Bug 182311 - IMAPD segfault w/stack corruption
Status: CLOSED DEFERRED
Product: Fedora Legacy
Classification: Retired
Component: imap
Version: rhl7.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Fedora Legacy Bugs
DEFER
Reported: 2006-02-21 14:15 EST by John Dalbec
Modified: 2007-04-18 13:38 EDT
Doc Type: Bug Fix
Last Closed: 2006-02-22 12:15:52 EST

Attachments
Patch to imapd.c to avoid dereferencing NULL stream. (455 bytes, patch)
2006-02-22 12:20 EST, John Dalbec

Description John Dalbec 2006-02-21 14:15:24 EST
Description of problem:
IMAPD segfaults given a particular sequence of commands.  The stack appears to
be corrupt.

Version-Release number of selected component (if applicable):
imap-2001a-10.1.legacy

How reproducible:
always

Steps to Reproduce:
1. mkdir Mail/
2. touch Sent
3. imapd << EOF
A1 LOGIN jpdalbec ********
A7 SELECT INBOX
A13 EXAMINE Mail
A14 STATUS Sent (MESSAGES RECENT UNSEEN UIDNEXT UIDVALIDITY)
EOF
  
Actual results:
Segmentation fault

Expected results:
Program exit after end of file

Additional info:
[root@dalbec128-rh73 jpdalbec]# gdb imapd
GNU gdb Red Hat Linux (5.2-2)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
(gdb) run < imapd.segfault.minimal
Starting program: /usr/sbin/imapd < imapd.segfault.minimal
(no debugging symbols found)...
* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS AUTH=LOGIN] dalbec128-rh73.meshel.ysu.edu.localdomain IMAP4rev1 2001.315rh at Tue, 21 Feb 2006 14:16:47 -0500 (EST)
(no debugging symbols found)...
A1 OK [CAPABILITY IMAP4REV1 IDLE NAMESPACE MAILBOX-REFERRALS SCAN SORT THREAD=REFERENCES THREAD=ORDEREDSUBJECT MULTIAPPEND] User jpdalbec authenticated
* 4 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1140549260] UID validity status
* OK [UIDNEXT 5] Predicted next UID
* FLAGS (\Answered \Flagged \Deleted \Draft \Seen)
* OK [PERMANENTFLAGS (\* \Answered \Flagged \Deleted \Draft \Seen)] Permanent flags
* OK [UNSEEN 1] first unseen message in /var/spool/mail/jpdalbec
A7 OK [READ-WRITE] SELECT completed
A13 NO EXAMINE failed: Can't open Mail: not a selectable mailbox
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x0804f834 in strcpy ()
(gdb) bt
#0  0x0804f834 in strcpy ()
#1  0xbfffe218 in ?? ()
#2  0x42017589 in __libc_start_main () from /lib/i686/libc.so.6
Comment 1 John Dalbec 2006-02-22 12:14:59 EST
Once I built imap with debugging on, it was obvious.  It's a null pointer
dereference, so it's not exploitable AFAIK.
--- imap-2001a/src/imapd/imapd.c.orig   Wed Feb 22 11:44:01 2006
+++ imap-2001a/src/imapd/imapd.c        Wed Feb 22 11:44:46 2006
@@ -942,7 +942,7 @@
            if (state == LOGOUT) response = lose;
                                /* get mailbox status */
            else if (lastsel && (!strcmp (s,lastsel) ||
-                                !strcmp (s,stream->mailbox))) {
+                                stream && !strcmp (s,stream->mailbox))) {
              unsigned long unseen;
 #ifndef ENTOURAGE_BRAIN_DAMAGE
                                /* snarl at cretins which do this */
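Review bot: the added `stream &&` on the `+` line closes the NULL dereference this report hits, and it parses as intended because `&&` binds tighter than `||`, but gcc's -Wparentheses will warn about `&&` inside `||` without parentheses; suggest `(stream && !strcmp (s,stream->mailbox))`. More importantly, the condition is still true when `s` equals `lastsel` while `stream` is NULL, which is exactly the state a failed EXAMINE leaves behind here, and the block that follows (`unsigned long unseen;` ...) is not shown in this hunk; if it reads `stream` fields, the same NULL reaches it. Either require `stream` for the `lastsel` branch too, or clear `lastsel` wherever the stream is closed.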
Comment 2 John Dalbec 2006-02-22 12:20:33 EST
Created attachment 125044 [details]
Patch to imapd.c to avoid dereferencing NULL stream.
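The following is an added example, not code from imap-2001a or from the reporter: a small C model of the STATUS-command check from the patch in comments 1 and 2, replaying the command sequence in the report (SELECT INBOX succeeds, EXAMINE Mail fails and closes the stream, STATUS Sent). The globals `stream` and `lastsel`, the helpers `select_mailbox`, `status_command` and `replay`, and the message counts are hypothetical stand-ins for imapd's internals; the two condition expressions are the ones in the diff. It shows why the unpatched test reaches `stream->mailbox` with a NULL stream, why the one-token fix works (short-circuit evaluation plus `&&` binding tighter than `||`), and the case the guard does not cover: STATUS on the stale `lastsel` name with no open stream.

```c
/* Added example, not imap-2001a source. Models the STATUS check from the
 * patch; stream/lastsel/select_mailbox/status_command/replay are assumed
 * stand-ins for imapd's globals and command handlers, counts are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *mailbox;        /* name the stream has open */
    unsigned long nmsgs;  /* stands in for the stream fields STATUS reads */
} MAILSTREAM;

static MAILSTREAM *stream = NULL; /* open mailbox; NULL after a failed SELECT/EXAMINE */
static char *lastsel = NULL;      /* name of the last successfully selected mailbox */

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) abort();
    return memcpy(p, s, n);
}

static void close_stream(void) {
    if (stream) { free(stream->mailbox); free(stream); stream = NULL; }
}

static void reset_state(void) {
    close_stream();
    free(lastsel);
    lastsel = NULL;
}

/* SELECT/EXAMINE: the old stream is closed first; on failure (the "Mail"
 * directory is not a selectable mailbox) nothing replaces it, while lastsel
 * keeps the previous name. That combination is the bug's precondition. */
static int select_mailbox(const char *name, int selectable, unsigned long nmsgs) {
    close_stream();
    if (!selectable) return 0;
    stream = calloc(1, sizeof *stream);
    if (!stream) abort();
    stream->mailbox = dup_str(name);
    stream->nmsgs = nmsgs;
    free(lastsel);
    lastsel = dup_str(name);
    return 1;
}

/* Returns 1 if the unpatched test
 *   lastsel && (!strcmp (s,lastsel) || !strcmp (s,stream->mailbox))
 * would reach the second strcmp with stream == NULL. Both && and || short-circuit,
 * so only the path "lastsel set, s != lastsel" gets there. */
static int unpatched_would_deref_null(const char *s) {
    if (!lastsel) return 0;
    if (!strcmp(s, lastsel)) return 0;
    return stream == NULL;
}

/* The patched test. The diff omits the inner parentheses; since && binds
 * tighter than ||, it parses exactly as written here, so stream->mailbox is
 * only read when stream is non-NULL. */
static int is_selected_mailbox(const char *s) {
    return lastsel && (!strcmp(s, lastsel) ||
                       (stream && !strcmp(s, stream->mailbox)));
}

/* STATUS s. Returns the message count; -1 where the unpatched daemon would
 * segfault; -2 where the patched test still reports "selected" with no open
 * stream (s equals the stale lastsel), which the caller must guard separately. */
static long status_command(const char *s, int patched) {
    int selected;
    if (patched) {
        selected = is_selected_mailbox(s);
    } else {
        if (unpatched_would_deref_null(s)) return -1;
        selected = lastsel && (!strcmp(s, lastsel) || !strcmp(s, stream->mailbox));
    }
    if (selected) return stream ? (long)stream->nmsgs : -2;
    return 0; /* not the selected mailbox: opened separately; constructed count for "Sent" */
}

/* Replays the report: SELECT INBOX (4 messages), optionally EXAMINE Mail
 * (fails, stream closed), then STATUS of `target`. */
static long replay(int patched, int fail_examine, const char *target) {
    reset_state();
    select_mailbox("INBOX", 1, 4);                  /* A7: "* 4 EXISTS" */
    if (fail_examine) select_mailbox("Mail", 0, 0); /* A13: not a selectable mailbox */
    return status_command(target, patched);         /* A14 */
}

int main(void) {
    printf("unpatched, STATUS Sent after failed EXAMINE:  %ld (-1 = would SIGSEGV)\n", replay(0, 1, "Sent"));
    printf("patched,   STATUS Sent after failed EXAMINE:  %ld\n", replay(1, 1, "Sent"));
    printf("patched,   STATUS INBOX after failed EXAMINE: %ld (-2 = stale lastsel, no stream)\n", replay(1, 1, "INBOX"));
    printf("patched,   STATUS INBOX while selected:       %ld\n", replay(1, 0, "INBOX"));
    return 0;
}
```

The -2 case is the caveat a reviewer of the patch should check in the real code: the guard only protects the `strcmp`, so whatever follows in the "get mailbox status" branch must not read `stream` fields unless `lastsel` is cleared when the stream is closed.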
