_mode = <optimized out>
verify_as_sender = <optimized out>
rcpt_verify_quota = <optimized out>
version_printed = <optimized out>
alias_arg = <optimized out>
called_as = 0x56111d267e71 ""
cmdline_syslog_name = <optimized out>
start_queue_run_id = <optimized out>
stop_queue_run_id = <optimized out>
expansion_test_message = <optimized out>
ftest_domain = <optimized out>
ftest_localpart = <optimized out>
ftest_prefix = <optimized out>
ftest_suffix = <optimized out>
log_oneline = <optimized out>
malware_test_file = <optimized out>
real_sender_address = <optimized out>
originator_home = 0x56111d25b0bd "/"
sz = <optimized out>
pw = 0x56111d303900 <pwcopy>
statbuf = {st_dev = 22, st_ino = 3, st_nlink = 1, st_mode = 8576, st_uid = 0, st_gid = 5, __pad0 = 0, st_rdev = 34816, st_size = 0, st_blksize = 1024, st_blocks = 0, st_atim = {tv_sec = 1652179760, tv_nsec = 425246092}, st_mtim = {tv_sec = 1652179760, tv_nsec = 425246092}, st_ctim = {tv_sec = 1652165838, tv_nsec = 445246653}, __glibc_reserved = {0, 0, 0}}
passed_qr_pid = <optimized out>
passed_qr_pipe = <optimized out>
group_list = <error reading variable group_list (value requires 262144 bytes, which is more than max-value-size)>
info_flag = <optimized out>
info_stdout = <optimized out>
rsopts = {0x56111d265b3d "f", 0x56111d28d368 "ff", 0x56111d2819f4 "r", 0x56111d25fd6e "rf", 0x56111d25fd71 "rff"}
__FUNCTION__ = "main"
quit)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-exim4-maintainers/attachments/20220510/6363a1cf/attachment-0001.htm>
More information about the Pkg-exim4-maintainers
mailing list