Bug 310711 - akonadiserver crashes on malformed input to UNIX socket
Summary: akonadiserver crashes on malformed input to UNIX socket
Status: RESOLVED FIXED
Alias: None
Product: Akonadi
Classification: Frameworks and Libraries
Component: server
Version: 1.9.2
Platform: Debian unstable Linux
Importance: NOR crash
Target Milestone: ---
Assignee: kdepim bugs
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-26 14:11 UTC by Tim Brown
Modified: 2015-08-24 23:31 UTC
CC List: 1 user

See Also:
Latest Commit:
Version Fixed In:


Description Tim Brown 2012-11-26 14:11:45 UTC
Hi,

I don't believe this is a security flaw as it affects the UNIX socket which is only accessible to the root and owner user.  However, I found that akonadiserver crashes on malformed input.  Reproducer as follows:

$ perl -e 'print "\n"' | socat UNIX:/tmp/akonadi-tmb.HoHuFd/akonadiserver.socket STDIO

This results in:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f6013fe7700 (LWP 15368)]
0x00000000004db260 in ?? ()
(gdb) bt
#0  0x00000000004db260 in ?? ()
#1  0x00000000004233bf in ?? ()
#2  0x00007f6021a5f54f in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#3  0x00007f6021a5f54f in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#4  0x00007f602165036c in ?? () from /usr/lib/x86_64-linux-gnu/libQtNetwork.so.4
#5  0x00007f6021654952 in QAbstractSocket::waitForBytesWritten(int) () from /usr/lib/x86_64-linux-gnu/libQtNetwork.so.4
#6  0x00000000004228c3 in ?? ()
#7  0x0000000000422cce in ?? ()
#8  0x00007f602194ed0b in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#9  0x00007f601fc5fb50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#10 0x00007f601ff4fa7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#11 0x0000000000000000 in ?? ()
(gdb) x/1i $pc
=> 0x4db260:    mov    0x8(%rsi),%rax
(gdb) i r rsi rax
rsi            0x0      0
rax            0x1      1

$rax is the number of bytes that the user has supplied.
Comment 1 Daniel Vrátil 2013-06-09 14:27:30 UTC
I was unable to reproduce the crash with Akonadi 1.9.2. With your command, the server correctly replies:

* OK Akonadi Almost IMAP Server [PROTOCOL 30]
Comment 2 Tim Brown 2013-06-09 15:18:42 UTC
(In reply to comment #1)
> I was unable to reproduce the crash with Akonadi 1.9.2. With your command,
> the server correctly replies:
> 
> * OK Akonadi Almost IMAP Server [PROTOCOL 30]

ii  akonadi-server                        1.9.2-2                            amd64        Akonadi PIM storage service

# gdb akonadiserver `pgrep akonadiserver`
GNU gdb (GDB) 7.6-debian
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/akonadiserver...(no debugging symbols found)...done.
Attaching to program: /usr/bin/akonadiserver, process 5511
Reading symbols from /usr/lib/x86_64-linux-gnu/libQtCore.so.4...Reading symbols from /usr/lib/debug/.build-id/b2/51608a15ef520d2f57b0d34eb263bf344c0992.debug...done.
done.
Loaded symbols for /usr/lib/x86_64-linux-gnu/libQtCore.so.4
Reading symbols from /usr/lib/x86_64-linux-gnu/libQtNetwork.so.4...Reading symbols from /usr/lib/debug/.build-id/12/34f060d2c25074840c1325c473a3ba3ca1972b.debug...done.
done.
Loaded symbols for /usr/lib/x86_64-linux-gnu/libQtNetwork.so.4
Reading symbols from /usr/lib/x86_64-linux-gnu/libQtSql.so.4...Reading symbols from /usr/lib/debug/.build-id/25/081dec7019822b2d0419d30d0d27c5d4620183.debug...done.
done.
Loaded symbols for /usr/lib/x86_64-linux-gnu/libQtSql.so.4
Reading symbols from /usr/lib/x86_64-linux-gnu/libQtXml.so.4...Reading symbols from /usr/lib/debug/.build-id/64/b3e46de6ef2bff9d9fb56c291c203a45c725ad.debug...done.
done.
Loaded symbols for /usr/lib/x86_64-linux-gnu/libQtXml.so.4
Reading symbols from /usr/lib/libakonadiprotocolinternals.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libakonadiprotocolinternals.so.1
Reading symbols from /usr/lib/x86_64-linux-gnu/libQtDBus.so.4...Reading symbols from /usr/lib/debug/.build-id/c2/13e1265d4fce0fee0ee15b0997fae121496d95.debug...done.
done.
Loaded symbols for /usr/lib/x86_64-linux-gnu/libQtDBus.so.4
Reading symbols from /usr/lib/libsoprano.so.4...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libsoprano.so.4
Reading symbols from /usr/lib/libboost_program_options.so.1.49.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libboost_program_options.so.1.49.0
Reading symbols from /usr/lib/x86_64-linux-gnu/libstdc++.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/x86_64-linux-gnu/libstdc++.so.6
Reading symbols from /lib/x86_64-linux-gnu/libgcc_s.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/x86_64-linux-gnu/libgcc_s.so.1
Reading symbols from /lib/x86_64-linux-gnu/libc.so.6...Reading symbols from /usr/lib/debug/lib/x86_64-linux-gnu/libc-2.17.so...done.
done.
Loaded symbols for /lib/x86_64-linux-gnu/libc.so.6
Reading symbols from /lib/x86_64-linux-gnu/libpthread.so.0...Reading symbols from /usr/lib/debug/lib/x86_64-linux-gnu/libpthread-2.17.so...done.
done.
[New LWP 5543]
[New LWP 5542]
[New LWP 5541]
[New LWP 5540]
[New LWP 5539]
[New LWP 5538]
[New LWP 5537]
[New LWP 5536]
[New LWP 5534]
[New LWP 5533]
[New LWP 5532]
[New LWP 5531]
[New LWP 5530]
[New LWP 5529]
[New LWP 5512]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Loaded symbols for /lib/x86_64-linux-gnu/libpthread.so.0
Reading symbols from /lib/x86_64-linux-gnu/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/x86_64-linux-gnu/libz.so.1
Reading symbols from /lib/x86_64-linux-gnu/libdl.so.2...Reading symbols from /usr/lib/debug/lib/x86_64-linux-gnu/libdl-2.17.so...done.
done.
Loaded symbols for /lib/x86_64-linux-gnu/libdl.so.2
Reading symbols from /lib/x86_64-linux-gnu/librt.so.1...Reading symbols from /usr/lib/debug/lib/x86_64-linux-gnu/librt-2.17.so...done.
done.
Loaded symbols for /lib/x86_64-linux-gnu/librt.so.1
Reading symbols from /lib/x86_64-linux-gnu/libglib-2.0.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/x86_64-linux-gnu/libglib-2.0.so.0
Reading symbols from /lib/x86_64-linux-gnu/libm.so.6...Reading symbols from /usr/lib/debug/lib/x86_64-linux-gnu/libm-2.17.so...done.
done.
Loaded symbols for /lib/x86_64-linux-gnu/libm.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/lib/x86_64-linux-gnu/ld-2.17.so...done.
done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib/x86_64-linux-gnu/libdbus-1.so.3...(no debugging symbols found)...done.
Loaded symbols for /lib/x86_64-linux-gnu/libdbus-1.so.3
Reading symbols from /lib/x86_64-linux-gnu/libpcre.so.3...(no debugging symbols found)...done.
Loaded symbols for /lib/x86_64-linux-gnu/libpcre.so.3
Reading symbols from /usr/lib/x86_64-linux-gnu/gconv/UTF-16.so...Reading symbols from /usr/lib/debug/usr/lib/x86_64-linux-gnu/gconv/UTF-16.so...done.
done.
Loaded symbols for /usr/lib/x86_64-linux-gnu/gconv/UTF-16.so
Reading symbols from /usr/lib/x86_64-linux-gnu/libicui18n.so.48...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/x86_64-linux-gnu/libicui18n.so.48
Reading symbols from /usr/lib/x86_64-linux-gnu/libicuuc.so.48...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/x86_64-linux-gnu/libicuuc.so.48
Reading symbols from /usr/lib/x86_64-linux-gnu/libicudata.so.48...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/x86_64-linux-gnu/libicudata.so.48
Reading symbols from /lib/x86_64-linux-gnu/libnss_compat.so.2...Reading symbols from /usr/lib/debug/lib/x86_64-linux-gnu/libnss_compat-2.17.so...done.
done.
Loaded symbols for /lib/x86_64-linux-gnu/libnss_compat.so.2
Reading symbols from /lib/x86_64-linux-gnu/libnsl.so.1...Reading symbols from /usr/lib/debug/lib/x86_64-linux-gnu/libnsl-2.17.so...done.
done.
Loaded symbols for /lib/x86_64-linux-gnu/libnsl.so.1
Reading symbols from /lib/x86_64-linux-gnu/libnss_nis.so.2...Reading symbols from /usr/lib/debug/lib/x86_64-linux-gnu/libnss_nis-2.17.so...done.
done.
Loaded symbols for /lib/x86_64-linux-gnu/libnss_nis.so.2
Reading symbols from /lib/x86_64-linux-gnu/libnss_files.so.2...Reading symbols from /usr/lib/debug/lib/x86_64-linux-gnu/libnss_files-2.17.so...done.
done.
Loaded symbols for /lib/x86_64-linux-gnu/libnss_files.so.2
Reading symbols from /usr/lib/x86_64-linux-gnu/qt4/plugins/sqldrivers/libqsqlmysql.so...Reading symbols from /usr/lib/debug/.build-id/b8/4c996f52b12cf9ab286332047c68df5f0d3087.debug...done.
done.
Loaded symbols for /usr/lib/x86_64-linux-gnu/qt4/plugins/sqldrivers/libqsqlmysql.so
Reading symbols from /usr/lib/x86_64-linux-gnu/libmysqlclient.so.18...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/x86_64-linux-gnu/libmysqlclient.so.18
0x00007fcaf2ed01bd in poll () at ../sysdeps/unix/syscall-template.S:81
(gdb) cont
Continuing.
[New Thread 0x7fcac67fc700 (LWP 5589)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fcac67fc700 (LWP 5589)]
0x00000000004c67d0 in ?? ()
(gdb) bt
#0  0x00000000004c67d0 in ?? ()
#1  0x000000000042063f in ?? ()
#2  0x00007fcaf49f354f in QMetaObject::activate (sender=0x10df6d0, m=<optimized out>, local_signal_index=<optimized out>, argv=0x0) at kernel/qobject.cpp:3547
#3  0x00007fcaf49f354f in QMetaObject::activate (sender=sender@entry=0x10daa28, m=m@entry=0x7fcaf4d30460 <QIODevice::staticMetaObject>, local_signal_index=local_signal_index@entry=0, argv=argv@entry=0x0)
    at kernel/qobject.cpp:3547
#4  0x00007fcaf4a3c0c0 in QIODevice::readyRead (this=this@entry=0x10daa28) at .moc/release-shared/moc_qiodevice.cpp:105
#5  0x00007fcaf45e33cc in QAbstractSocketPrivate::canReadNotification (this=this@entry=0x1104750) at socket/qabstractsocket.cpp:654
#6  0x00007fcaf45e79b2 in QAbstractSocket::waitForBytesWritten (this=0x10daa28, msecs=30000) at socket/qabstractsocket.cpp:1966
#7  0x000000000041f9d3 in ?? ()
#8  0x0000000000421333 in ?? ()
#9  0x00007fcaf48e2d0b in QThreadPrivate::start (arg=0x10ffd20) at thread/qthread_unix.cpp:307
#10 0x00007fcaf2bdee0e in start_thread (arg=0x7fcac67fc700) at pthread_create.c:311
#11 0x00007fcaf2edb95d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
(gdb) quit
A debugging session is active.

	Inferior 1 [process 5511] will be detached.

Quit anyway? (y or n) Detaching from program: /usr/bin/akonadiserver, process 5511
Comment 3 Tim Brown 2013-06-09 15:36:09 UTC
#0  Akonadi::ImapStreamParser::readString (this=0x0) at ../../server/src/imapstreamparser.cpp:57
#1  0x000000000042063f in Akonadi::AkonadiConnection::slotNewData (this=0x23fc370) at ../../server/src/akonadiconnection.cpp:124
#2  0x00007f332f32254f in QMetaObject::activate (sender=0x23b5db0, m=<optimized out>, local_signal_index=<optimized out>, argv=0x0) at kernel/qobject.cpp:3547
#3  0x00007f332f32254f in QMetaObject::activate (sender=sender@entry=0x2424ce8, m=m@entry=0x7f332f65f460 <QIODevice::staticMetaObject>, local_signal_index=local_signal_index@entry=0, argv=argv@entry=0x0)
    at kernel/qobject.cpp:3547
#4  0x00007f332f36b0c0 in QIODevice::readyRead (this=this@entry=0x2424ce8) at .moc/release-shared/moc_qiodevice.cpp:105
#5  0x00007f332ef123cc in QAbstractSocketPrivate::canReadNotification (this=this@entry=0x2424d40) at socket/qabstractsocket.cpp:654
#6  0x00007f332ef169b2 in QAbstractSocket::waitForBytesWritten (this=0x2424ce8, msecs=30000) at socket/qabstractsocket.cpp:1966
#7  0x000000000041f9d3 in Akonadi::AkonadiConnection::writeOut (this=this@entry=0x23fc370, data=...) at ../../server/src/akonadiconnection.cpp:178
#8  0x0000000000421333 in Akonadi::AkonadiConnection::run (this=0x23fc370) at ../../server/src/akonadiconnection.cpp:100
#9  0x00007f332f211d0b in QThreadPrivate::start (arg=0x23fc370) at thread/qthread_unix.cpp:307
#10 0x00007f332d50de0e in start_thread (arg=0x7f33157fa700) at pthread_create.c:311
#11 0x00007f332d80a95d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Line 57 is as follows:

  if ( !waitForMoreData( m_data.length() == 0 ) )

From gdb:

(gdb) print m_data
Cannot access memory at address 0x8
(gdb) x/1i $pc
=> 0x4c67d0 <Akonadi::ImapStreamParser::readString()+32>:       mov    0x8(%rsi),%rax
(gdb) x/1x $rsi
Cannot access memory at address 0x0
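The frames in comment 3 are consistent with the following sequence: AkonadiConnection::run() writes the greeting, writeOut() blocks in waitForBytesWritten(), Qt dispatches readyRead() synchronously from inside that wait because the client's bare newline is already pending, and slotNewData() then calls readString() on a parser pointer that has not been set yet (this=0x0, hence the fault reading m_data at offset 0x8). That reading of the trace is my inference, not a statement from the bug. The stand-alone C++ below is an added illustration of that re-entrancy hazard and of the guard that prevents it; it is not Akonadi's code or its fix. FakeSocket, LineParser, Connection and runReproducer are hypothetical stand-ins for the Qt and Akonadi objects in the backtrace.

```cpp
// Added illustration: a readyRead slot re-entered from a blocking write,
// before the parser it needs exists. Plain C++ stand-ins, not Akonadi code.
#include <cassert>
#include <cstddef>
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Stand-in for the socket. Bytes the peer already sent sit in `pending`; a
// blocking wait for the write to flush dispatches readyRead synchronously,
// which is the re-entry the trace shows (waitForBytesWritten ->
// canReadNotification -> readyRead -> slot).
struct FakeSocket {
    std::string pending;                 // bytes from the peer not yet read
    std::function<void()> readyRead;     // slot connected to readyRead()
    void write(const std::string&) {}    // output is irrelevant here
    void waitForBytesWritten() {
        if (!pending.empty() && readyRead) readyRead();
    }
    std::string readAll() { std::string s; s.swap(pending); return s; }
};

// Stand-in for the stream parser: collects LF/CRLF-terminated lines.
struct LineParser {
    std::string buf;
    std::vector<std::string> lines;
    void feed(const std::string& data) {
        buf += data;
        std::size_t pos;
        while ((pos = buf.find('\n')) != std::string::npos) {
            std::string line = buf.substr(0, pos);
            if (!line.empty() && line.back() == '\r') line.pop_back();
            lines.push_back(line);
            buf.erase(0, pos + 1);
        }
    }
};

class Connection {
public:
    explicit Connection(FakeSocket& s) : m_socket(s) {
        m_socket.readyRead = [this] { slotNewData(); };
    }
    // Same order as the trace: the greeting is written (and waited on)
    // before the parser is constructed.
    void run() {
        writeOut("* OK greeting\r\n");
        m_parser = std::make_unique<LineParser>();
        slotNewData();   // drain whatever arrived during the blocking write
    }
    std::size_t linesParsed() const { return m_parser ? m_parser->lines.size() : 0; }
    int earlyDeliveries() const { return m_early; }

private:
    void writeOut(const std::string& data) {
        m_socket.write(data);
        m_socket.waitForBytesWritten();  // may re-enter slotNewData()
    }
    void slotNewData() {
        if (!m_parser) {   // the guard: parser not constructed yet, so
            ++m_early;     // leave the bytes in the socket; run() drains them
            return;
        }
        m_parser->feed(m_socket.readAll());
    }
    FakeSocket& m_socket;
    std::unique_ptr<LineParser> m_parser;  // null until run() creates it
    int m_early = 0;
};

// Drive the reproducer from the report: the peer sends a bare "\n" before
// the greeting has been flushed. Returns the number of lines parsed and,
// via earlyOut, how many readyRead deliveries hit the guard.
std::size_t runReproducer(const std::string& peerInput, int* earlyOut) {
    FakeSocket sock;
    sock.pending = peerInput;   // constructed input, mirrors perl -e 'print "\n"'
    Connection c(sock);
    c.run();
    if (earlyOut) *earlyOut = c.earlyDeliveries();
    return c.linesParsed();
}
```

Without the null check in slotNewData() the re-entrant delivery dereferences the unset parser exactly as frame #0 does; with it, the early bytes stay in the socket buffer and are parsed once run() has created the parser, so the empty line is still processed rather than lost.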